The final DFARS cybersecurity rule promulgated in 2016, which included the latest changes to the DFARS clause at 252.204-7012, was a significant development for DoD contractors, in part because it mandates compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. DoD has been working with the contracting community since that time with respect to the implementation of the final rule, but has concluded that further compliance steps are needed in the form of cybersecurity certification standards.
The anticipated new cybersecurity certification standards for DoD contractors are quickly taking shape. Katie Arrington, former South Carolina legislator and current special assistant for Cybersecurity to Assistant Secretary of Defense for Acquisition, recently announced that DoD is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins University Applied Physics Laboratory in developing the new certification standard: the Cybersecurity Maturity Model Certification or “CMMC.” This Alert outlines what has been revealed thus far about the CMMC, how the CMMC will affect DoD contractors, and steps you can take to be ready when the CMMC goes live.
What is the CMMC?
The CMMC will be a comprehensive and coordinated standard for cybersecurity, bringing together existing requirements, such as NIST SP 800-171, NIST SP 800-53, and AIA MAS 9933; private sector contributions; and input from academia. The goal of the CMMC is to secure the DoD supply chain by curing existing cybersecurity shortcomings within the Defense Industrial Base. DoD has indicated that, to achieve this goal, the CMMC model must be adaptable to new and evolving cyber threats, which suggests that the CMMC itself will evolve over time. A neutral third party will maintain the standard for DoD. The CMMC will include the development and deployment of a tool that third-party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.
The CMMC will consist of 5 levels, ranging from basic hygiene to “State-of-the-Art.” Each level will measure both the sophistication of a contractor’s cybersecurity practices, and the institutionalization of such practices. The required level (between 1 – 5) will appear in sections L and M of DoD requests for proposals (RFPs).
How will the CMMC affect you?
The Required CMMC Level will be a Go/No-Go Decision in Contracting. CMMC Version 1.0 is targeted for a January 2020 delivery. Third-party audits for CMMC certification will begin shortly thereafter. By June 2020, the CMMC requirements will be included in requests for information (RFIs), and in September 2020, in RFPs. Because DoD has stated that the required CMMC Level will be a “go/no-go decision,” failure to comply with the required CMMC Level may be fatal to your offer.
DoD has Recognized that Costs are an Issue. DoD has acknowledged that the cost of its ongoing compliance efforts, including the CMMC, is an issue for the contracting community, noting that the CMMC must be semi-automated and cost effective enough that small businesses can achieve the minimum CMMC Level of 1. Also, the CMMC will include a center for cybersecurity education and training. More importantly, it has been reported that cybersecurity will be an allowable cost in DoD contracts. It remains to be seen whether DoD auditors and contracting officers will agree with this position, but announcing that position provides a significant incentive for industry to ramp up compliance efforts and is in line with DoD being serious about the need for increased cybersecurity.
What steps can you take to be ready for the CMMC?
Review your current cybersecurity policies and procedures. DoD has an 18-month timeline for rolling out the CMMC, and has clearly decided that the current self-attestation approach is insufficient. As with so many things, success in this new environment will depend on adequate preparation. Take time now, before the CMMC requirements start appearing in RFPs, to review your current approach to cybersecurity and work on known issues.
Attend a listening section. DoD is taking the CMMC on the road as part of efforts to engage with industry and solicit feedback. Starting this month and continuing through August, officials will be hosting 11 listening sessions in major cities across the country, including Washington, D.C. Consider attending, letting your voice be heard, and learning from these collaborative opportunities.
Contact your legal and cybersecurity partners. DoD’s approach to implementing the 2016 final cybersecurity rule over the past few years has relied heavily on self-certification. That approach will no longer be viable under the CMMC. Instead, third-parties will audit DoD contractors using the new CMMC tool, and contractors risk losing business by not achieving the levels specified for individual competitions. Preparation for the CMMC will likely require collaboration with your legal and cybersecurity partners. Miles & Stockbridge is committed to staying abreast of CMMC developments and ensuring we are equipped to help our clients tackle the legal aspects of the CMMC.
Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.