Get Ahead Of Compliance: The Proposed Rule For The Cybersecurity Maturity Model Certification (CMMC 2.0) Is Out!

As a lawyer working in a firm with a sophisticated legal team providing robust regulatory, government contract, and cybersecurity services, our Christmas present and holiday reading arrived early with the publication of the proposed rule 32 CFR § 170, also infamously known in the Defense Industrial Base (DIB) community as the Cybersecurity Maturity Model Certification Program (CMMC and/or CMMC 2.0). The CMMC Program is designed to ensure that cybersecurity requirements are in place as a prerequisite for a Department of Defense (DoD) contract award or the exercise of a new option period.

Government contractors should contact their lawyers and discuss what actions they need to take to prepare for CMMC 2.0. GovCon companies must understand which of the three compliance levels of the CMMC apply to them, which of their contracts require demonstrable cybersecurity compliance, how to document that compliance, and how flow-down provisions from their teaming partners will affect their contractual relationships. Working together, attorneys will be able to ensure that their GovCon clients are able to demonstrate cybersecurity compliance with each control element of whichever of the three cybersecurity frameworks required by the CMMC applies to them.

The new CMMC 2.0 has been anxiously anticipated since November 2021. There are already hundreds of articles written about the purpose, policy, and general verification processes and procedures to ensure that those companies serving the DoD properly protect some of our Nation’s most sensitive information with cybersecurity safeguards. The good news is that the fundamental points of CMMC 2.0 are not new! DoD contractors and subcontractors should be familiar with the cybersecurity standards since many of them are addressed in the requirements for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) set forth in Federal Acquisition Regulation (FAR) 52.204-21, the National Institute of Standards and Technology (NIST) Special Publication 800-171 Rev 2 (NIST SP 800-171 Rev 2), and in some cases NIST SP 800-172. CMMC 2.0 incorporates these well-established cybersecurity requirements for large and small government contractors.

Given that the DIB consists of over 220,000 companies[1], it would be an administrative nightmare for the DoD to internally assess and certify every contractor and subcontractor to which it awards contracts. A major aspect of the CMMC is to utilize external partners that will be responsible for the assessment and verification of contractors' cybersecurity requirements. The CMMC Third-Party Assessment Organizations, not to be confused with the most beloved Star Wars droid, will be known as C3PAO(s) and will be accredited by DoD.

Each level will have specific elements that will need to be met depending on the type of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) contained in the company’s contracts. Once the CMMC Program is fully implemented, every DoD contract will specify the CMMC Level as a prerequisite to the contract award. Not only is the prime contractor required to be certified at the CMMC Level, but the requirement will be a mandatory flow-down for subcontractors at all tiers that will process, store, or transmit FCI or CUI on any contractor system in the performance of an award. The mandatory flow-down will substantially change the relationship obligations and contract language between the prime and its lower-tier subcontractors.

In order to best protect a company, executives should include attorneys as part of the internal assessment team to help spot potential pitfalls and conflicts and to leverage the attorney-client privilege. For companies that do not fall under immediate compliance with the CMMC-level requirements, reviewing the CMMC provides a good roadmap to prepare the company for compliance. Early internal assessments, compliance review, and implementing a good Plan of Action & Milestones (POAM) are best practices for companies. While not a C3PAO, our cyber and technology practice group can assist you with these assessments and initial compliance review.

This is the first of a trilogy of articles that will walk through each of the levels of the CMMC and discuss the implementation timeline and necessary compliance elements. The DoD currently anticipates a phased-in approach for the CMMC “intended to minimize the financial impacts to defense contractors, especially small businesses, and disruption to the existing DoD supply chain.”[2] (p.87) GovCon companies in the DIB can, and should, start preparing now as the CMMC rolls through the federal rulemaking process.

[1] Cybersecurity Maturity Model Certification (CMMC) Program, 88 Fed. R. 246, 89078 (proposed Dec. 26, 2023) (to be codified at 32 C.F.R. pt. 170).

[2] Id. at 8903.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dunlap Bennett & Ludwig PLLC | Attorney Advertising

Written by:

Dunlap Bennett & Ludwig PLLC