On November 30, 2020, the U.S. Department of Defense (“DoD”) will begin to roll out the new Cybersecurity Maturity Model Certification (“CMMC”) framework that eventually will require all DoD contractors, subcontractors, and suppliers to receive cybersecurity assessments from third-party assessment organizations.
DoD currently imposes cybersecurity requirements on contractors through Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires that the contractor implement the 110 security controls set forth in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 on any information system that processes, stores or transmits Controlled Unclassified Information. On September 29, 2020, DoD issued an interim rule adopting a new NIST SP 800-171 Assessment requirement for contractors, subcontractors and suppliers that must implement NIST SP 800-171, which is effective November 30, 2020 and separate from the CMMC framework. For more information on the new NIST SP 800-171 Assessment requirement, please see our October 20, 2020 Client Alert on that topic.
The September 29, 2020 interim rule also implements in the DFARS the CMMC framework that DoD has been developing over the past two years. The CMMC framework defines five cybersecurity maturity levels against which DoD contractors, subcontractors and suppliers will be assessed to determine the extent and maturity of their information systems’ cybersecurity processes and practices. Going forward, Certified Assessors working for CMMC Third-Party Assessment Organizations (“C3PAOs”) will evaluate DoD contractors’ cybersecurity practices and processes to determine their CMMC certification level, and those C3PAO certifications will be effective for up to three years. The CMMC Accreditation Body (“CMMC-AB”), an accreditation entity independent of DoD, is responsible for managing, controlling and administering the CMMC assessment, certification, training and accreditation process for the defense supply chain. The CMMC-AB establishes the criteria or requirements used to certify C3PAOs and Certified Assessors. The CMMC-AB is still in the early stages of accrediting C3PAOs and Certified Assessors, and it has indicated that it intends ultimately to list approved C3PAOs and Certified Assessors on the CMMC-AB website, under its “Marketplace.” Certified Assessors will be approved to certify contractors only up to a specific CMMC level, so a company seeking to retain a C3PAO should confirm that the Certified Assessor performing the assessment is authorized to certify contractors to the CMMC level the company hopes to achieve.
The CMMC model, and the cybersecurity requirements that correspond to each CMMC level, are available on DoD’s website. Each CMMC level requires a contractor to have implemented an escalating number of cybersecurity practices and processes, with Level 1 being the least onerous and Level 5 requiring the most robust cybersecurity program. For example:
There are some key differences between the CMMC framework and the existing cybersecurity compliance framework under DFARS clause 252.204-7012. First, there is no “partial credit” under the CMMC: if a contractor cannot demonstrate compliance with all of the security controls, practices and processes mandated for a specific certification level, the contractor cannot be certified at that level, period. Unlike the NIST SP 800-171 regime, a contractor cannot receive certification at a given level based on a “plan of action and milestones” to address shortcomings found during the certification process; every required practice and process must already be in place at the time of assessment.
Second, as the CMMC name implies, its framework is designed to assess the “maturity” of a contractor’s cybersecurity processes by assessing the extent to which certain processes have been “institutionalized”—i.e., embedded or ingrained in the operations of an organization. Thus, the CMMC goes beyond an assessment of whether the contractor has implemented designated security controls (in CMMC parlance, “practices”) in its information system; the CMMC requires a further analysis of whether the contractor has institutionalized certain “processes” that demonstrate the maturity of the organization’s cybersecurity program. For example, to achieve a CMMC Level 3 certification, the contractor must establish, maintain and resource a plan to implement the required cybersecurity practices. Simply having adopted a written cybersecurity policy would not be enough; the contractor would need to demonstrate that its cybersecurity plan includes the allocation of resources (funding, staffing and tooling) to implement the necessary practices and to train its personnel on them.
DoD will utilize a phased rollout of the CMMC requirements, and from November 30, 2020 until September 30, 2025, DoD may include a CMMC certification requirement in some solicitations, but will not require CMMC certificates for all contracts. During this phased rollout period, DoD will only require CMMC certificates for contracts “if the requirement document or statement of work requires a contractor to have a specific CMMC level,” and inclusion of a CMMC requirement in a solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.
Starting October 1, 2025, all DoD solicitations and contracts valued at greater than the micro-purchase threshold, except those exclusively for COTS items, will identify the CMMC level applicable to the contract and will prohibit award to an offeror that does not have a CMMC certificate at the required level.
If a solicitation requires a contractor to have a specific CMMC level, that solicitation will contain new DFARS clause 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement, which will require the contractor to have a current (not older than 3 years) CMMC certificate at the required CMMC level, and maintain the certificate at the required level for the duration of the contract. The successful offeror for the contract must have a certification from a C3PAO at (or above) the designated CMMC level on file with DoD at the time of contract award. Accordingly, an offeror does not need to have its CMMC certification achieved at the time proposals are submitted, but only at the time of award.
DFARS clause 252.204-7021 will require a prime contractor to ensure that its subcontractors and suppliers have the appropriate level of CMMC certification, as determined by the prime contractor, prior to award of a subcontract under a prime contract that includes the clause. The new CMMC clause also will require the contractor to flow down the CMMC clause to its subcontractors, meaning that all subcontractors and suppliers in the supply chain for a DoD contract (other than commercially available off-the-shelf (COTS) suppliers) must hold at least a CMMC Level 1 certification, or a higher level depending on the sensitivity of the information they will receive under the subcontract.
DoD contractors, subcontractors and suppliers should anticipate needing to obtain CMMC certification from a C3PAO at some point in the not-too-distant future, especially if they already have contracts that require compliance with the NIST SP 800-171 security controls. Whether a company is a DoD prime contractor, subcontractor or a supplier, it should consider taking the following steps to prepare for the eventual requirement of CMMC certification: