Cybersecurity attacks represent a real threat to our national security and the defense industrial base. To combat these threats, the Department of Defense recently released Cybersecurity Maturity Model Certification v1.0—a conspicuous change in how cybersecurity will be viewed in the performance of DoD government contracts.
Cybersecurity will no longer be viewed primarily as an element of contract performance. Rather, once CMMC is fully implemented, third-party certified and mature cybersecurity practices and processes will be foundational in contracting with the DoD—without the appropriate CMMC certification, contractors will not be considered for contract awards.
CMMC certification will represent contractors’ ticket to get into the game. Without that ticket, contractors will not have a chance to compete for and win DoD contracts.
Five Maturity Levels
CMMC is a maturity model made up of five levels of maturity across both cybersecurity practices and cybersecurity processes. In total, there are 171 practices and five processes across the five levels of maturity. The CMMC practices and processes are organized into 17 capability domains:
- Access Control
- Asset Management
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- Systems and Communications Protection
- System and Information Integrity
Level 1 represents the requirements needed for DoD contracts that do not involve controlled unclassified information (CUI). Level 2 represents a transitional step to protect CUI. Level 3 governs DoD contracts involving the protection of CUI. Finally, levels 4 and 5 represent the highest levels of maturity for protecting CUI and reducing the risk of advanced persistent threats.
The CMMC takes full advantage of multiple sources of existing cybersecurity requirements. In pulling together the CMMC, the DoD incorporated requirements from a variety of sources.
Difficulties for Small, Medium-Sized Businesses
For those contractors who already have systems that comply with FAR Subpart 52.204-21 and applicable NIST standards, becoming CMMC certified should not be a herculean task. However, for small and medium-sized businesses, certification could prove difficult, if not impossible.
This will provide opportunities for large businesses to mentor, partner with or even acquire small and medium-sized businesses. Improving the cybersecurity posture of small and medium-sized businesses is critical because our security is only as strong as the weakest link in the acquisition chain.
To address some of the concerns associated with less cybersecurity mature contractors, the DoD has made it clear that not all procurements are equal and there will be flexibility to assign subcontracts a maturity level lower than that of the prime. For example, if a prime contract is at CMMC Level 3, and a particular subcontract does not involve CUI, that subcontract could be issued at CMMC Level 1.
Another significant change associated with CMMC is the fact that it is a third-party certification system. Currently, DoD contractors self-certify their compliance under the applicable Defense Federal Acquisition Regulations (DFARS) that primarily rely on the NIST requirements. Such self-certifications can lead to potential False Claims Act liability.
Additionally, contractors have struggled with certifying compliance because the NIST requirements are extensive and therefore open to more than one interpretation.
The move to a third-party certification is intended to reduce the confusion with determining compliance and may reduce the risk of FCA liability associated with self-certifications of compliance with applicable cybersecurity requirements, but it does nothing to impact performance risks associated with cybersecurity.
It also adds a significant new cost to businesses. As cybersecurity performance and maintaining CMMC certification will be foundational to even obtain DoD contracts, performance risks are heightened. Although it is too early to predict how the DoD would react to a significant cybersecurity event or loss of CMMC certification, contract termination would seem to be a more likely result.
Obtaining CMMC certification will only be the beginning. Contractors will have to be continually improving their cybersecurity capabilities and vigilance in response to new and increasing threats in order to ensure their actual performance is strong and they maintain their CMMC certification at the desired maturity level.
In making the announcement, DoD officials made it clear their intent is to implement CMMC in a “crawl, walk, run” sequence. They intend to: (1) issue a new DFARS clause this spring, (2) include the CMMC requirements in approximately 10 RFIs this summer, and (3) include the CMMC requirements in approximately 10 RFPs this fall.
The DoD does not intend to modify any existing contracts to include the CMMC requirements. It is anticipated that CMMC will be fully implemented in about five to six years as existing contracts end and are replaced by newly competed contracts containing CMMC requirements.
Since government contractors pursuing DoD work will begin seeing these requirements in RFPs later this year, they need to start the process of becoming CMMC certified now. The DoD has additional information online about CMMC and becoming CMMC certified through a third-party assessment.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Ivan Boatner is of counsel in Baker Donelson’s Knoxville, Tenn., and Washington, D.C., offices and is a member of the firm’s Government Enforcement and Investigations Group.
Alisa Chestler, a shareholder in Baker Donelson’s Nashville, Tenn., and Washington, D.C., offices, concentrates her practice in privacy, security, and records management issues; health care and insurance regulatory compliance; and corporate transactions matters.
Joshua Mullen is a shareholder in the firm’s Nashville and Washington, D.C., offices. A member of Baker Donelson’s Government Enforcement and Investigations Group, he concentrates his practice in government contracts and complex commercial litigation.