The latest updates and analysis from Morrison Foerster
May 04, 2020 - Cybersecurity & Data Privacy

Department of Defense March Towards CMMC Continues

Although, as of late, the coronavirus and its impact have been top of mind for government contractors and, indeed, the entire world, the Department of Defense (DoD) has continued undeterred with its planned implementation of the Cybersecurity Maturity Model Certification (CMMC) program.  Below we highlight some recent developments, preview upcoming activities pertaining to CMMC, and offer some recommendations about what contractors can do now to prepare.

DoD Has Issued, and Updated, the CMMC Model.

On January 31, 2020, the long-promised CMMC version 1 was issued, along with accompanying appendices.  An updated version (v.1.02) was released on March 18, 2020 to correct various administrative errors.  The detailed assessment guide to accompany the CMMC model is expected soon.  Information from DoD about CMMC is regularly published on the official website:  https://www.acq.osd.mil/cmmc/index.html.

The CMMC Accreditation Body Is Up and Running.

In January 2020, the CMMC Accreditation Body (CMMC-AB) was registered as a Maryland 501(c)(3) nonprofit organization.  It has a Board of Directors consisting of industry-leading experts and a chairperson from the University of Virginia, Darden School Foundation.  Its website is www.CMMCAB.org.

The DoD has tasked the CMMC-AB with running the operational aspects of CMMC, including the selection and training of those persons who will conduct CMMC evaluations.  The relationship between DoD and CMMC-AB is defined in a Memorandum of Understanding that has not been made public.

To date, no certified third-party assessment organizations (C3PAOs) have been selected or identified.  However, the CMMC-AB has indicated that it expects to start training assessors in the coming months, likely through a combination of online and in-person activities.  Assessors will receive a license from the CMMC-AB after completing the required training and passing an examination.  The assessors will not work for the CMMC-AB but will have to be associated with a C3PAO.  Licenses will vary depending on the certification level for which the assessor has been trained.  To conduct assessments at the highest levels, assessors will need to have more experience, although the CMMC-AB has not yet determined the specific experience requirements.  Training for certification at CMMC Levels 1 through 3 will happen first, with the more complex training for Levels 4 and 5 to follow.

On April 22, 2020, the CMMC-AB released its first RFP, for continuous monitoring services.  Responses to the RFP were due on May 1, with selection anticipated by May 8.

The CMMC-Implementing DFARS Rule Is Imminent.

According to recent public statements by the DoD, the DFARS rule implementing CMMC is expected “any day now.”  Industry associations and major contractors are eagerly awaiting the interim rule, and will be certain to supply extensive comments to shape the final rule.

The First Requests for Information Pertaining to CMMC Are Still Expected This Summer.

DoD representatives have repeatedly indicated that the first programs to implement CMMC, the so-called “Pathfinder programs,” will be identified this summer in RFIs laying out the expected forthcoming CMMC requirements.  DoD has indicated that it is in active discussions with the prime contractors expected to be part of the Pathfinder programs, so if incumbents have not heard from DoD it may be safe to assume that their programs will not be selected.  DoD has also indicated that it will not slow down any program for CMMC, so if the guidance is not in place and/or assessors are not yet trained before a program needs to be renewed, the CMMC requirement may drop out and another program will be selected for Pathfinder status.

DoD Has Provided Additional Guidance Concerning Controlled Unclassified Information.

The absence of a clear definition of controlled unclassified information (CUI) and the lack of a process for identifying CUI have confounded contractors charged with implementing the current DFARS cybersecurity rule at 252.204-7012.  DoD recently attempted to minimize this confusion with a new DoD Instruction, DoDI 5200.48, “Controlled Unclassified Information.”  This DoDI cancels the prior DoD Manual 5200.01 vol. 4, “DoD Information Security Program: Controlled Unclassified Information.”  DoDI 5200.48 establishes an official DoD CUI Registry and outlines responsibilities and logistics for the handling, marking, and dissemination of CUI.  Most helpfully for contractors, the instruction makes clear that the obligation to mark CUI rests in the first instance on DoD.  DoD must mark any CUI it provides to contractors, and any requirement to mark CUI generated by contractors or other non-DoD entities will be specified in the applicable contract.

In addition, the DoD CISO for the Assistant Secretary of Defense for Acquisition, Katie Arrington, has recently indicated that DoD intends to share far less CUI with contractors in the future, placing information on contractor systems only when clearly necessary.  In turn, we recommend that contractors closely examine their supply chains and determine whether they need to share CUI as widely as they have been.

DoD Has Created an Exception from CMMC for Purely Commercial Off-the-Shelf Products.

Although DoD initially indicated it would not do so, the agency has recently carved out an exception to CMMC for companies that exclusively supply commercial off-the-shelf (COTS) products that will not be altered in any way for use by the government.[1]  Thus, for example, the supplier of chicken or fuel to a military installation does not need to be CMMC certified.  Companies should be careful not to assume they or their subcontractors will fall within this narrow exception.  Commercial items more broadly, including commercial services, are not exempt from CMMC, and companies that provide such products and services will need to be CMMC certified to continue supplying to DoD.

CMMC May Expand Beyond DoD.

Other federal agencies are showing interest in the CMMC process.  For example, the recent Department of Health and Human Services CIO SP4 draft solicitation has CMMC as an optional item, presumably to accommodate potential future use of the CIO SP4 contract vehicle by DoD customers.  The recently released Cyberspace Solarium Commission report suggests implementation of CMMC for civilian agencies and recommends that the FAR adopt more rigorous and adaptable cybersecurity standards.[2]  In addition, the report suggests that the Sarbanes-Oxley Act should be amended to include cybersecurity reporting requirements.[3]

So what should companies be doing now to prepare for CMMC?

Most importantly, companies should identify what level of CMMC certification they will need.  Those that currently access, process, generate, or store CUI will, going forward, need to be certified at least at CMMC Level 3, which has additional requirements beyond the current NIST SP 800-171 framework.  All DoD contractors and subcontractors at any tier, with the exception of exclusively COTS product providers, will need to be certified at least at Level 1.

If your company is not part of a Pathfinder program, it will not be among the first to be certified, but that does not mean the company should wait to start updating its IT systems to meet the requisite level’s requirements.  Companies should conduct gap analyses to determine what policies, procedures, and requirements may be missing, and then develop plans of action to address any deficiencies long before certification has to take place.  Once the process for getting into the queue for assessment is identified, companies that are ready to be assessed should quickly line up, as the initial demand for assessment will be significant.

We also recommend that contractors coordinate and consult with their agency customers to determine what level of certification will be needed going forward and to push for identification of precisely what contract-related data needs to be protected as CUI.  DoD has indicated that only a very small percentage of programs will require Level 4 and 5 certification (the most recent suggestion by DoD is 0.06% of programs at each level).  However, if you are a contractor or subcontractor working on mission-critical systems with national security or defense implications, it is likely that you will fall into this small minority of entities that need to be ready for higher-level certification.  This certification process will start later, but it will be imperative that the company is prepared to be assessed in order to continue to be considered for these programs.

Finally, even non-DoD contractors must consider that eventually the reach of CMMC, or some close analogue, is going to expand beyond DoD to civilian agencies.

[1] See CMMC FAQs, responses to FAQs 19 and 20, available at: https://www.acq.osd.mil/cmmc/faq.html.

[2] See U.S. Cyberspace Solarium Commission March 2020 report at p. 89 (§ 4.4.3), available at https://www.solarium.gov/.

[3] See id. at p. 90 (§ 4.4.4).