As 2020 begins, one of the biggest changes facing contractors working with the U.S. Department of Defense (“DoD”) is the implementation of DoD’s enhanced cybersecurity regulations, known as the Cybersecurity Maturity Model Certification (“CMMC”) program. CMMC has the potential to be a game changer as cybersecurity becomes a gating item in connection with the contract evaluation process and the focus of increased oversight and scrutiny. CMMC may exclude some companies from DoD work, or at least certain types of procurements, altogether. Further, CMMC likely will create a cottage industry of advisors and evaluators that will either assist companies with implementing CMMC protocols or assess the results of those implementations. Our predictions about the most significant impacts of CMMC in the coming year follow.
- CMMC Cements Cybersecurity as a Key Evaluation Consideration
Cyber and data security have increasingly become key differentiators for companies as agencies have increasingly incorporated cybersecurity compliance into the evaluation process. CMMC ensures that cybersecurity will be a consideration in every DoD procurement, further elevating its import for government contractors. More significantly, whereas certain contractors and subcontractors previously did not have to adhere to DoD cybersecurity standards because they did not house “covered defense information” on their IT systems, CMMC will involve all DoD contractors and subcontractors, whether their IT systems have DoD data or not.
One key advantage of the CMMC program to contractors is that it will take the assessment of security compliance out of the hands of individual government contracting officers and technical evaluators and put it into the hands of neutral third-party assessors, who will apply consistent standards for security level assessment. This will eliminate concerns that certain agencies may not have the broad technical expertise needed to conduct accurate and thorough reviews of contractors’ IT security. Further, at least within DoD, the CMMC process should eliminate situations where multiple assessments are being undertaken simultaneously by different agencies, or even different components within the same agency. Finally, contractors will face less risk of making a misrepresentation as to their security posture that could potentially lead to False Claims Act liability because they will be relying on a neutral third party’s assessment of their cybersecurity protections.
- Some Companies May Opt Out of Certain Procurements at the Highest CMMC Levels, and Others May Decide Not to Do Business with the DoD at All
CMMC involves five different maturity levels, each with increasing security obligations. The DoD will select which maturity level applies to a particular procurement based upon perceived cyber threat level and the sensitivity of information involved.
CMMC Levels 1 and 2 involve basic cyber hygiene – controls expected to be implemented by most companies, whether DoD contractors or not, as a best practice. CMMC Level 3 is most closely analogous to the current DoD cybersecurity requirements for protection of covered defense information, as reflected in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cybersecurity Incident Reporting. In its current form, this clause requires implementation of the NIST 800-171 Rev. 1 security standards for contractor IT systems and/or use of a cloud-based system certified at a minimum security level of FedRAMP Moderate.
In June 2019, NIST introduced the draft SP 800-171b, a further refinement of NIST 800-171 that includes enhanced security requirements for “critical programs” and “high value assets.” The 800-171b document lays out 31 new recommendations for contractors to harden their defenses and protect controlled unclassified information (“CUI”)[1] residing on their networks from advanced persistent threats and government-sponsored hackers. These include specific processes for implementing dual-authorization access controls for critical operations, employing network segmentation where appropriate, deploying deception technologies and threat-hunting teams, and establishing security operations centers to engage in continuous monitoring of system and network activity. With its most recent draft of CMMC (version 7), DoD has confirmed that the security standards required for achievement of CMMC Levels 4 and 5 closely resemble many of the enhanced security standards of NIST 800-171b, though many controls are based on other information security standards or are unique to CMMC.
Although DoD has made clear that it does not believe CMMC Levels 1 or 2 will be costly or difficult for most companies to achieve, it remains to be seen how many businesses will be willing to undergo the assessment process in order to have their systems certified at these levels. Predominantly commercial companies, in particular, may simply decide it is more trouble than it is worth and decide to forego future business with DoD. At the highest certification levels, companies that have only recently installed NIST 800-171 Rev. 1 security controls may be reluctant to employ further controls. Although DoD has indicated that security fixes to meet CMMC requirements will be recoverable costs, this is only helpful to companies with cost reimbursement contracts. Even with such contracts, contractors may be hesitant to seek security cost recovery if it may put them at a competitive disadvantage vis-à-vis other offerors.
DoD thus may find itself, especially in the near term, with more limited competitions and without willing contractors to provide certain goods and services. Prime contractors in turn may scramble to secure essential suppliers if their subcontractors are unwilling or unable to achieve necessary certification. This could especially be an issue at CMMC Levels 4 and 5. This said, contractors that already have robust cybersecurity programs may find themselves at a competitive advantage and embrace the new system.
- Cybersecurity Consulting Firms Must Decide Which Side of the Fence They Think Will Be Most Lucrative
The CMMC program will rely heavily on certified independent third-party auditing organizations (“C3PAOs”) to conduct audits of contractors and subcontractors to assess their CMMC security levels. DoD plans to select a non-profit CMMC accreditation body to operate the certification program and to oversee the C3PAOs that will issue credentials to contractors. These C3PAOs are expected to conduct the vast majority of the estimated 300,000+ security audits required for CMMC certification, although DoD has indicated that some of the higher‑level assessments may be performed by DoD organizations such as the Defense Contract Management Agency (“DCMA”) or the Defense Counterintelligence and Security Agency (“DCSA”).
With implementation of the DFARS network penetration and cybersecurity clause (DFARS 252.204-7012), numerous IT consulting companies saw an opportunity to advise contractors on how to strengthen their IT security networks and how to segregate DoD work in a cost‑effective and compliant manner. A quick internet search demonstrates that these same companies, and presumably many more to follow, are posturing to provide CMMC consulting advice to contractors pre-CMMC assessment. Without a doubt, there will be tremendous demand for such assistance.
On the other side of the fence, DoD will need hundreds of C3PAOs to conduct CMMC assessments, not just initially, but on an ongoing basis. According to statements made by DoD, companies that serve as C3PAOs under CMMC will not be permitted to assist contractors and subcontractors in getting their IT systems up to speed for CMMC review. IT consulting companies thus will need to assess where the grass may be greener and choose a position accordingly.
- DoD and Contractors Should Expect Delays and Bumps in the Road to Full Rollout of CMMC
Over the past seven years or so, DoD has been at the forefront of efforts to protect contractor systems that house sensitive information and critical infrastructure. As many recall, however, the rollout and implementation of DFARS 252.204-7012 was not as straightforward as DoD had planned. The clause was modified multiple times in response to contractor protestations, implementation was delayed more than once, and the final word on what constituted “compliance” with the clause ultimately deviated from the original intent. In the end, DoD indicated that the existence of a system security plan and a plan of actions and milestones, not full implementation of both, was sufficient to constitute implementation of the clause requirements.
Against this historical backdrop, DoD’s aggressive timeline for rollout of CMMC has created stress throughout the contracting community. To date, DoD has consistently maintained that it will adhere to its planned schedule for rollout of CMMC and will include CMMC requirements in certain RFPs beginning in June 2020 and in most by late Fall. It is difficult to imagine how this schedule will be achievable. Notably, although it released a Request for Information from interested parties in October, DoD has not yet issued a solicitation for the CMMC accreditation position, much less selected an accreditation body, and no C3PAOs have been chosen to conduct assessments. Even once these entities are in place, it will take an extremely long time for the entire defense industrial base to be assessed. It remains unclear how certain contractors will be prioritized for review, although DoD has stated that it will roll out the program in a strategic way, beginning with the contractors that support the most “critical programs and technologies.”
- CMMC Will Usher in a New Wave of Cybersecurity Regulations
DoD has already announced that following implementation of CMMC, it will begin a follow-on effort – currently (and uncreatively) called CMMC 2 – that will examine and restrict the products that contractors use to secure their systems.
While a government-wide FAR clause along the lines of CMMC is a long way off, additional guidance concerning the protection of CUI may be on the horizon. Except for DoD’s efforts, agencies have yet to develop and implement coordinated policies for protection of CUI as mandated by Executive Order 13556 and subsequent National Archives and Records Administration CUI guidelines. A FAR rule on this topic was expected in 2019; it remains to be seen whether one will materialize in 2020.
It is also likely that certain agencies that regularly deal with national security and other sensitive information, such as the Department of Homeland Security, will further modify and refine their cybersecurity standards and make more frequent use of cybersecurity as an evaluation criterion. For contractors’ sake, one can only hope that any new cybersecurity requirements will hew closely to CMMC and that other agencies appreciate that the benefits of the DoD standard will be minimal if civilian agencies do not adopt something similar.
Finally, while CMMC may, as noted above, provide some False Claims Act protection, we do not expect the recent trend of cybersecurity-related misrepresentations serving as the basis for False Claims Act suits to decline outside the DoD realm. In fact, CMMC may only serve to brighten the spotlight already shining on cybersecurity compliance.
[1] “Controlled Unclassified Information,” or CUI, is any unclassified information to which special access controls or security protocols apply, such as export controlled information, information considered “for official use only,” etc. “Covered defense information” essentially is any form of CUI that pertains to the DoD.