Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal cybersecurity certification as early as next year. The program, known as the Cybersecurity Maturity Model Certification (CMMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.
Moreover, as announced clearly and repeatedly by the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber, Katie Arrington, during events on May 23, 2019, and June 12, 2019, some cybersecurity costs will be allowable in some circumstances. This means that not only is DoD once again facilitating the acquisition of cybersecurity capabilities throughout its entire supply chain, but DoD now recognizes that it should actually pay for what it requires of contractors.
A Certification Years in the Making
Over the many years we have written and spoken about cybersecurity issues, we’ve seen defense contractors wrestle with how and when to apply existing cybersecurity standards to their systems when selling to the Government. Most notably, the question arises (or should arise) when accepting a contract or subcontract containing FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, or DFARS 252.204-7012, Safeguarding Covered Defense Information. While the appearance of those clauses prompts some contractors to take affirmative action, others still fall short. Unfortunately, leaving controlled unclassified information (CUI) and covered defense information (CDI) unsecured results in significant potential liability for contractors (as evidenced by the first False Claims Act case now proceeding in the United States District Court for the Central District of California premised on failing to meet an amalgam of DoD and NASA cybersecurity requirements). That is where the CMMC comes in.
As currently envisioned, the CMMC will be included in DoD contracts where CDI is present. It will provide federal contractors with a tiered, five-level cybersecurity maturity model ranging from basic hygiene to state of the art, intended to reflect the award’s specific needs for security controls and institutionalized cybersecurity processes. Moreover, CMMC Levels 1 through 5 may be included in Sections L and M of forthcoming solicitations and will be used by acquiring agencies as go/no-go evaluation factors. As explained at those events, these levels will be used as minimum benchmarks that must be met by contractors as a condition precedent to bidding on a particular project. Presently, the contemplated mapping is that a company compliant with DFARS 252.204-7012 and applying the safeguarding requirements found in NIST SP 800-171 would likely be identified as possessing a Level 3 certification and would be eligible to bid only on projects requiring security up to Level 3. If that same company wanted to bid on contracts requiring Level 4 or Level 5 security, it would first have to implement additional security enhancements that, presumably, will be defined in the final program/model.
Beyond serving as the baseline against which contractors will be judged, the CMMC is intended to be cost-effective enough that small businesses can achieve the minimum, Level 1, yet adaptive enough to keep up with evolving threats. To facilitate its rollout and use, DoD also envisions third-party security certifiers conducting audits, collecting metrics, and aiding risk mitigation efforts up and down the entire procurement supply chain, which is the portion of acquisitions that remains DoD’s persistent concern. In fact, third parties play a significant role in the life of CMMC. The standard is being created with the aid of Johns Hopkins University’s Applied Physics Laboratory and Carnegie Mellon University’s Software Engineering Institute, and the final CMMC process is expected to be shepherded through and maintained by Carnegie Mellon after its adoption.
Cybersecurity Costs Will Be Allowable for Certain Types of Contracts
Beyond the architecture of the CMMC, perhaps the most notable announcement associated with this unveiling is DoD’s recognition that cybersecurity is something worth paying for. Of course, one could argue that cybersecurity has always been an allowable cost in cost-type contracts. It is a cost that contractors generally sweep into the pile of general and administrative (G&A) expenses or into the basic overhead expenses they can charge the Government through their indirect rates. But by publicly professing the allowability of cybersecurity expenses, DoD appears to be doubling down on its insistence that contractors properly secure defense data. Ultimately, the takeaway from this announcement shouldn’t be the application of the appropriate cost principle; it should be that DoD is willing to foot the bill. Accordingly, in the Government’s mind at least, contractors will be foreclosed from the oft-heard (but never valid) excuse that cybersecurity compliance is too costly an endeavor to undertake. For the unfortunate companies holding onto that mindset, this announcement is DoD’s checkmate.
The Good and the Bad
There is a lot to unpack with the CMMC and very little announced guidance with which to do it.
As an affirmative tool for contractors, it appears that the CMMC will demand more due diligence from acquiring agencies and contracting officers before particular cybersecurity standards are imposed on contractors. That could be a positive development. At present, contractors are often left uncertain or completely confused as to why cybersecurity controls are included in their contracts or to what specific data those controls should apply. As most companies know all too well, CUI and CDI identification has not been the Government’s strongest skill. The inclusion of clearer guidelines in Sections L and M, stating the security level required for contract performance, may give contractors more certainty as to what specifically must be done with what type of data. It will also give contractors an incentive to become compliant or risk proposal rejection. This change, together with the recognition that enhanced security may not be necessary for every acquisition, could give small and medium-sized businesses more economic freedom to compete with major prime contractors. Lacking the economies of scale of larger firms, smaller businesses could focus their limited cybersecurity dollars on robust, lower-level certifications (for example, Level 3) rather than trying to keep up with larger companies able to fund systems capable of chasing and winning Level 4 and Level 5 opportunities. Moreover, DoD’s efforts suggest a commitment to working with contractors to make this program a success. Recognizing what most contractors are dealing with, DoD appears to understand that if the program is to work, cybersecurity is not something that can simply be mandated with an iron fist. With a reported 70% of Government intellectual property and data resident on contractor information systems, DoD understands that industry must be engaged and encouraged to recognize that data security is an important and mutually beneficial part of federal procurement.
The challenge facing contractors, of course, is that the Government is again fiddling with its security requirements by allowing a sliding scale of protection. While, in practice, this may allow the Government purchaser to apply more exacting standards, there is also a very real chance that every acquisition will bear a Level 5 requirement. If the application of DFARS 252.204-7012 has revealed anything, it is that contracting officers are reluctant, or outright afraid, not to include the clause in every single contract they draft, whether warranted or not. Giving contracting officers a sliding scale does not immediately hinder that practice, and DoD appears aware of that. Accordingly, “reeducation” is underway this summer through revisions to DoD’s acquisition manuals (the DoD Directive 5000 series) to make them a more concise and user-friendly length, and through the insertion of CMMC requirements into courses for project managers and contracting officers at Defense Acquisition University. Moreover, for contractors confused about just how much security is enough, a tiered system may lead to additional confusion or, perhaps, additional protests as contractors attempt to dissuade acquiring activities from demanding enhanced security requirements on certain procurements.
While it seems simple to say that there is a single standard, in practice there is a single standard (CMMC) with multiple sub-standards (levels) applying one guideline (NIST SP 800-171) to varying degrees of enhancements. Note also that this push for a single standard arrives alongside three other changes:
- The recently released update to NIST SP 800-171, called “Revision 2;”
- The newly created 800-171 supplement for enhanced security, NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets; and
- The impending comprehensive update expected in SP 800-171, called “Revision 3.”
These new additions to contractors’ cybersecurity requirements will surely create additional confusion in the near term. In other words, once put into practice, CMMC might not be as simple as it appears.
Adding to that complexity is the manner in which CMMC requirements will or may address cloud computing services employed by and/or offered by contractors. There is already a significant amount of confusion about just how much security should be demanded of contractors’ cloud service providers, and layering CMMC on top of that may add some interesting wrinkles. Similarly, FedRAMP-authorized contractors and those that have already obtained an authority to operate under the DoD Cloud Computing Security Requirements Guide (SRG) should pay particular attention to how CMMC’s various levels apply to their respective cloud products.
Listen Closely During Upcoming Events
As with any soft opening, word is spreading gradually, and DoD is in the process of setting up websites, FAQs, and industry days to give more contractors more details about the program. While a simple Google search on “CMMC” returns very little at present, a website is forthcoming, and the official word about the program is expected to be announced during the Department of the Navy Gold Coast Small Business Procurement Event in San Diego, CA, July 24-26, 2019. Following that announcement, DoD plans an eleven-city CMMC whistle-stop tour of listening sessions and industry days in San Antonio, TX; Huntsville, AL; Tampa, FL; Boston, MA; Washington, D.C.; Phoenix, AZ; Detroit, MI; Colorado Springs, CO; Seattle, WA; and Kansas City, MO. The CMMC is expected to launch in full by January 2020 (approximately five months from this writing). This release date anticipates that contractors will have sufficient time to obtain CMMC certification by June 2020, when they should begin seeing certification requirements in contract requests for information, and before actual solicitations containing the CMMC’s go/no-go requirements are released in the fall of 2020.
So Now What?
Cybersecurity compliance is growing more crucial by the day. While DoD is currently in the midst of determining how a contractor may be assessed for CMMC compliance, that developmental process should in no way hinder contractors’ efforts to align with the existing requirements of DFARS 252.204-7012. Operate in conformance with your System Security Plans. Keep marching toward closing out your Plans of Action and Milestones (POA&Ms). Do not stop. If a contractor wishes to remain eligible for future DoD awards, nothing in the proposed construction of CMMC suggests that contractors should stop those efforts. At the very least, compliance with NIST SP 800-171 may mean that contractor systems are operating up to Level 3 and open to awards for contracts at that level by next fall. Moreover, with cybersecurity as an allowable cost, make sure you are prepared to properly segregate and account for those costs. If you have or need additional security requirements, don’t be shy about properly allocating those costs, but be prepared to do it correctly, since the Government, while investing in cybersecurity, will still be unwilling to pay for data security enhancements not attributable to its acquisitions. For cloud service providers and cloud products, there may be a little more uncertainty. With third-party auditors being contemplated and cloud providers often unwilling to show too much of what lies behind the curtain, contractors should expect more guidance on how best to accommodate the ubiquitous use of cloud computing or, in the absence of guidance, consider how best to navigate new cloud-related services and contracts on their own in light of these changes.
Have any questions? Give us a call or send us an e-mail. We’re always here to help.