As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.
That word-of-mouth rollout continued during a July 9 presentation at the National Defense Industrial Agency Procurement Division Meeting in Washington, D.C. During this presentation, Ms. Arrington both reconfirmed some previously discussed details about the CMMC program and provided additional insight into program components that will be of interest to contractors doing business with DoD when the program comes to fruition.
What Was Reconfirmed
Ms. Arrington’s July 9 presentation reconfirmed a number of previous public statements from DoD representatives regarding certain details of the CMMC program, such as:
- Certification of CMMC status will be a technical, pass/fail requirement to be evaluated at the proposal stage. DoD’s concern with increased cybersecurity threats makes it imperative that only CMMC-certified contractors should be doing business with DoD. Ms. Arrington suggested that revisions to Sections L and M of RFPs that include the certification process could be fast-tracked and implemented without regulatory changes to the Defense Federal Acquisition Regulation Supplement (DFARS).
- Cybersecurity costs (including costs associated with obtaining certification) will be allowable for certain types of contracts.
- The CMMC is intended to be a cost-effective and flexible standard to meet the limitations of small businesses.
- Third-party certifiers/auditors, after participating in a training program and being endorsed by DoD, will assess CMMC compliance.
Ms. Arrington also revealed a number of new details about certain facets of the CMMC program. The most significant details are summarized below.
New Details on the CMMC Program
- CMMC compliance will be required for all DoD contracts AND all tiers of contractors – DoD believes that to protect against threats to its supply chain, all companies doing business with DoD must be certified, at a minimum, as meeting CMMC Level 1 standards. Let us say that again: Regardless of whether the contract places Covered Defense Information (CDI) in the hands of a contractor, a contractor selling to DoD must be certified to at least Level 1 standards. Further, the certification requirement applies to all tiers of subcontractors. Yes, that means all companies in the DoD supply chain, including the second, third, and fourth subcontracting tiers and beyond, must be CMMC certified before they can be used in the performance of work under a DoD contract. What’s more, prime contractors will be responsible for collecting these certifications.
- Real-time, “holistic” scoring of a contractor’s cybersecurity compliance – In addition to the ongoing CMMC certification process, DoD contractors will also receive real-time, remote scoring of their cybersecurity measures during contract performance, similar to a person’s credit rating. A CMMC certification “gets the contractor in the door,” but DoD is also concerned with a contractor’s ability to maintain CMMC security standards during contract performance. DoD views real-time monitoring as a tool to assist certified contractors in fixing system vulnerabilities. Ms. Arrington suggested that there were tools already in place to conduct the real-time monitoring and scoring, but did not provide details as to how it can be accomplished.
- No change to the DFARS – At this time, DoD does not anticipate revising the DFARS, including DFARS 252.204-7012, to address the CMMC program. However, a revision will be made in the future. The CMMC standard applicable to a particular acquisition will be reflected in RFP Sections L and M. There was no discussion of any of the pending revisions to the NIST Special Publications or the long-gestating FAR Case addressing broader and/or more enhanced cybersecurity requirements.
- A more defined time line for CMMC implementation – By January 2020, DoD aims to finalize CMMC standards and begin certifying contractors. Additionally, DoD is targeting June 2020 and September 2020 to begin incorporating CMMC requirements into RFIs and RFPs, respectively.
- CUI and CDI will be redefined – The National Archives and Records Administration is currently revising the definitions of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). Revising the scope of CUI/CDI will likely impact the cybersecurity requirements (e.g., CMMC levels) for protecting such data. Stay tuned for updates.
- CMMC compliance certification expiration – The length of time a CMMC certification will last is still up for debate. However, Ms. Arrington stated that she prefers a “biannual” certification requirement, although a more frequent certification requirement is not off the table.
- Revising DODI 5000.2 – DoD will be revising the “Cybersecurity in the Defense Acquisition System” section of DoD Instruction 5000.2, “Operation of the Defense Acquisition System” acquisition manual, and will issue the revised section as a separate instruction. The revision draft is due in October 2019, and a final version is anticipated in January 2020.
Plainly, DoD still has a lot of work to accomplish if it is targeting a CMMC rollout in just over four months. That is going to be challenging, because it’s clear that the CMMC is very much a work in progress. Additional details about the program are being unveiled on a rolling basis throughout the remainder of 2019. Although the lack of definitive guidance may give DoD contractors heart palpitations, the “word of mouth” rollout of the program also provides a forum for real-time industry comments on the known details of the program. Certainly, DoD is interested in receiving industry feedback on the CMMC program, and it has already scheduled listening sessions and industry days in eleven cities before the anticipated mid-2020 launch.
In the meantime, DoD contractors should not take their foot off the gas in the race to comply with the existing requirements of DFARS 252.204-7012. Most DoD contractors are already bound by the provisions of the clause and must comply. Both existing contractors and new entrants to the DoD marketplace are well advised to seek counsel to understand the compliance obligations in this ever-changing landscape – and to begin preparations for when the DoD-sanctioned certifier knocks on the door.