After months of review, on November 4, 2021, the Department of Defense (DoD) finally unveiled its new version of the Cybersecurity Maturity Model Certification (CMMC 2.0). Well, almost. In a blink-and-you’ll-miss-it moment, the Department posted to the Federal Register, then quickly withdrew, new federal regulations highlighting the changes in CMMC. Most of those changes, however, were ultimately described on the OUSD Acquisition & Sustainment website, where they remain posted and available. In conducting its review of CMMC 1.0, the DoD focused largely on clarifying the standard and reducing the cost impact on the Defense Industrial Base (DIB). The result? A “been there, already had to do that” standard that should leave the DIB relatively pleased and the burgeoning CMMC accreditation industry mildly perplexed. In place of the five-tiered, third-party-assessed cybersecurity framework addressing data confidentiality, integrity, and availability, CMMC 2.0 presents as a three-tiered, largely self-assessed bolstering of the NIST SP 800-171 safeguarding requirements that contractors in possession of “Covered Defense Information” (CDI) are already required to implement under DFARS 252.204-7012.
On May 12, 2021, the Biden administration unveiled a rather expansive executive order intent on “Improving the Nation’s Cybersecurity.” The lengthy and sweeping order is a comprehensive national cybersecurity overhaul. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the order also prescribes:
Akin to the exasperations of the newly minted “homeschool teachers” the pandemic has created, the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) is a mix of sound logic and utter frustration. The lengthy and sweeping Order is resoundingly one of the most comprehensive national cybersecurity overhauls to date and ushers the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) into a forward-leaning position of leadership that has been missing since its inception. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the Order also prescribes (i) the implementation of cyber incident sharing requirements between the Government and private industry; (ii) security requirements for software development; and (iii) the inclusion of software bills of materials, operational technology (e.g., industrial machining), and the internet of things in the fabric of cybersecurity regulations. Set against the backdrop of an ambitious timeline that calls for drastic changes before the end of this fiscal year (i.e., September 30, 2021), the Order requires that the Federal government scale administrative mountains at breakneck speed while simultaneously working with industry and developing new regulations with which contractors will have to comply in short order. While a brief summary of the Order is provided below, the size and magnitude of the Order call for a larger analysis. Accordingly, we have prepared a user-friendly Analysis of the Order that includes considerations for manufacturers and government contractors. Additionally, to better explain the compliance timeline associated with the Order, a listing of the EO Key Dates is provided for convenience.
Undoubtedly a great film for its day, the 1982 classic Poltergeist might not have aged as well as the filmmakers had hoped. But the vivid imagery, jump scares and creepy marketing the PG-rated “family” movie employed remain burned into the minds of many. For those unfamiliar with the Tobe Hooper-directed, Spielberg-produced classic, a “poltergeist” is largely understood as a ghost or other supernatural being responsible for physical disturbances such as loud noises and thrown-around objects. As seasoned Government contractors know all too well, the same could be said of cybersecurity regulations. Don’t believe us? Just ask your information technology and information security professionals about the coffee mug shards scattered in the corner or the stapler embedded in the computer monitor. Constantly evolving cybersecurity regulations, arriving seemingly out of nowhere, are a fact of contractor life and are as sure to strike as that creepy clown doll in the rocking chair. As if on cue, more have arrived. Was that a crash we heard?
In the seminal holiday film A Christmas Story, nine-year-old Ralphie Parker uses his diligently earned Little Orphan Annie Secret Society decoder pin to decrypt the secret message from Annie to her fans, only to express disappointment and confusion when he realizes the “secret code” he decrypted is nothing more than a marketing ploy to sell more Ovaltine. Although neither drinking copious amounts of Ovaltine nor possessing a Little Orphan Annie decoder pin is a requirement of a federal contractor’s cybersecurity program, the use of encryption (like that employed by Ovaltine and its plucky propagandist) cannot be avoided. The challenge, of course, is approaching encryption in a manner that avoids the same irritating bewilderment experienced by Ralphie Parker. Modern encryption, while inherently and necessarily enigmatic, need not be overcomplicated, and that’s a good thing, because federal contractors, particularly Department of Defense contractors, now face specific encryption standards they must meet to satisfy and maintain certain federal cybersecurity requirements, or bear the significant risk that comes with noncompliance. NIST SP 800-171, for example, requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of controlled unclassified information, so the choice of algorithm alone is not enough; the implementation must be a validated one. Whether a contractor falls under the auspices of Federal Acquisition Regulation 52.204-21, Defense FAR Supplement 252.204-7012, or the newly unveiled Cybersecurity Maturity Model Certification (CMMC), contractor use of encryption is poised to be a critical element of compliance for the Federal Government over the next decade. Contractors therefore must have a working knowledge of federal encryption standards, both to understand how those standards apply to the storage and handling of data and to judge whether they can truly comply with them, as well as to understand which information technology products they are permitted to provide to the Government.
There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released draft version 0.6 of the standard.
So you want to acquire a government contractor? Makes sense, and you’re not alone. Over the past few years, the federal contracting landscape has continued to evolve as a result of mergers and acquisitions (M&A), primarily involving the acquisition of small and midsize contractors by larger entities as a means to quickly expand into new federal markets. This trend is especially prevalent in the information technology (IT) market, where the acquisition of small or midsize IT firms with new capabilities can provide larger firms with shiny new toys to share with their roster of government clients to gain a larger share of the federal IT “pie,” if not create, almost overnight, new IT market leaders in areas such as cloud computing, cybersecurity, software, and predictive intelligence.
As DoD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and planned updates to NIST publications, but also weigh those efforts against the Defense Contract Management Agency’s (DCMA) auditing efforts, the revised Contractor Purchasing System Review (CPSR) Guidebook, and the new Cybersecurity Maturity Model Certification (CMMC) program. Information on how these efforts align, along with practical guidance for weathering these changes, can be found in Part 1 and Part 2 of the Feature Comment.
DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provided much-needed guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. The Feature Comment addresses certain changes to NIST publications, the auditing effort underway by DCMA, and the Cybersecurity Maturity Model Certification (“CMMC”) program that will likely be implemented by DoD in the coming months.
As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the five-level, tiered Cybersecurity Maturity Model Certification (CMMC). At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and contractors with more exacting cybersecurity requirements for future acquisitions. What’s unique about the CMMC rollout is the lack of written guidance on the program. DoD representatives have provided the majority of publicly available information about CMMC only orally, during various webinars and defense-industry events held over the past couple of months. Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.