In January, the Department of Defense (“DoD”) released more information on its much-anticipated Cybersecurity Maturity Model Certification (“CMMC”) framework. While a final rule is not expected until the fall, contractors need to begin preparing now so they do not miss out on DoD contract opportunities.
What Is the CMMC?
The CMMC is a certification system that all DoD prime and subcontractors must comply with to be eligible to compete for and perform future DoD contracts. Under the new CMMC requirements, an accreditation body tapped by DoD will begin training third-party assessors in the spring of 2020; those assessors will in turn certify defense contractors under the CMMC. There will be five CMMC certification levels, of ascending sophistication:
- Level 1 – Basic Cyber Hygiene
- Level 2 – Intermediate Cyber Hygiene
- Level 3 – Good Cyber Hygiene
- Level 4 – Proactive
- Level 5 – Advanced / Progressive
The contractor must comply with a combination of the following cybersecurity safeguards, depending on the certification level a contractor wants to achieve: (1) FAR 52.204 (Basic Safeguarding of Covered Contractor Information Systems); (2) NIST Special Publication 800-171 Revision 1 (“NIST Requirements”); (3) select subsets of a supplement to the NIST Requirements called NIST SP 800-171B; and (4) up to 171 “practices” identified in the CMMC. Though this may sound like a lot for contractors to process, DoD has released helpful appendices that put many of the requirements in easy-to-understand terms.
When Will I Need to Comply with the CMMC?
DoD says that contractors can expect to see CMMC requirements as part of Requests for Information starting in June 2020. A final rule is expected to be issued in the fall of 2020. With that said, DoD is expected to roll out these requirements gradually, so that the CMMC will not be fully implemented until 2026.
What Certification Level Do I Need?
This is one of the major outstanding questions. As an initial matter, the CMMC will not apply to contractors’ existing contracts, unless a contract is specifically modified to include the CMMC. For a new contract, the solicitation will identify the CMMC level the contractor must hold to be eligible to compete for that particular contract.
As a general rule, if a contractor is performing non-sensitive work (e.g., food services, groundskeeping, etc.), the contractor will need to be certified only at CMMC level 1 or 2. If a contractor anticipates that its future DoD contracts will involve the use or handling of controlled unclassified information (“CUI”), then the contractor should anticipate a requirement to be certified at CMMC level 3 or higher. Contracts involving classified information will likely require a level 4 or 5 CMMC certification. Most contracts are expected to require a CMMC level 3 certification. Fortunately, if contractors are compliant with DoD’s current cybersecurity requirements, DFARS 252.204-7012 (Safeguarding covered defense information and cyber incident reporting), then they should be well-positioned to achieve CMMC level 3 certification.
Why Should I Comply with the CMMC?
Contractors should comply with the CMMC to ensure breadth of opportunities in competing for future DoD contracts. DoD will use the CMMC as a Go/No-Go criterion when it evaluates offerors. In other words, if a solicitation states that offerors must be certified at CMMC level 3, and your company is certified only at CMMC level 2, then you will be ineligible to compete for that contract.
Strong CMMC compliance might also make contractors more competitive in DoD procurements. DoD has indicated that contractors who exceed the designated CMMC level will receive a higher rating than contractors who simply meet the designated CMMC level. For example, if a procurement requires contractors to have a CMMC level 3 certification, and two contractors’ proposals are equal in all respects, but one contractor holds a CMMC level 3 certification and the other holds a CMMC level 4 certification, the latter contractor may win the award on that basis.
Finally, contractors who knowingly fail to comply with or recklessly disregard the CMMC expose themselves to potential liability under the False Claims Act (“FCA”). Cybersecurity is an increasingly critical priority to DoD and the United States given recent efforts from adversaries such as Russia and China to steal sensitive Government information. Recent cases also show that courts are now entertaining FCA lawsuits premised on a contractor’s failure to comply with current DoD cybersecurity regulations. If contractors fail to diligently comply with the CMMC, and do not alert the Government to those deficiencies, they are at risk of significant FCA liability.
What Should I Do Now?
First, contractors should determine the kind of future DoD contracts they will compete for, to gauge what CMMC level will likely be required to be eligible to compete for new work. Remember, if a contractor expects that it will be handling or using CUI, it should anticipate a requirement to be certified at CMMC level 3, if not higher.
Second, contractors should make sure they comply with current DoD cybersecurity regulations. Currently, defense contractors are required to “self-certify” that they comply with DoD’s cybersecurity requirements under DFARS 252.204-7012. However, many contractors still do not meet these requirements. They should quickly bring their cybersecurity protocols into compliance with DFARS 252.204-7012, or they will not be certified above CMMC level 2.
Finally, contractors should review the guidance DoD has provided to date to start preparing their organizations for the CMMC. While we do not know the exact shape of the final CMMC rule, DoD has identified the “practices” and other regulatory requirements that contractors must meet for each CMMC level. If contractors start implementing these “practices” and requirements now, they will be in a strong position once the CMMC is officially implemented.