Michael Joseph Montalbano Archives - Page 2 of 4 - Government Contracts Navigator

Understanding the Basics of CMMC Level 3

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2. In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply. DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.” We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI. DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification. First, the contractor must obtain a CMMC Level 2 certification. This means that a Certified Third-Party Assessor Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 rev. 2 security requirements. Note that because the proposed CMMC rule requires a CMMC Level 2 certification—a third party assessment—a CMMC Level 2 self-assessment will not suffice.

Understanding the Basics of CMMC Level 2

Michael Joseph Montalbano ●

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.

What contracts will be subject to CMMC Level 2?

CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The Government currently recognizes 20 categories of CUI, all of which are listed on the National Archives website. Those CUI categories include information related to defense, export-controlled information, intelligence, and procurements. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 verification once the rule has gone into full effect.

Understanding the Basics of CMMC Level 1

Michael Joseph Montalbano ●

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS, DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.

The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano ●

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.

The Department of Defense Releases Proposed CMMC Rule

Michael Joseph Montalbano ●

The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:

Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Those levels range from CMMC Level 1 (the most basic level) to CMMC Level 3 (the most advance level).
Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo third-party assessments, which allows DoD to verify the implementation of the CMMC cybersecurity standards.
Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

The FAR Council Proposes Standardizing Cybersecurity Requirements

Michael Joseph Montalbano and Oliver E. Jury ●

On October 3, 2023, the FAR Council proposed two potentially significant cybersecurity rules. We discussed FAR Case No. 2021-017, which would impose a range of new cyber incident reporting requirements on nearly all government contractors, earlier this week. This post discusses FAR Case No. 2021-019, which seeks to standardize cybersecurity contractual requirements across federal agencies.

Who Will the Standardization of Cybersecurity Contractual Requirements Affect?

Under the proposed rule, the FAR Council would promulgate two new FAR clauses, FAR 52.239-YY (Federal Information Systems Using Non-Cloud Computing Systems) and FAR 52.239-XX (Federal Information Systems Using Cloud Computing Services). As drafted, the rule would affect contracts that involve the development and maintenance of federal information systems (“FIS”).

What is an FIS? The proposed rule defines FIS as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of a government agency.”

FAR 52.239-YY would be required in contracts acquiring FIS services that include (or are anticipated to use) non-cloud computing services during contract performance. The proposed clause would require flowdown to subcontractors at all tiers (provided those subcontractors may use non-cloud computing services). There would be no exception for acquisitions below the simplified acquisition threshold or acquisitions for commercial products, including commercially available off-the-shelf (“COTS”) items and commercial services, “because Government data and systems require protection regardless of dollar value.”

The FAR 52.239-XX requirements would largely mirror those in FAR 52.239-YY, albeit for contractors using cloud-based computing services during performance. Contractors would need to comply with both proposed clauses if they use both non-cloud and cloud-based computing services in support of contract performance.

The FAR Council Proposes New Cyber Incident Reporting Requirements

Michael Joseph Montalbano and Oliver E. Jury ●

On October 3, 2023, the FAR Council issued two proposed cybersecurity rules that could have significant implications for both Government prime and subcontractors. This post discusses the first rule, FAR Case No. 2021-017, which, if implemented, will impose an array of new cyber incident reporting requirements on nearly all government contractors. The second rule, FAR Case No. 2021-019, seeks to standardize cybersecurity contractual requirements across Federal agencies. We discuss the first rule in further detail here.

Who Would Have to Comply with the New Cyber Incident Reporting Rule?

Under the proposed cyber incident rule, the FAR Council intends to promulgate a new FAR clause, FAR 52.239-ZZ. In its current form, FAR 52.239-ZZ would apply to all contracts where “information and communications technology” (“ICT”) is used or provided in the performance of the contract.

What is ICT? ICT is just about anything computer related. ICT includes computers and their peripheral equipment, telecommunications equipment, computer software, and electronic documents. In other words, if a contractor uses a computer or related device in the performance of a government contract, then FAR 52.239-ZZ would likely apply.

How to Manage a Potential Whistleblower

Dominique L. Casimir, Jennifer A. Short, and Michael Joseph Montalbano ●

The federal False Claims Act (“FCA”) is one of the United States’ most effective tools to detect and prevent fraud against the Government. One reason the FCA is so effective is that it encourages the employees of an organization to come forward as claimants and receive a share of any financial recovery to the Government. Recognizing the central role of these whistleblowers in the FCA’s enforcement scheme, Congress included an anti-retaliation provision in the statute that protects them when they report suspected fraudulent conduct. Under the FCA’s anti-retaliation provision, employees, contractors, or agents can sue for damages on their own behalf if they are “discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against in the terms and conditions of employment because of lawful acts done” in connection with a reported FCA violation. 31 U.S.C. § 3730(h)(1). Likewise, nearly every state also affords some degree of whistleblower protection, either statutorily or in the common law.

Accreditation Body Releases CMMC Assessment Guidance

Michael Joseph Montalbano ●

In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).

The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.

Blank Rome Runs and Raises Money for Veterans Non-Profit

Attorney Michael Montalbano and Blank Rome’s Government Contracts group are raising money for Salute, Inc., a non-profit organization that provides financial assistance to U.S. veterans and their families. The fundraiser will culminate on October 9 with Michael running the Chicago marathon on behalf of both Salute, Inc. and Blank Rome. Michael provided the following statement about the fundraiser:

Many of our clients are led by or employ U.S. veterans. I have seen these veterans accomplish tremendous feats, whether it is developing state-of-the-art technology for the Government or supporting U.S. bases across the world.

I was looking for a veterans organization to support when I found that Salute, Inc. was sponsoring runners for the Chicago marathon. I have been an avid runner since law school, so I thought this was a good opportunity to both run the marathon and raise money for a good cause, supporting individuals who are such an integral part of the Blank Rome Government Contracts legal practice.

When I approached the head of our Government Contracts practice group, Justin Chiarodo, about the fundraiser, he immediately encouraged me to take on this challenge. He said to reach out to the attorneys in our practice group. They have a deep appreciation for our veteran clients and would certainly donate to this cause.

Justin was absolutely right. The attorneys and staff in my practice group and across the firm were eager to donate to the fundraiser. Within a few days, we exceeded our initial fundraising goal, and I am proud to say that we recently surpassed our revised fundraising goal.

As for training, I am on target to run the marathon on October 9. My goals are just to finish the race and raise money to help Salute, Inc. continue its important mission. Thanks to the support of my colleagues both of those goals are well within sight.

If you are interested in supporting this fundraiser, you can learn more and donate by clicking here.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: