Category: Cybersecurity

Understanding the Basics of CMMC Level 3

Michael Joseph Montalbano 

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2.  In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply.  DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.”  We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI.  DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.    

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification.  First, the contractor must obtain a CMMC Level 2 certification.  This means that a Certified Third-Party Assessor Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 rev. 2 security requirements.  Note that because the proposed CMMC rule requires a CMMC Level 2 certification—a third party assessment—a CMMC Level 2 self-assessment will not suffice.

Continue reading “Understanding the Basics of CMMC Level 3”

Understanding the Basics of CMMC Level 2

Michael Joseph Montalbano 

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.

What contracts will be subject to CMMC Level 2?

CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The Government currently recognizes 20 categories of CUI, all of which are listed on the National Archives website. Those CUI categories include information related to defense, export-controlled information, intelligence, and procurements. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 verification once the rule has gone into full effect.

Continue reading “Understanding the Basics of CMMC Level 2”

Understanding the Basics of CMMC Level 1


Michael Joseph Montalbano 

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS, DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.

Continue reading “Understanding the Basics of CMMC Level 1”

The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano 

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

  • Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.
Continue reading “The Department of Defense Issues Proposed Timeline for CMMC Implementation”

The Department of Defense Releases Proposed CMMC Rule

Michael Joseph Montalbano 

The Department of Defense (“DoD”) has released a draft of its proposed Cybersecurity Maturity Model Certification (“CMMC”) Program rule just in time for the holidays. The rule—which is scheduled to be published December 26, 2023—is over 200 pages, and we will publish follow-up articles as we have time to analyze the new requirements. At a high level, here is what DoD has proposed:

  • Tiered Model: CMMC requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. Those levels range from CMMC Level 1 (the most basic level) to CMMC Level 3 (the most advance level).
  • Assessment Requirement: CMMC requires certain contractors at CMMC Levels 2 and 3 to undergo third-party assessments, which allows DoD to verify the implementation of the CMMC cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors handling sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
Continue reading “The Department of Defense Releases Proposed CMMC Rule”

Starting December 4th, Contractors Must Rid Supply Chains of Covered Articles and Sources Subject to FASC Orders

Robyn N. Burrows ●

Effective December 4, 2023, a new interim rule will prohibit contractors from delivering or using covered articles and sources subject to exclusion or removal orders issued under the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”). The rule is intended to eliminate certain technology from the federal supply chain that foreign adversaries might exploit to commit malicious cyber acts. The interim rule allows the executive branch through the Federal Acquisition Security Council (“FASC”) to exclude certain technologies and manufacturers from federal procurements and even to require removal of covered articles from federal or contractor information systems during performance.

The rule imposes a host of new obligations, including certification, monitoring, and reporting requirements. This post provides practical guidance on the rule and several compliance tips to help contractors prepare for the December deadline.

Background

Congress passed Section 202 of the FASCSA to protect the information and communications technology (“ICT”) supply chain against threats and vulnerabilities that may lead to data and intellectual property theft, damage to critical infrastructure, or national security harm. The Act established the FASC as an interagency council authorized to make recommendations for orders that would require the removal of covered articles from agency information systems (removal orders) or the exclusion of sources or covered articles from agency procurement actions (exclusion orders) (collectively referred to as “FASCSA orders”).

In August 2021, the FASC issued a final rule establishing procedures for recommending removal and exclusion orders. The FASC evaluates supply chain risk based on several non-exclusive factors and sends its recommendations to the Secretaries of Homeland Security and Defense and the Director of National Intelligence to consider when deciding whether to issue a FASCSA order. If a FASCSA order is issued, agencies are required to implement the exclusion or removal order.

Continue reading “Starting December 4th, Contractors Must Rid Supply Chains of Covered Articles and Sources Subject to FASC Orders”

The FAR Council Proposes Standardizing Cybersecurity Requirements

Michael Joseph Montalbano and Oliver E. Jury ●

On October 3, 2023, the FAR Council proposed two potentially significant cybersecurity rules. We discussed FAR Case No. 2021-017, which would impose a range of new cyber incident reporting requirements on nearly all government contractors, earlier this week. This post discusses FAR Case No. 2021-019, which seeks to standardize cybersecurity contractual requirements across federal agencies.

Who Will the Standardization of Cybersecurity Contractual Requirements Affect?

Under the proposed rule, the FAR Council would promulgate two new FAR clauses, FAR 52.239-YY (Federal Information Systems Using Non-Cloud Computing Systems) and FAR 52.239-XX (Federal Information Systems Using Cloud Computing Services). As drafted, the rule would affect contracts that involve the development and maintenance of federal information systems (“FIS”).

What is an FIS? The proposed rule defines FIS as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization, on behalf of a government agency.”

FAR 52.239-YY would be required in contracts acquiring FIS services that include (or are anticipated to use) non-cloud computing services during contract performance. The proposed clause would require flowdown to subcontractors at all tiers (provided those subcontractors may use non-cloud computing services). There would be no exception for acquisitions below the simplified acquisition threshold or acquisitions for commercial products, including commercially available off-the-shelf (“COTS”) items and commercial services, “because Government data and systems require protection regardless of dollar value.”

The FAR 52.239-XX requirements would largely mirror those in FAR 52.239-YY, albeit for contractors using cloud-based computing services during performance. Contractors would need to comply with both proposed clauses if they use both non-cloud and cloud-based computing services in support of contract performance.

Continue reading “The FAR Council Proposes Standardizing Cybersecurity Requirements”

The FAR Council Proposes New Cyber Incident Reporting Requirements

Michael Joseph Montalbano and Oliver E. Jury ●

On October 3, 2023, the FAR Council issued two proposed cybersecurity rules that could have significant implications for both Government prime and subcontractors. This post discusses the first rule, FAR Case No. 2021-017, which, if implemented, will impose an array of new cyber incident reporting requirements on nearly all government contractors. The second rule, FAR Case No. 2021-019, seeks to standardize cybersecurity contractual requirements across Federal agencies. We discuss the first rule in further detail here.

Who Would Have to Comply with the New Cyber Incident Reporting Rule?

Under the proposed cyber incident rule, the FAR Council intends to promulgate a new FAR clause, FAR 52.239-ZZ. In its current form, FAR 52.239-ZZ would apply to all contracts where “information and communications technology” (“ICT”) is used or provided in the performance of the contract.

What is ICT? ICT is just about anything computer related. ICT includes computers and their peripheral equipment, telecommunications equipment, computer software, and electronic documents. In other words, if a contractor uses a computer or related device in the performance of a government contract, then FAR 52.239-ZZ would likely apply.

Continue reading “The FAR Council Proposes New Cyber Incident Reporting Requirements”

Accreditation Body Releases CMMC Assessment Guidance

Michael Joseph Montalbano 

In July 2022, the Accreditation Body (“AB”) of the Cybersecurity Maturity Model Certification program (“CMMC”) released a 47-page CMMC Assessment Process guide (“CAP Guide”). The CAP Guide outlines the assessment process for contractors seeking a CMMC level 2 certification, which, as we discussed in earlier posts, is the required certification level for all contractors who expect to receive or store Controlled Unclassified Information (“CUI”).

The CAP Guide has been widely criticized by members of the Defense Industrial Base for being overly complicated and contrary to the Department of Defense’s (“DoD”) stated intention to reduce the complexity and cost of the CMMC program for small businesses. However, assuming it is adopted by the DoD, the CAP Guide includes helpful guidance for contractors that are beginning to prepare for their CMMC level 2 assessment.

Continue readingAccreditation Body Releases CMMC Assessment Guidance

Is Your Company Prepared for the New Cyber Incident Reporting Requirements?

Michael J. Montalbano

On March 11, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Law includes new reporting requirements for companies who experience cyber incidents or make ransomware payments.

Under the Law, covered entities that experience covered cyber incidents must report the incident to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred. Covered entities must also notify CISA within 24 hours of making a ransomware payment.

The new cyber reporting law tasks CISA with creating more precise definitions for who constitutes a “covered entity” and what constitutes a “cyber incident.” Even the general language of the statute, however, provides some guidance for companies.

Continue reading “Is Your Company Prepared for the New Cyber Incident Reporting Requirements?”