Cybersecurity is not a new concern, but its attention has grown significantly in recent years due to the increasing sophistication of persistent threats to the defense base from foreign and domestic actors alike. By some accounts, the USG loses approximately $600 billion each year to cyber-related thefts. These concerns have been the driver for DoD’s Cybersecurity Maturity Model Certification (CMMC) initiative as a necessary means for establishing a unified framework of systems, controls and standards to safeguard national security interests. If you’ve been following this space, you know that CMMC represents the most ambitious cybersecurity overhaul in DoD history – a change which will impact every contractor (both prime and subs alike) within the entire defense base. After spending 2019 working closely with industry, academia, and other stakeholders issuing interim drafts based on thousands of public comments, with the January 31, 2020 release of Version 1.0, the DoD CMMC program is now finally live. Version 1.0 reflects DoD’s final certified system of cybersecurity controls and processes that contractors (and their teams) will need to have in order bid on future DoD procurements. DoD has confirmed that there will be no exceptions – if a contractor lacks the certification level set forth in a solicitation, it will not be able to participate in the procurement.
Under Version 1.0, there will be 17 domains (i.e., security disciplines) with a total of 43 capabilities for achieving the objectives under those domains, which in turn will be implemented by up to 171 technical practices depending on which of five progressively more rigorous certification levels that a contractor may seek to obtain. In addition, there will be up to five processes intended to demonstrate the maturity or effectiveness of a company’s institutional procedures aimed at monitoring, maintaining and promoting an organizational culture of compliance.
With regard to the certification levels themselves, depending on the type of work contractors do or may wish to do and the sensitivity/classification of the information that they may receive or handle (i.e., federal contract information, controlled unclassified information or more sensitive information), contractors will need to obtain one of five available levels of cybersecurity certification, each with increasingly complex requirements, controls and processes needed to obtain that certification (for example there are 17 practices for Level 1 whereas there are 130 practices for Level 3). The five certification levels are as follows: Level 1 (Basic Cyber Hygiene); Level 2 (Intermediate Cyber Hygiene); Level 3 (Good Cyber Hygiene); Level 4 (Proactive); and Level 5 (Advanced/Progressive). Significantly, unlike under current defense acquisition regulations, where contractors may self-certify their compliance with a cybersecurity plan, CMMC 1.0 will require contractors of all sizes (large and small) and in all roles (prime contractors and subcontractors) to undergo an independent cybersecurity audit performed by an approved third-party CMMC assessment entity in order to receive a CMMC certification level. However, even with CMMC 1.0, contractors will still be required to comply with any currently applicable DoD cybersecurity regulations as those regulations may contain obligations or requirements beyond CMMC 1.0.
This area is fast moving and still developing, but here are the key takeaways we see at present:
1. DoD will cautiously roll out CMMC 1.0 by selecting a handful of “pathfinder” procurements this year to begin implementing the program and evaluate the success and challenges of the phase-in period. Specifically, DoD plans on selecting 10 RFIs in Q3 and 10 RFPs in Q4 incorporating CMMC certifications for those procurements. Moreover, these pathfinder procurements are expected to consist of a mix of Level 1 to Level 5 CMMC certifications, which DoD expects will impact 150 contractors in the supply chain. However, DoD has announced that all defense procurements – including those for commercial items – will be subject to CMMC requirements by 2026.
2. To this end, DoD has constituted a 13-member CMMC Accreditation Body (AB) drawn from industry, the cybersecurity community and academia. The AB will be responsible for selecting and training a group of Certified Third-Party Assessment Organizations (C-3PAOs) that will conduct the actual audit assessments for contractors for certification purposes. Although no firm date has been set to conclude this process, we anticipate a target date around early spring 2020.
3. In or around Q2 of 2020 (most likely March or April), we further anticipate the establishment of a CMMC Marketplace where contractors can find C-3PAOs that have been selected and qualified by the AB, learn about those organizations, and schedule a CMMC audit for their organization. Moreover, in or around June 2020, DoD plans to offer additional resources through the Defense Acquisition University to further educate contractors about the CMMC 1.0 rollout, which we expect should be of most benefit and utility to small businesses.
4. As there are approximately 300,000 companies in the DoD supply chain, we can expect a surge by contractors to get certified as soon as possible, as the lack of certification will amount to a barrier to entry to the DoD marketplace that few companies can ill afford the time, delay and opportunity cost to waste.
5. Given the likelihood of a first-come, first-served scramble by contractors to become certified and the significant audit queue that is equally likely follow, it is essential for contractors (if they haven’t already) to conduct an internal gap analysis regarding the present state of their organization’s cybersecurity readiness, including reviewing existing controls, systems, practices and identifying areas of vulnerability, including potential solutions to resolve those weaknesses. To conduct an effective analysis, contractors will need to review the types of sensitive government information they handle or will handle on DoD contracts. This assessment will be critical in identifying the appropriate level of certification that will be needed and what steps the company will need to undertake to obtain that certification. Contractors must resolve these issues before going into an audit (perhaps even conducting a “dry” run) to ensure that they pass review the first time and do not waste time by having to go through the process a second time. We cannot underscore enough the importance of being overprepared before entering an audit, since audit details – to include process, sufficiency, timing and length – remain unknown at this time.
7. As CMMC 1.0 requirements will also apply to subcontractors, prime contractors should evaluate their supply chains to identify qualified partners who will be able to support upcoming procurement opportunities. The same considerations discussed above apply to subcontractors, as they also will need to be positioned (and certified) to participate on prime contractor teams when procurement opportunities arise. An additional consideration, however, is that prime contractors and their subcontractors do not necessarily need to have the same CMMC certification level. For example, a Level 3 prime contractor may only need Level 1 certified subcontractors because, for example, those firms may not be handling controlled unclassified information. The bottom line is that the barriers to entry imposed by CMMC 1.0 require significant upfront preparation on the part of all parties to ensure that they are well positioned, and not barred, from pursuing forthcoming DoD procurements as they arise. Thus, it is doubly important to think well ahead about the role and work that each party is contemplating to perform.
8. DoD plans on implementing a new rule in the Defense Federal Acquisition Regulation in late spring/early summer 2020 implementing CMMC, but no exact timeframe has been identified.
9. Finally, contractors should track their costs relating to CMMC 1.0 compliance and certification as such expenses may be reimbursable by the government.
If you are interested in gaining more insight on CMMC, join Howard Roth who will be speaking at the PNDC webinar, “Understanding and Complying with the Department of Defense’s (DOD) New Cybersecurity Maturity Model Certification (CMMC)” on Thursday, April 9th.
For more information on how to navigate these cybersecurity changes, contact Howard Roth.