Billee Elliott McAuliffe, Cybersecurity & Data Privacy Practice Group Leader

At the end of January 2020, the Department of Defense (DoD) released its Cybersecurity Maturity Model Certification (CMMC) Version 1.0, which sets forth a five-level framework for cybersecurity processes and best practices for government contractors to curtail the theft of intellectual property and sensitive information. The CMMC draws from existing cybersecurity standards and is designed to enhance the cybersecurity posture of all contractors and suppliers in the supply chain of DoD. The CMMC aims to minimize the risk of loss from a cybersecurity incident at any point in the supply chain, stating that such loss, “can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security.”

Application

All prime contractors and subcontractors hoping to obtain new work with DoD during or after 2026 must reach at least Level 1 by Fiscal Year 2026. CMMC requirements are limited to future work and will not affect existing contracts or apply retroactively.

Timing

DoD plans to issue implementing regulations in summer 2020 as well as start a “Pathfinder Program” in which several contractors will test the certification process. It expects to issue an initial 10 Requests for Information with CMMC requirements in June 2020 and 10 Requests for Proposal in October 2020, with each contract expected to involve up to 150 subcontractors.

CMMC certification will deepen a company’s cybersecurity commitment internally and externally. To obtain certification at a given level, contractors are required to not only implement level-specific practices, but also achieve a certain level of maturity regarding the implementation of such practices. For example, Level 1 simply requires contractors to “perform” the practices, whereas Level 3 requires all the related practices to be “managed,” and Level 5 requires all the practices to be “optimized.”

Changes

The most significant change for prime contractors and subcontractors is the replacement of the “self-attestation” model for certifying compliance with cybersecurity standards. CMMC certification requires assessment by an outside auditor.

Subcontractor-specific Considerations

Imposing cybersecurity compliance on subcontractors and all other levels of the supply chain was a key focus of the regulators. Ellen M. Lord, Undersecretary of Defense for Acquisition and Sustainment, noted in a recent press conference, “We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain.” DoD also recognizes potential “flow down” issues and notes that subcontractors might not be required to meet the same certification level as the prime contractor. The required certification mainly depends on the data involved, including whether there is any controlled unclassified information (CUI), which requires a higher level of protection. For example, if a subcontractor does not receive any CUI from the prime contractor, then it would suffice for the subcontractor to meet Level 1, even though the prime contractor needs to achieve Level 3. Subcontractors therefore might be in a more reactive role. 

To help subcontractors comply with Levels higher than 1, prime contractors could facilitate subcontractors’ certification for a specific contract (or series of contracts) by providing a compliant, secure network within which subcontractors can work. Collaboration like this could reduce the burden on small companies that lack the sophistication or staff to ensure the requisite cybersecurity on their own. 

Overall Benefits and Burdens

Below are some of the anticipated benefits and burdens of CMMC certification.

Benefits

• Allow for long-term planning, since a CMMC certification will last for three years and is valid across any DoD branch or government agency. 
• Decrease potential liability under the False Claims Act through use of neutral, third-party certification.
• Self-care benefit of increased data hygiene and cybersecurity for businesses as protection against breaches or hacks. 

Burdens

• Potential increase in cost of compliance, depending on the level of certification needed for a given contract and the company’s prior level of cybersecurity.
• Potential costs of “over-compliance” (i.e., a prime contractor undertakes significant cost to attain Level 4 to be eligible for a specific contract, but then is not chosen).
• Competitive concerns from a limited pool of certified businesses and the Pathfinder Program because companies receiving early contracts might be more likely to be chosen again.

Next Steps

To help them decide whether to seek CMMC certification, prime contractors and subcontractors should begin evaluating their current DoD contracts to determine whether they currently have access to CUI and the activities related to that information. Prime contractors should also evaluate vetting procedures for their subcontractors. Prime contractors and subcontractors having access to CUI might also consider conducting pre-audit assessments to help them prepare for evaluations of their CMMC practices by official auditors.

Cybersecurity requirements constantly evolve, and the CMMC requirements are no exception. If you need any assistance with preparing for CMMC certification, assessing contracts, or determining the most effective path forward for developing and maintaining compliant processes and equipped personnel, please contact one of the authors above or another member of Lewis Rice's Cybersecurity & Data Privacy Group.