New Cybersecurity Certification Required for DoD Contractors

May 20, 2020

At the end of January 2020, the Department of Defense (DoD) released its Cybersecurity Maturity Model Certification (CMMC) Version 1.0, which sets forth a five-level framework for cybersecurity processes and best practices for government contractors to curtail the theft of intellectual property and sensitive information. The CMMC draws from existing cybersecurity standards and is designed to enhance the cybersecurity posture of all contractors and suppliers in the DoD supply chain. The CMMC aims to minimize the risk of loss from a cybersecurity incident at any point in the supply chain, stating that such loss “can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security.”

Application

All prime contractors and subcontractors hoping to obtain new work with DoD during or after 2026 must reach at least Level 1 by Fiscal Year 2026. CMMC requirements are limited to future work and will not affect existing contracts or apply retroactively.

Timing

DoD plans to issue implementing regulations in summer 2020 as well as start a “Pathfinder Program” in which several contractors will test the certification process. It expects to issue an initial 10 Requests for Information with CMMC requirements in June 2020 and 10 Requests for Proposal in October 2020, with each contract expected to involve up to 150 subcontractors.

CMMC certification will deepen a company’s cybersecurity commitment internally and externally. To obtain certification at a given level, contractors are required to not only implement level-specific practices, but also achieve a certain level of maturity regarding the implementation of such practices. For example, Level 1 simply requires contractors to “perform” the practices, whereas Level 3 requires all the related practices to be “managed,” and Level 5 requires all the practices to be “optimized.”

Changes

The most significant change for prime contractors and subcontractors is the replacement of the “self-attestation” model for certifying compliance with cybersecurity standards. CMMC certification requires assessment by an outside auditor.

Subcontractor-specific Considerations

Imposing cybersecurity compliance on subcontractors and all other levels of the supply chain was a key focus of the regulators. Ellen M. Lord, Undersecretary of Defense for Acquisition and Sustainment, noted in a recent press conference, “We know that the adversary looks at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain.” DoD also recognizes potential “flow down” issues and notes that subcontractors might not be required to meet the same certification level as the prime contractor. The required certification mainly depends on the data involved, including whether there is any controlled unclassified information (CUI), which requires a higher level of protection. For example, if a subcontractor does not receive any CUI from the prime contractor, then it would suffice for the subcontractor to meet Level 1, even though the prime contractor needs to achieve Level 3. Subcontractors therefore might be in a more reactive role. 

To help subcontractors comply with Levels higher than 1, prime contractors could facilitate subcontractors’ certification for a specific contract (or series of contracts) by providing a compliant, secure network within which subcontractors can work. Collaboration like this could reduce the burden on small companies that lack the sophistication or staff to ensure the requisite cybersecurity on their own. 

Overall Benefits and Burdens

Below are some of the anticipated benefits and burdens of CMMC certification.

Benefits

  • Allows for long-term planning, since a CMMC certification will last for three years and is valid across any DoD branch or government agency.
  • Decreases potential liability under the False Claims Act through use of neutral, third-party certification.
  • Improves the business’s own data hygiene and cybersecurity, providing protection against breaches or hacks.

Burdens

  • Potential increase in cost of compliance, depending on the level of certification needed for a given contract and the company’s prior level of cybersecurity.
  • Potential costs of “over-compliance” (e.g., a prime contractor undertakes significant cost to attain Level 4 to be eligible for a specific contract, but then is not chosen).
  • Competitive concerns arising from a limited pool of certified businesses and from the Pathfinder Program, because companies receiving early contracts might be more likely to be chosen again.

Next Steps

To help them decide whether to seek CMMC certification, prime contractors and subcontractors should begin evaluating their current DoD contracts to determine whether they currently have access to CUI and the activities related to that information. Prime contractors should also evaluate vetting procedures for their subcontractors. Prime contractors and subcontractors having access to CUI might also consider conducting pre-audit assessments to help them prepare for evaluations of their CMMC practices by official auditors.

Cybersecurity requirements constantly evolve, and the CMMC requirements are no exception. If you need any assistance with preparing for CMMC certification, assessing contracts, or determining the most effective path forward for developing and maintaining compliant processes and equipped personnel, please contact one of the authors above or another member of Lewis Rice's Cybersecurity & Data Privacy Group. 
