Department of Defense Formally Implements Cybersecurity Maturity Model Certification Requirements for Department of Defense Contractors

On November 30, 2020, the U.S. Department of Defense (“DoD”) will begin to roll out the new Cybersecurity Maturity Model Certification (“CMMC”) framework that eventually will require all DoD contractors, subcontractors, and suppliers to receive cybersecurity assessments from third-party assessment organizations.

Existing Cybersecurity Requirements for DoD Contractors

DoD currently imposes cybersecurity requirements on contractors through Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires that the contractor implement the 110 security controls set forth in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 on any information system that processes, stores or transmits Controlled Unclassified Information. On September 29, 2020, DoD issued an interim rule adopting a new NIST SP 800-171 Assessment requirement for contractors, subcontractors and suppliers that must implement NIST SP 800-171, which is effective November 30, 2020 and separate from the CMMC framework. For more information on the new NIST SP 800-171 Assessment requirement, please see our October 20, 2020 Client Alert on that topic.

The CMMC Framework

The September 29, 2020 interim rule also implements in the DFARS the CMMC framework that DoD has been developing over the past two years. The CMMC framework defines 5 cybersecurity maturity levels against which DoD contractors, subcontractors and suppliers will be assessed to determine the extent and maturity of their information systems’ cybersecurity processes and practices. Going forward, Certified Assessors working for CMMC Third-Party Assessment Organizations (“C3PAOs”) will evaluate DoD contractors’ cybersecurity practices and processes to determine their CMMC certification level, and those C3PAO certifications will be effective for up to three years. The CMMC Accreditation Body (“CMMC-AB”), an accreditation entity independent of DoD, is responsible for managing, controlling and administering the CMMC assessment, certification, training and accreditation process for the defense supply chain. The CMMC-AB establishes the criteria or requirements used to certify C3PAOs and Certified Assessors. The CMMC-AB is still in the early stages of accrediting C3PAOs and Certified Assessors, and it has indicated that it intends ultimately to list approved C3PAOs and Certified Assessors on the CMMC-AB website, under its “Marketplace.” Certified Assessors will be approved to certify contractors up to a specific CMMC level, so it will be important for companies seeking to retain the services of a C3PAO to ensure that the Certified Assessor performing the assessment is authorized to certify contractors to the CMMC level you are hoping to achieve.

The CMMC model, and the cybersecurity requirements that correspond to each CMMC level, are available on DoD’s website. Each CMMC level requires a contractor to have implemented an escalating number of cybersecurity practices and processes, with Level 1 being the least onerous and Level 5 requiring the most robust cybersecurity program. For example:

• Level 1 corresponds to the basic safeguarding requirements from Federal Acquisition Regulation (“FAR”) clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and all DoD contractors, subcontractors and suppliers, other than suppliers of exclusively COTS items, will be required to satisfy at least Level 1 for contracts that include CMMC requirements.
  
  
• Level 3 is most similar to DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, as it includes all 110 security controls from NIST SP 800-171, but it also adds a requirement to implement 20 additional security practices and 3 processes not included in NIST SP 800-171.

There are some key differences between the CMMC framework and the existing cybersecurity compliance framework under DFARS clause 252.204-7012. First, there is no “partial credit” under the CMMC: If a contractor cannot demonstrate compliance with all of the security controls, practices and processes mandated for a specific certification level, the contractor cannot be certified at that level, period. A contractor cannot receive certification at the higher level based on a “plan of action” to address shortcomings found during the certification process. 

Second, as the CMMC name implies, its framework is designed to assess the “maturity” of a contractor’s cybersecurity processes by assessing the extent to which certain processes have been “institutionalized”—i.e., embedded or ingrained in the operations of an organization. Thus, the CMMC goes beyond an assessment of whether the contractor has implemented designated security controls (in CMMC parlance, “practices”) in its information system; the CMMC requires the further analysis as to whether the contractor has institutionalized certain “processes” that demonstrate the maturity of the organization’s cybersecurity practices. For example, to achieve a CMMC Level 3 certification, the contractor must establish, maintain and resource a plan to implement the required cybersecurity practices. Simply having adopted a written cybersecurity policy would not be enough; the contractor would need to demonstrate that its cybersecurity plan includes the allocation of resources to implement the necessary practices and train its personnel on them.

Phased Rollout of CMMC

DoD will utilize a phased rollout of the CMMC requirements, and from November 30, 2020 until September 30, 2025, DoD may include a CMMC certification requirement in some solicitations, but will not require CMMC certificates for all contracts. During this phased rollout period, DoD will only require CMMC certificates for contracts “if the requirement document or statement of work requires a contractor to have a specific CMMC level,” and inclusion of a CMMC requirement in a solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

Starting October 1, 2025, all DoD solicitations and contracts valued at greater than the micro-purchase threshold, except those exclusively for COTS items, will identify the CMMC level applicable to the contract and will prohibit award to an offeror that does not have a CMMC certificate at the required level.

If a solicitation requires a contractor to have a specific CMMC level, that solicitation will contain new DFARS clause 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement, which will require the contractor to have a current (not older than 3 years) CMMC certificate at the required CMMC level, and maintain the certificate at the required level for the duration of the contract. The successful offeror for the contract must have a certification from a C3PAO at (or above) the designated CMMC level on file with DoD at the time of contract award. Accordingly, an offeror does not need to have its CMMC certification achieved at the time proposals are submitted, but only at the time of award. 

Subcontractors

DFARS clause 252.204-7021 will require a prime contractor to ensure that its subcontractors and suppliers have the appropriate level of CMMC certification, as determined by the prime contractor, prior to award of a subcontract under a prime contract that includes the clause. The new CMMC clause also will require the contractor to flow down the CMMC clause to its subcontractors, meaning that all subcontractors and suppliers in the supply chain for a DoD contract (other than commercially available off-the-shelf (COTS) suppliers) must have at least a CMMC Level 1 certification or higher, depending on the information they will receive.

DoD Contractors, Subcontractors and Suppliers Should Be Prepared for CMMC Rollout

DoD contractors, subcontractors and suppliers should anticipate needing to obtain CMMC certification from a C3PAO at some point in the not-too-distant future, especially if they already have contracts that require compliance with the NIST SP 800-171 security controls. Whether a company is a DoD prime contractor, subcontractor or a supplier, it should consider taking the following steps to prepare for the eventual requirement of CMMC certification:

• Review draft solicitations and requests for information for future contracts to see whether they mention an anticipated CMMC level for that type of requirement;
  
  
• Review the CMMC model to determine the CMMC level the company currently meets, and any steps needed to meet the anticipated CMMC level that will apply to the company’s type of work (for most companies currently performing contracts subject to DFARS 252.204-7012, that would be CMMC Level 3);
  
  
• Monitor the CMMC Accreditation Body’s website for a list of approved C3PAOs and Certified Assessors that are authorized to perform CMMC assessments and approved to certify your organization to the CMMC Level for which you are seeking to qualify;
  
  
• If the company is pursuing a contract that requires CMMC certification, ensure that the requisite CMMC certification is obtained as soon as possible, as it must be obtained before the award of the contract;
  
  
• Develop internal controls regarding how to flow down future CMMC requirements to subcontractors and suppliers, including (i) determining how best to identify and determine which subcontractors or suppliers will require access to, or may create, CUI under a DoD contract; (ii) using that information to determine and document the basis of designating the appropriate CMMC level for each subcontract or purchase order; and (iii) requiring documentation or confirmation from subcontractors or suppliers that they have been certified to the necessary CMMC level prior to award of a subcontract or issuance of a purchase order;
  
  
• Have discussions with members of the company’s supply chain to determine whether all necessary suppliers will be able to meet the CMMC requirements that will apply to them, and begin to explore alternative sources if certain key suppliers appear unable or unwilling to obtain the required CMMC certification.

To discuss how the new DoD CMMC requirements may impact your business from a government contracts perspective, contact David T. Ralston (dralston@foley.com), Frank S. Murray (fmurray@foley.com), Erin L. Toomey (etoomey@foley.com) or Julia Di Vito (jdivito@foley.com). To discuss how the new DoD CMMC requirements may impact your business from a cybersecurity perspective, contact Jennifer L. Urban (jurban@foley.com) or Samuel D. Goldstick (sgoldstick@foley.com).