Department of Defense Cybersecurity Maturity Model Certification Update: New Contract Requirements Coming for the Defense Industrial Base
As we have previously reported, the Department of Defense (DoD) is implementing a Cybersecurity Maturity Model Certification (CMMC) framework—DoD's latest effort to combat cybersecurity vulnerabilities that threaten the Defense Industrial Base (DIB), the US economy and national security. The CMMC is a consolidated framework of cybersecurity controls and practices that apply to contractor-owned and contractor-operated information systems that store or transmit federal contract information (FCI) or controlled unclassified information (CUI).
DoD intends to roll out the CMMC in phases. Those phases include developing assessment and certification procedures and authorities; training stakeholders, including industry, on the CMMC; and incorporating the CMMC into DoD contracts. We summarize here recent developments in CMMC roll-out and implementation in light of the COVID-19 pandemic and the CMMC Advisory Board (CMMC-AB) Memorandum of Understanding (MOU) with DoD executed on March 23, 2020.
These key developments include the following DoD statements and confirmations:
- DoD will implement the CMMC by revising DFARS 252.204-7012, as soon as October 2020, rather than using ad hoc mechanisms such as class deviations or individual contract clauses.
- DoD intends to accept reciprocity for other recognized federal certifications under FedRAMP and the DoD Cloud Computing Security Requirements Guide (SRG).
- DoD will exempt commercial off-the-shelf item suppliers from the CMMC.
Updates on the Implementation of CMMC and the Impact of COVID-19
Prior to the COVID-19 pandemic, DoD expected to begin implementing the CMMC and applying those requirements to contractors and their supply chains in or around March 2020. That process was to start with a "pathfinder" program to allow DoD to determine how the CMMC compliance requirements will impact industry. Contractors could expect DoD to incorporate the CMMC into requests for information (RFIs) beginning in June 2020 with contract awards incorporating the CMMC starting in Fiscal Year (FY) 2021. The CMMC would be phased in over the next five years with the goal of incorporating it into every new DoD contract in FY 2026.
Then COVID-19 hit. DoD initially hoped to avoid delaying the CMMC rollout,[1] and in many cases, DoD has been successful. DoD and the CMMC-AB timely entered into their MOU, which will govern CMMC-AB operations and accreditation requirements.[2] DoD has also indicated that COVID-19 has not delayed training for certified third-party assessment organizations (C3PAOs), which, along with accreditation bodies, are charged with training, certifying and monitoring CMMC assessors.[3]
But as everyone has learned, even the best-laid plans have succumbed to the reality of COVID-19 and its devastating impact on the US and global economies. One open question has been how DoD would implement the CMMC. It seemed that DoD might use solicitation clauses to do so because DoD had not definitively stated whether it would issue a new Defense Federal Acquisition Regulation Supplement (DFARS) clause or potentially revise DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. DoD has recently confirmed that it intends to use the latter approach and implement the CMMC by revising DFARS 252.204-7012 and does not appear inclined to implement the CMMC in the interim through other mechanisms, such as class deviations. DoD expects to complete this rule change in October 2020 and has stated that CMMC requirements will be included in solicitations only after the final rule is issued.
DoD's intent to implement the CMMC by revising DFARS 252.204-7012 raises questions about how DoD will "phase in" the CMMC. DoD has indicated that it will not modify existing contracts to incorporate the CMMC. This will lead to a natural phasing in of the CMMC because contractors will not be required to comply with the CMMC until the contract is recompeted. However, this is only one aspect of DoD's planned phase-in approach. DoD previously suggested that it would initially incorporate the CMMC into only certain solicitations, but the revised DFARS 252.204-7012 will presumably have an effective date, starting from which DoD would be required to include that clause in all covered solicitations, unless of course DoD intends to make multiple revisions to DFARS 252.204-7012 that gradually broaden that clause's applicability (an unlikely approach given statutory rulemaking requirements) or to develop alternative clauses for different types of contracts.
CMMC-AB MOU with DoD
On March 24, 2020, the CMMC-AB and DoD entered into their anticipated MOU. That agreement establishes the responsibilities of the CMMC-AB and DoD as the CMMC is implemented and enforced. As the MOU explains, the CMMC-AB's principal responsibility is to "manage, control, and administer CMMC assessment, certification, training, and accreditation processes with respect to the [Defense Supply Chain (DSC)]."[4] Notably, the CMMC-AB is an independent organization and is not a regulatory or government authority; nor does the CMMC-AB receive any government funding. Rather, DoD has sole authority to administer, maintain, and update the CMMC.
The MOU also indicates that DoD has recognized and intends to implement industry's recommendations that there be reciprocity between the CMMC and other information security programs, including the Federal Risk and Authorization Management Program (FedRAMP) and the SRG.[5] Adopting reciprocity was a central industry objective, particularly for cloud computing, because of industry's position that FedRAMP and SRG requirements generally meet or exceed many CMMC standards.[6] Allowing for reciprocity is expected to reduce compliance burdens and costs. However, the MOU is not a regulation, and industry will need to see DoD's proposed DFARS rule implementing the CMMC to determine whether and the extent to which DoD will allow for reciprocity. That said, the MOU is promising on this issue.
CMMC and Commercial-Off-the-Shelf Item Contractors
DoD's CMMC Frequently Asked Questions (FAQ) initially indicated that the CMMC would apply to "[a]ll companies doing business with the DoD." DoD recently updated its FAQ to exempt commercial-off-the-shelf (COTS) item contractors from the CMMC.[7]
Is Government-wide CMMC on the Horizon?
DoD often spearheads government contracting programs with other agencies adopting the same or similar programs in the future. This is often because DoD is by far the agency that obligates the most funds to federal contracts. For example, in FY2017, DoD obligated more funds to federal contracts than all other agencies combined.[8]
In April 2020, DoD and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) began discussing how CMMC could be applied to companies that contract with civilian agencies.[9] Katie Arrington, DoD's Chief Information Security Officer for Acquisition and Sustainment, stated that CMMC "will become a federal standard for the whole of government rapidly."[10] That same month, CISA confirmed that it will be issuing cybersecurity guidance for non-defense agencies that fall within DHS's 16 critical infrastructure sectors that may adopt many of the CMMC's standards. At least initially, this guidance will be voluntary. Additionally, civilian agencies will likely benefit from the CMMC because civilian agencies often contract with companies that do business with DoD.
* * *
As DoD moves forward with implementing the CMMC, it is important that current and prospective defense contractors expeditiously implement CMMC standards to ensure that they are well-positioned to compete for future defense contracts. Non-COTS item companies that fail to do so will find themselves ineligible to compete for DoD contracts.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Daniel Wilson, DoD Cybersecurity Rollout May Be Delayed By COVID-19, Law360 (May 22, 2020).
Wilson, supra, n.1. CMMC certifications will typically be valid for three years. DoD Frequently Asked Questions (FAQ) No. 15.
See Industry Mar. 26, 2020 Letter to DoD.
DoD FAQ No. 19 ("Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification." (emphasis added)).
Moshe Schwartz, et al., Defense Acquisitions: How and Where DoD Spends Its Contracting Dollars, Congressional Research Service (July 2, 2018), at 2.
Jackson Barnett, CMMC standards for non-defense contractors could be coming, FedScoop (Apr. 16, 2020).