Takeaways

In response to the theft of hundreds of billions of dollars’ worth of sensitive data due to malicious cyber activity, DoD has started rolling out a certification program known as CMMC to certify the cybersecurity maturity of DoD contractors and their supply chain.
Companies throughout the DoD supply chain will need to be certified if they are to receive, and potentially continue to perform, DoD work that requires the possession of sensitive but unclassified information.
Volume 1.0 of the CMMC Model is anticipated to be released in January 2020 and to take effect in June 2020.

DoD is in the process of developing the CMMC framework in order to enhance the protection of sensitive data within the Federal supply chain. As we previously reported in client alerts of December 2017, May 2018 and October 2018, DoD’s efforts to enhance these protections began with the implementation of the DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. This sensitive data includes Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The CUI Registry provides information on the specific categories and subcategories of CUI. FCI is information that is not intended for public release and is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

As the latest draft of the CMMC Model (version 0.6) explains, “[t]he theft of hundreds of billions of dollars of intellectual property (IP) due to malicious cyber activity threatens the U.S. economy and national security.” According to DoD, the majority of this IP theft is attributable to insufficient cybersecurity maturity and ineffective implementation of controls necessary to protect CUI and FCI. DoD has identified, and independent industry organizations have agreed, that the self-certification requirements currently employed to establish cybersecurity within the defense industrial base have been insufficient to protect this sensitive data. Because CUI and FCI are shared with defense contractors and their supply chain, DoD is aiming to make cybersecurity a foundation of all DoD acquisitions. To that end, DoD is working to develop the CMMC certification process in order to measure the ability of entities to protect sensitive information. Entities that are not certified at the required level will not be awarded new contracts that require them to generate or store CUI or FCI, and they potentially will not able to continue performance of existing contracts.

The CMMC framework will be used to certify contractors’ compliance with various cyber security requirements from a variety of sources. Under this framework, independent third-party assessment organizations will audit contractors’ cyber security compliance and will certify a contractor’s maturity level. The latest draft of the CMMC Model states that CMMC will consist of five maturity levels ranging from Level 1, Basic Cyber Hygiene to Level 5, Advanced/Progressive, with a Level 3 roughly equating to all of the current requirements of NIST SP 800-171r1. Importantly, any entity that will receive CUI or FCI, including subcontractors or suppliers at any tier, will need to be certified at the applicable maturity level. The cost of certification is not yet known; however, DoD anticipates that assessments for lower-level certifications will be less expensive than assessments for higher level certifications. Although DoD is considering ways to minimize costs to enable small businesses to come into compliance with certification requirements, DoD is not planning to grant CMMC waivers or to exempt any groups of businesses from the requirements.

On November 7, 2019 DoD released the latest version (version 0.6) of the CMMC Model. The final model is anticipated to be released in January 2020 to support training requirements. In June 2020, contractors will begin seeing CMMC requirements in DoD Requests for Information. By Fall 2020, contractors will encounter CMMC requirements as go/no-go evaluation criteria in DoD solicitations. In preparation for CMMC implementation, contractors should review the latest draft CMMC Model and begin taking steps to implement the requirements for their desired certification level. Failure to certify at the appropriate level will disqualify contractors from award of new DoD contracts and potentially could prevent continued performance of current contracts.