Takeaways

DoD has released the final version of the CMMC framework.
DoD anticipates that CMMC requirements will appear in a limited number of solicitations starting in October 2020 and that they will appear in all DoD solicitations by 2026.
DoD officials have emphasized the importance of small and medium contractors complying with CMMC requirements, while recognizing that compliance may be more burdensome for these contractors.

DoD has released the highly anticipated final Model Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework. As we have reported in client alerts in December 2017May 2018October 2018 and December 2019, the development of the CMMC framework is part of DoD’s efforts to enhance the protection of sensitive data within the Federal supply chain. The CMMC framework adds a verification and audit component to DoD’s cybersecurity requirements. It is anticipated that all contractors throughout the DoD supply chain will need to reach some level of CMMC certification if they are to receive future DoD contracts and subcontracts.

Model Version 1.0 of the CMMC framework includes five levels of cyber security maturity. Level 1, Basic Cyber Hygiene is the baseline compliance level and requires contractors to have practices in place that are equivalent to those required by Federal Acquisition Regulation (FAR) 52.204-21 to handle Federal Contractor Information (FCI). Level 2, Intermediate Cyber Hygiene includes a select subset of practices from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (Revision). DoD officials have described Level 2 as a transitional phase during which DoD will assist contractors, especially small contractors, in achieving compliance with Level 3. Level 3, Good Cyber Hygiene, is the level of compliance that contractors must achieve to handle Controlled Unclassified Information (CUI). At this level, contractors must have in place all of the controls from NIST 800-181 (Revised). Level 4, Proactive and Level 5, Advanced/Progressive, add additional controls for contractors working on the most sensitive contracts. These include controls derived from sources such as NIST, the International Standards Organization, the Aerospace Industries Association, the United Kingdom Cyber Essentials, the Austria Cyber Security Center Essential Eight Maturity Model, and others.

In addition to CMMC Model Version 1, DoD has released a draft schedule for calendar year 2020 outlining the time frame of the CMMC rollout. The draft schedule (CMMC Draft Schedule: CY20) states that initial requests for information (RFI) with CMMC requirements will be issued in June 2020 and that initial requests for proposals (RFP) with CMMC requirements will be released in October 2020. During a press briefing regarding the rollout, DoD officials stated that the CMMC rollout will begin with 10 RFIs and 10 RFPs in 2020 and that each contract will involve about 150 subcontractors. DoD officials have emphasized that the full CMMC rollout will be incremental and that CMMC requirements will not appear in all DoD contracts until 2026.

DoD officials have also acknowledged that attaining CMMC certifications may be challenging for small and medium contractors because of the costs and technical requirements involved in reaching CMMC compliance. Although DoD officials continue to emphasize the importance of minimizing the burden of CMMC compliance on small and medium contractors, these officials have explained that such compliance is crucial because small and medium contractors are a major source of both innovative technologies and of cyber vulnerabilities. Therefore, small and medium contractors must endeavor to fully understand the CMMC technical and audit requirements and must begin implementing processes and procedures to meet these requirements sooner rather than later. Failure to achieve CMMC compliance will prevent otherwise qualified contractors from receiving future DoD awards.