DoD’s New Contractor Cybersecurity Certification Policy – Key Takeaways

The Department of Defense (DoD) recently finalized the 1.0 version of its Cybersecurity Maturity Model Certification (CMMC), which seeks to improve defense industrial base (DIB) supply chain security by certifying defense contractors’ cybersecurity practices. The new framework will begin impacting new DoD contracts later this year.

The initial announcement and draft framework that was released last June included limited details beyond that there would be multiple certification/maturity levels based on third-party assessments and that all DoD contractors would require a CMCC certification for contract eligibility. Now after multiple drafts circulated for public comment and dozens of meetings and working group sessions with industry and other stakeholders the Office of the Under Secretary of Defense for Acquisition & Sustainment OUSD(A&S) has refined the model with additional details on how it will be implemented.

CMMC Key Details

The full CMMC Model v1.0 is publicly available, but here is a summary of the most important details.

• CMMC will be included in a DFAR update to come in late spring or early summer 2020.
• CMMC requirements will be included in new contract competitions and not applied retroactively to contracts already awarded. So under the general contract pattern of one base year plus 4 extensions, the DoD expects to roll out CMMC between FY 2021 and FY 2026 as current contracts progress through their traditional lifecycle.
• CMMC will be included in a handful of select Requests for Information (RFIs) in June 2020 and in corresponding Requests for Proposal (RFPs) in September 2020, once the DFAR is updated. These RFIs/RFPs will designate specific CMMC certification levels that are required. Expect roughly 10 of each and expect them to cover most if not all of the certification levels. (See below.)
• CMMC will be included as a technical requirement on Other Transaction Authority (OTA) acquisitions and others that fall outside of the DFAR.
• The OSD and the service acquisition executives (SAE) are working to identify several pathfinder projects for the future RFI/RFPs for CMMC inclusions. These will most likely focus on critical priorities like nuclear modernization, missile defense and similar national defense and security elements. It is unclear which, if any, information technology programs will be included.
• CMMC training is under development with the Defense Acquisition University (DAU) and is expected to be available in June to correspond with the initial RFIs.
• The specific CMMC certification will be required at time of contract award. (Note: this is a moderation of the original plan to require certification at the time of proposal submission in order to be considered on the competition.)
• The CMMC Accreditation Body (AB), with 13 members from the DIB, cybersecurity industry and academia was established earlier in January to oversee the training, quality and administration of the individual CMMC third-party assessment organizations (C-3PAO) who will perform the role of certifying DIB companies in CMMC levels.
• DoD is currently drafting a memorandum of understanding (MOU) with the AB with roles, responsibilities and rules, including conflict of interest (COI) rules that will prevent an assessor from certifying their own company.
• C-3PAOs are currently being vetted with the hopes them being certified in the March or April 2020 timeframe. After the CMMC AB certifies C-3PAOs companies will be able to schedule CMMC assessments for specific levels through a CMMC marketplace portal.
• Small business certification and support is a key focus for the DoD and OUSD(A&S) is working with industry to streamline and control associated costs to expedite certifications and limit financial burdens. (Certification-related expenditures will be an allowable cost on DoD contracts.)
• CMMC Certification Levels 1 through 5 integrate progressive cybersecurity practices and processes and build on each other as an organization matures its cyber-posture.
  • Level 1 addresses basic cyber hygiene practices that simply protect federal contract information (FCI) (e.g. use of antivirus software and password expiration/changing rules.) Level 1 is for companies that do not touch government Controlled Unclassified Information (CUI).
  • Level 2 designates intermediate cyber hygiene and is a transition phase to create security processes and document them in preparation for handling CUI. Level 2 is also intended to help small businesses to mature their cybersecurity.
  • Level 3 is for any contractors that have CUI touch their systems. Currently under current DFAR clause 252.204-7012 these firms are self-attesting that they have implemented all 110 NIST 171-110-Rev1 controls (i.e. protecting CUI). CMMC certification will replace this self-certification and be included in the forthcoming DFAR update. The progression from Level 1 to Level 3 is significant as companies will move from 17 cybersecurity controls to 110.
  • Levels 4 and 5 are for “critical technology companies” to ensure the NIST controls are reviewed and optimized.
• The previously expected flow-down requirement where all subcontractors would be required to have the same level of certification as their prime appears to be off the table, IF the sub does not touch CUI. That said, all contractors will need Level 1 certification, but subs that do not process CUI on a contract where the prime does will not be required to reach the same Level 3+ certification like the prime. DoD says they recognize that cybersecurity is not one-size-fits-all.

Overall there are no major surprises in the final release of CMMC, which is largely due to the frequent communication and high degree of industry engagement by the DoD. It is noteworthy that the DoD adjusted some of their initial expectations, plans and timelines from their original draft proposal to adjust to the complexity and scope of the endeavor. Further, they are working to mitigate unnecessary costs and disruptive burdens to DIB suppliers, especially small and mid-size companies. That said, the DoD leadership responsible for CMMC has been clear that while they seek to minimize its impacts to industry they will not do so at the cost of national security.

Current and potential defense contractors that have yet to take note of CMMC and engage with the OUSD(A&S) – and now the CMMC AB – must get off the sidelines or risk being left there. While full CMMC implementation will take several years, these new contracts will be awarded piecemeal over the time horizon. Failure to begin preparing now may jeopardize a company’s competiveness sooner than they realize.