The Pentagon Issues the Acquisition Rule for its New Contractor Cybersecurity Certification Program

Published: October 01, 2020

Federal Market Analysis, Acquisition Reform, Cybersecurity, DEFENSE, Policy and Legislation, Subcontracting

The Pentagon has issued a new interim acquisition rule to clarify how it will implement its new Cybersecurity Maturity Model Certification framework.

On September 29 the Department of Defense (DoD) issued an interim rule under the Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041). The interim rule is a much anticipated element of the DoD's implementation of its new Cybersecurity Maturity Model Certification (CMMC) framework and sets out the contractor cybersecurity requirements for new defense contracts.

Observations and Implications

One immediate observation is that DoD released the rule as an interim rule rather than as a proposed (i.e. draft) rule. In some ways that is not a huge surprise, since DoD has said from the outset that it is committed to the CMMC program. Then again, the terminology DoD had been using was "draft rule," on which industry could comment before the Pentagon issued its final rule. The difference may have no real impact (I am not a contract attorney), but in a context where terminology and set expectations really matter, these things get noticed. The practical difference is that an interim rule takes effect while comments are still being collected: the interim rule takes effect on November 30, 2020, and comments must be submitted in writing to DoD on or before November 30 to be considered in the formation of a final rule, which presumably will be released by the end of calendar 2020.

Some of the questions posed by defense industrial base (DIB) companies focus on whether CMMC will apply to commercial-off-the-shelf (COTS) products. Another big question has been whether cloud service providers that have already spent time, effort and money to obtain FedRAMP authorizations will also need to expend resources to obtain CMMC certification on top of FedRAMP, or whether there will be reciprocity between the CMMC and FedRAMP programs.

DoD addressed the COTS question explicitly in the interim rule. CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items, "excluding acquisitions exclusively for COTS items…" Note the word "exclusively": a contract that bundles COTS products with services or with non-COTS items is not excluded. However, DoD did not discuss the CMMC-FedRAMP reciprocity issue, which may mean it is still working out how to accomplish that, or that it has determined the issue is either out of scope for the current rule or will require a separate DFARS rule.

A Federal News Network article draws attention to several issues that caught the attention of contract lawyers and others in the federal market community who have been closely watching the development of CMMC. Possibly the biggest issue is what appears to be an unanticipated addition to the rule: contractors that handle controlled unclassified information must have a current assessment, under the NIST SP 800-171 DoD Assessment Methodology, of how they have implemented the security requirements of National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (already required by DFARS clause 252.204-7012). The Basic assessment is a self-assessment whose score the contractor reports to DoD; the Medium and High assessments are conducted by the government. The assessment requirement appears to overlap the CMMC assessment requirement and was not anticipated by many CMMC watchers. DoD does say in the rule that "the NIST SP 800-171 DoD Assessment Methodology provides a means for the Department to assess contractor implementation of these requirements as the Department transitions to full implementation of the CMMC" (emphasis added). That inclusion is not insignificant in a five-year CMMC implementation timeline, since firms may need to expend resources to comply with the 800-171 assessment requirement in addition to obtaining CMMC assessments.

The interim rule also leaves some ambiguity as to how prime contractors will flow down the CMMC security requirements to their subcontractors. As the program has evolved there has been some discussion about whether subs would be able to hold a less stringent CMMC level than the prime contractor, based on the scope of work or the information processed by the sub. The interim rule requires primes to include the CMMC requirements clause(s) in all subcontracts and other contractual instruments. Primes are also required to ensure, prior to awarding a subcontract, that the subcontractor has a current CMMC certificate "at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor" (emphasis added). This appears to leave it up to the prime contractor to determine the CMMC level appropriate for each subcontract, and some have noted that this could be an area of risk exposure for the prime contractor if DoD takes issue with the CMMC level the prime chose.

Overall, the interim rule for CMMC is a welcome and much anticipated step in bringing the program to fruition. The comment period is open for several weeks, so vendors have an opportunity to provide input into the final rule. Take advantage of that opportunity.