By Lori Ann Lange
Changes related to the COVID-19 crisis and the construction and surety industries are still occurring; some data in this article may have changed from the time of article submission and the publication date.
As contractors (and subcontractors) doing business with the Department of Defense (DoD) should be aware, DoD remains very concerned about protecting sensitive information, such as controlled unclassified information (CUI) and covered defense information (CDI), from cyberattacks. For several years now, DoD has required contractors that have access to CUI/CDI to comply with the security and cyber incident reporting requirements specified in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. DoD contractors that may have CUI/CDI residing on or transiting within their systems are required to implement an adequate cyber security based primarily on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Recently, DoD has begun expanding its cybersecurity requirements through the Cybersecurity Maturity Model Certification (CMMC) Program. CMMC builds upon the requirements of DFARS 252.204-7012 and NIST SP 800-171 and establishes maturity levels that range from basic cyber hygiene to advanced practices that contractors, depending upon the type of work they perform, will need to meet. CMMC is not intended to and will not replace DFARS 252.204-7012 or NIST SP 800-171.
What is CMMC?
CMMC is a certification program established by DoD in consultation with key DoD stakeholders, including the University Affiliated Research Centers, Federally Funded Research and Development Centers, and the Defense Industrial Base sector. It is designed to measure a contractor’s ability to protect CUI as well as a class of information known as Federal Contract Information (FCI). FCI is a category of information that is less sensitive than CUI and that is provided by the government or generated by a contractor for the government under a DoD contract. Like CUI, FCI is not intended for public release.
In January 2020, DoD issued the CMMC Model v.1.0. The CMMC Model was updated as CMMC Model v.1.02 in March 2020. The CMMC Model is available at https://www.acq.osd.mil/cmmc/.
As DoD has described it, CMMC is a unified cybersecurity standards for future DoD acquisitions. CMMC combines various cybersecurity standards and best practices to reduce the risk of cyber threats. CMMC measures a contractor’s cybersecurity maturity to determine the contractor’s specific level of maturity and thus its ability to receive CUI and FCI.
CMMC organizes processes and cybersecurity best practices into seventeen domains. Each domain is a different area of cybersecurity concern. The domains are: (1) Access Control; (2) Asset Management; (3) Audit and Accountability; (4) Awareness and Training; (5) Configuration Management; (6) Identification and Authentication; (7) Incident Response; (8) Maintenance; (9) Media Protection; (10) Personnel Security; (11) Physical Protection; (12) Recovery; (13) Risk Management; (14) Security Assessment; (15) Situational Awareness; (16) System and Communications Protection; and (17) System and Information Integrity. Each domain has key sets of capabilities required for cybersecurity.
Each domain also has processes and practices, which are the activities required by the contractor to achieve a capability. Processes are the plans the contractor has in place concerning cybersecurity and related systems. Practices, on the other hand, are the actions the contractor takes to implement cybersecurity. The processes and practices that a contractor has to meet depend upon the CMMC level.
When Does CMMC Take Effect?
CMMC is being rolled out in a phased basis over five years. Originally, the plan was for CMMC requirements to begin appearing in ten selected Requests for Information (RFIs) beginning in June 2020. Through these RFIs, DoD will seek information from contractors regarding the appropriate CMMC level for different types of procurements.
DoD had planned to amend the DFARS to address CMMC in June 2020. However, this schedule has slipped due to the requirement to have a public meeting before the rule is issued. DoD now expects to publish the new DFARS rule in the Fall of 2020.
Beginning in the fall of 2020, DoD plans to include CMMC requirements in a few selected solicitations. CMMC phase-in will continue during FY 2021-2026. By the end of FY 2026, CMMC requirements will be in all DoD solicitations and resulting contracts. DoD has advised that CMMC will apply to new contracts only and that it does not plan to modify existing contracts to include CMMC.
How Does CMMC’s Certification Requirement Differ From DFARS 252.204-7012?
One key feature of CMMC is the change from voluntary certification to third-party assessments. Under the current cybersecurity regime, contractors subject to DFARS 252.204-7012 perform a self-assessment and self-certify their compliance with NIST SP 800-171. Under CMMC, contractors can no longer self-certify. Instead, contractors must be assessed by third-party organizations known as Certified Third-Party Assessment Organizations (C3PAOs) before they can be certified to the appropriate level. One apparent reason for this change is DoD’s concern that many DoD contractors subject to DFARS 252.204-7012 still are not fully compliant.
Another key feature is the apparent elimination of the contractor’s ability to rely on Plans of Action and Milestones (POAMs) to demonstrate compliance with cybersecurity requirements. POAMs are plans developed by contractors that identify areas where the contractor is not yet fully compliant with cybersecurity requirements, such as NIST SP 800-171. They generally outline the measures the contractor still has to take to become compliant and the time to complete them. Under DFARS 252.204-7012, contractors may have a POAM in place and still comply with DFARS 252.204-7012. This is expected to change under CMMC. DoD has indicated that contractors must be fully compliant with the requirements specified for the CMMC level to be certified to that level.
What Are the CMMC Levels?
CMMC has five levels, each with its own set of processes and practices. Each level builds on the previous level. Contractors will be certified to a specific level depending upon their cybersecurity processes and practices.
Level 1 (Basic Cyber Hygiene) is essentially equivalent to the standards required under FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. It requires the contractor to meet seventeen practices, including limiting information system access to authorized users; authenticating or verifying the identities of users and devices before allowing them access to information systems; sanitizing or destroying information system media containing FCI before disposal or reuse; and providing and updating malicious code protection.
DoD has stated that Level 1 should be similar to the types of protections many people use in their private lives such as virus protection software and strong passwords. It is anticipated that the majority of DoD contractors will only have to be certified to Level 1.
Level 2 (Intermediate Cyber Hygiene) is the stepping stone between Level 1 and Level 3. It requires the contractor to meet seventy-two practices—Level 1’s seventeen practices plus an additional fifty-five practices. These additional fifty-five practices are a subset of the NIST SP 800-171 practices required to protect CUI. DoD anticipates that Level 2 will not be used often.
Level 3 (Good Cyber Hygiene) is equivalent to NIST SP 800-171. Level 3 encompasses all of the security requirements in NIST SP 800-171 as well as additional practices. Contractors that have access to or create CUI will have to have at least a Level 3 certification. Level 3 requires the contractor to meet 130 practices—Level 2’s seventy-two practices plus an additional fifty-eight practices. DoD anticipates that a number of contractors will need to be Level 3 certified.
Level 4 (Proactive) focuses on protecting CUI from what DoD calls Advanced Persistent Threats (APTs). Level 4 requires the contractor to meet 156 practices—Level 3’s 130 practices plus an additional twenty-six practices. These additional twenty-six practices enhance the contractor’s detection and response capabilities to address and adapt to APTs’ changing tactics, techniques, and procedures.
Level 5 (Advanced/Progressive) similarly focuses on protecting CUI from APTs. Level 5 requires the contractor to meet 171 practices—Level 4’s 156 practices plus an additional fifteen practices. These fifteen practices increase the depth and sophistication of cybersecurity capabilities.
Who Must Be Certified?
DoD contractors and subcontractors at all tiers must be certified to at least Level 1, except for contractors and subcontractors that sell commercial off-the-shelf (COTS) products. When fully implemented, CMMC will require that every DoD solicitation specify a specific certification level required of the contractor. The contractor must be certified to at least the specified level in order to be eligible for contract award. CMMC certification will be a Go/No Go decision in covered solicitations.
DoD has advised that contractors may have “enclaves” such as segments, business units, etc. within the company. These enclaves may be certified to different CMMC levels. However, the enclave being awarded the contract and performing the work must be at least certified to the specified CMMC level.
Subcontractors (except COTS product suppliers) will need to be certified to some level. However, not all subcontractors necessarily will need to be certified to the same level as the prime contractor. The subcontractors’ level of certification will depend, at least in part, on the type of work to be performed by the subcontractor and whether the subcontractor will have access to CUI. It is anticipated that the CMMC rule will address how subcontractor CMMC compliance will be determined.
The CMMC Accreditation Body will certify C3PAOs and maintain a list of certified C3PAOs. Contractors will be responsible for contacting a certified C3PAO, which will assign an assessor to the contractor. The assessor will conduct the assessment and determine whether the contractor may be certified to a specific level. Certifications are expected to be valid for three years. Whether the contractor has the right to appeal an assessor’s determination is not yet known but may be addressed in the upcoming CMMC rule.
As of the writing of this article, the cost of a CMMC assessment has not been determined. It is likely that the cost will depend upon the level of certification and probably the contractor’s state of preparedness. DoD has stated that the cost should be reasonable and will be an allowable cost under the Cost Principles.
What Should DoD Contractors Do Next?
Companies that do business with DoD—either as a contractor or a subcontractor—should begin to planning for CMMC. Some of the actions companies should take include the following:
- Evaluate the CMMC level you think you might need. Review your existing contracts to determine whether you had access to CDI/CUI. If your contracts require access to CDI/CUI, you can anticipate that you will need to be certified to at least Level 3. If you do not require access to CDI/CUI, you probably only need a Level 1 certification.
- Review and discuss the CMMC Model, especially the processes and practices, with your IT department or personnel. Review your existing cybersecurity program against the CMMC processes and practices. Understand where you may fall short and the steps you need to take to meet the CMMC requirements. Implementing the required processes and procedures likely will take a significant investment of time and money so you do not want to wait until there is a solicitation with a CMMC requirement that you want to bid on to get started.
- Consider whether you should have a pre-assessment performed. Many consulting companies can perform CMMC pre-assessments that will identify deficiencies in your cybersecurity program.
Lori Ann Lange is Chair, Government Contracts Practice in the Washington, DC office of the law firm Peckar & Abramson. She specializes in government contract law, bid protests, and corporate compliance counseling. She represents a range of government contractors, including construction contractors, major defense contractors, informational technology contractors, and service contractors. She can be reached at email@example.com or 202.293.8815 ext. 7103.
Find Out More
Access this NASBP Virtual Seminar on cybersecurity in the construction industry: https://learn.nasbp.org/p/CybersecurityConstructionIndustry. Access other NASBP Virtual Seminars here: https://learn.nasbp.org/. Access free NASBP Podcast episodes here: https://letsgetsurety.org/episodes/.