Starting in June 2019, the Department of Defense (“DoD”) has been working on a new cybersecurity certification program – Cybersecurity Maturity Model Certification (“CMMC”). The timeline for this new program has been aggressive – version R0.4 was released to the public on August 30, 2019, for comments, version R0.6 is due to be released this month, version 1.0 is due to be released January 2020, the first Request for Information is due to include the certification in June 2020, and the first Solicitations will include this requirement in Fall 2020.
The genesis of the CMMC relates to the overwhelming perception that the self-certifications required pursuant to DFARS 252.204-7012 have failed with regard to small and medium-sized businesses. In other words, many small and medium-sized businesses have submitted proposals and received contracts that include the clause but have made no effort, or only minimal effort, to comply with the 110 controls listed in NIST SP 800-171. DFARS 252.204-7012 requires contractors who receive contracts that contain “covered defense information” (“CDI”) to “implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.” Id. 7012(b)(ii)(A). The question then became: does my DoD contract contain CDI? Unfortunately, the answer has in many cases been quite murky. For some contracts, the contract expressly states that certain information is CDI and describes that information; those are the easy contracts. However, many contracts contain the clause but never provide any other information regarding CDI, and contractors who received those contracts have, according to many in the industry, not implemented any of the NIST SP 800-171 controls. (At the Annual Federal Bar Association Conference this past September, a chart was provided showing that the vast majority of defense industrial base companies had inconsistent cyber hygiene practices, with low-level attacks consistently succeeding.)
DoD published an overview briefing on the CMMC R0.4 (“Briefing”) that describes the Model Framework as part of this initial release. According to the Briefing, the CMMC model framework consists of 18 domains, based on cybersecurity “best practices.” Id. at 8. The domains comprise capabilities, which in turn comprise practices and processes mapped to five levels, CMMC Level 1 through Level 5. Id. Page 9 of the Briefing describes the different levels. At a minimum, every DoD contractor and subcontractor will have to meet at least Level 1 (potentially even sellers of COTS products).
If you want more information regarding the CMMC or would like to discuss this further, contact MWL Counsel Jody Reed.
Part 2 will be published next week!