New DoD Cybersecurity Requirements for 2020 – Part 2

In my previous blog, I described the basic requirements for the new Cybersecurity Maturity Model Certification (“CMMC”) program. In this blog, I describe the potential impacts on contractors.

So, what is different about CMMC, and why should every Department of Defense (“DoD”) contractor care? First, unlike the current DFARS 252.204-7012 requirements, this certification will apply to every DoD contractor, including lower-tier subcontractors in the supply chain. Second, this certification will require that the assessment be made by a third party approved by DoD to certify the cybersecurity level a company attains. Thus, each company, as part of its 2020 budget, must include some allocation of costs for potentially becoming more cybersecure and for a third-party auditor to confirm the company’s cybersecurity level.

Unlike a company’s accounting system, a cybersecurity system is a dynamic system that changes every day. A company may review its accounting system once or twice a year to make sure it is compliant or that the system is working properly. However, a cybersecurity system must be continuously monitored. Every time Microsoft, or any other software vendor a company uses, issues a new patch, the company must take action. In some cases, all that is required is to apply the patch and document that it was applied. In other cases, a company may need to create a Plan of Action and Milestones (“POAM”) to address the particular cyber issue.

In Part 1, I discussed the concerns related to many companies “certifying” (which may be an implied certification) that they are compliant with NIST SP 800-171 when, in fact, they may or may not have been fully compliant. This creates the potential for the government to claim that a contractor has submitted false claims. Thus, it is highly recommended that the third-party cyber auditor work under the auspices of the attorney-client privilege. It is very likely that many companies will not be fully compliant with the NIST SP 800-171 requirements. Once the non-compliance has been determined, the contractor may face an action by the government alleging a false claim for every invoice submitted under DoD contracts since December 31, 2017. And while there may be valid arguments regarding why the contractor was not required to be compliant with the NIST standard, it will still cost a company money to defend such allegations. However, if the audit is conducted under the attorney-client privilege, the company gets to control the message.

If you want more information regarding the CMMC or would like to discuss this further, contact MWL Counsel Jody Reed.