
As we’ve written in the past, the Department of Defense is in the midst of rolling out a new five-tier standard for cybersecurity—the Cybersecurity Maturity Model Certification or CMMC—that the DoD seemingly hopes will become the standard for other federal agencies. Recent events support that thinking. Last week the CMMC standard finally made its first appearance in a federal solicitation, but it was one issued by a different agency than most might expect.

The request for contractors to “monitor, prepare for and participate in acquiring [a] CMMC certification” came from the General Services Administration in its Request for Proposals for the 8(a) Streamlined Technology Acquisition Resource for Services (STARS) III government-wide IT contract. The RFP reserved “the right to require CMMC Level 1 certification as mandatory [for contractors] to be considered for the 8(a) STARS III option” and certain other opportunities. The unexpected requirement is notable not only because the GSA beat the DoD to the punch with this requirement but also because the GSA appears to have independently decided to incorporate the new standard without any coordination with the DoD.

In fact, the DoD itself actually planned to wait until the updates to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 were complete before including the CMMC standard in its own contracts and RFPs. But when discussing the GSA’s decision to adopt the standard for its requirements, the DoD’s Chief Information Security Officer and the lead for the CMMC program, Ms. Katie Arrington, expressed her belief that CMMC could quickly become a federal requirement and even an international standard. Indeed, there are some suggestions that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and other unnamed federal agencies may also be following the progress of CMMC’s development and could certainly join the GSA in the future, either by adopting the CMMC standard outright or requiring another civilian standard.

For these reasons, federal contractors for any agency may want to pay attention to the way the DoD’s release of the CMMC progresses and consider whether complying with the new standard may be worthwhile even if they do not presently perform any DoD work. So far the DoD has continued on its path toward implementing CMMC with little delay.

The latest updates from the DoD and the CMMC Accreditation Body (CMMC-AB), which will be responsible for certifying the CMMC assessors that will, in turn, certify contractors, have either revealed or confirmed several notable details.

The Details

CMMC standards will apply to all DoD contractors and subcontractors, but there is one notable exception.

Eventually all of the approximately 300,000 DoD contractors and subcontractors in the Defense Industrial Base using any “unclassified networks that handle, process, and/or store Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)” will need to comply with the CMMC standards in order to obtain a DoD contract. The requirement will also apply to subcontractors, whose required CMMC level will be based on the level of information that they handle rather than the CMMC level of the prime contract that they support.

The latest information makes clear, however, that suppliers furnishing only commercial off-the-shelf (COTS) items will be exempt from the new standards and will not have to achieve any level of CMMC certification.

CMMC certification will generally last for 3 years.

Under the current plan most contractors will be able to use their CMMC certifications for three years, but a cybersecurity incident may require a company to obtain an earlier re-assessment.

The DoD plans to spend the next 5 fiscal years (“FYs”) rolling out the new standard.

The DoD expects to release 15 initial “pathfinder” contracts and to certify 1,500 contractors in FY 2021, intending to adjust on the basis of those initial assessments and certifications as it expands the program over the next five fiscal years. As mentioned above, the DoD plans to include the CMMC requirements in RFPs after the final DFARS Rule 2019-D04 that will officially implement the CMMC standards goes into effect.

The current expectation is that this will happen in November 2020, but no awards of those contracts are likely in this calendar year. While the CMMC certifications will not be necessary until the time of award, contractors should be able to start applying for certification soon. The CMMC-AB expects the first group of assessors to graduate by early August.

The CMMC-AB has already put out several iterations of guidance outlining the requirements for CMMC certification.

On January 30, 2020, the CMMC-AB released a draft model of the requirements for each level of CMMC. An updated version with minor changes was released on March 18, 2020. The requirements consist of 17 domains (different areas requiring security measures), which further contain five different levels of processes and 43 capabilities, which then fall into 171 individual practices.

The existing guidance still fails to address some aspects of the CMMC certification process, such as how contractors will be able to challenge unfavorable assessments or resolve disagreements with specific findings in the reviews. The CMMC-AB has stated, however, that it is working to develop an adjudication process that it hopes will alleviate those concerns.

Where does all of this leave contractors?

While there are no final CMMC requirements yet and contractors still cannot even apply for a certification, there are some steps that contractors can take to be ready as soon as those final requirements come out. Contractors for any agency are likely to benefit from being able to comply with the CMMC standard—even more so during the early years of implementation while there is a lack of CMMC-certified contractors and subcontractors.

The CMMC-AB’s most recent version of the model requirements does not necessarily contain everything that the assessors will eventually require of contractors for certification, but it does offer a good guide. Because the CMMC Level 3, for example, is close to the requirements with which DoD contractors already have to comply under DFARS 252.204-7012, that may be a good place for most future applicants to start. Then again, an early step toward achieving any CMMC Level of compliance is likely a good one.

Originally published at Smith Currie