Business concerns working with the Federal Government typically must store government information on their information technology (IT) systems as required to perform the contract. Doing so imposes a number of contractual obligations upon the contractor to protect and safeguard “federal contract information” (FCI) or “controlled unclassified information” (CUI) from cyber attacks or other data security breaches.
Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (DEC 2019), mandates that a defense contractor’s (and its subcontractor’s) IT system provide “adequate security” when it processes, stores, or transmits covered defense information (CDI) in performance of a defense contract. CDI is defined and distinguished by an extensive list of categories available at https://www.archives.gov/cui/registry/category-list. The DoD must mark or identify in the contract any CDI provided to the contractor. Compliance with the clause, which does not apply to contracts for commercial-off-the-shelf purchases, requires implementation of the security requirements for protection of CUI in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 current at the time of the solicitation. NIST SP 800-171 lists 110 IT security controls that many defense contractors find difficult to attain despite the mandate. Primes must flow down this clause to their subcontractors if performance will involve CDI. Further, DFARS 252.204-7008 provides that a contractor’s submission of an offer serves as its representation of compliance with DFARS 252.204-7012 (and NIST SP 800-171). Currently, the DoD does not monitor a contractor’s compliance with the clause; rather, contractors self-regulate compliance with the clause and the 110 NIST controls. This will all change very soon.
In an effort to strengthen and provide basic, uniform safeguard standards for government CUI and FCI (the latter as specified in FAR 52.204-21) in the hands of defense contractors, while prompting improvements to their IT systems’ cybersecurity, DoD developed the Cybersecurity Maturity Model Certification (CMMC) program. Collaboratively created by stakeholders consisting of the DoD and the Defense Industrial Base (DIB), among others, the CMMC is aimed at building upon the existing cybersecurity mandates in DFARS 252.204-7012 and NIST SP 800-171 rev. 2, while combining them with the 15 less restrictive requirements in FAR 52.204-21. Simply put, the “CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to its subcontracts in a multi-tier supply chain.” Last month, DoD released CMMC Version 1.02, which sets forth its framework for five certification levels of cybersecurity health to protect FCI and CUI. The certification verifies that a contractor has implemented appropriate processes and practices commensurate with the requisite cybersecurity maturity level. The five maturity levels rate a contractor’s existing cyber hygiene program by its ability to reduce the risk of various cyber threats and attacks against vulnerabilities in the contractor’s IT system. Each higher level is cumulative, such that the contractor must demonstrate the requisite processes and practices for the specified CMMC level and all preceding lower levels to support its current certification level.
The CMMC model consists of 17 security-related “domains,” such as system “access control,” “risk management,” or “physical protection.” Each domain consists of certain processes and capabilities that span the five certification levels. In total, there are 43 capabilities associated with the 17 domains, and 171 practices (i.e., controls) that also span the five certification levels. For instance, Level 1 certification is achieved when a contractor’s IT system demonstrates basic cyber hygiene by meeting 17 practices. It serves to satisfy all the safeguarding requirements in FAR 52.204-21 for FCI. Most federal subcontractors will need at least a Level 1 certification to perform a government contract and protect FCI. If the DoD contract involves CUI, however, the contractor, and possibly its subcontractor, will need to be certified at CMMC Level 3. This certification level demonstrates “Good Cyber Hygiene” through implementation of 130 cybersecurity practices, including all controls in NIST SP 800-171, revision 1, plus 20 more good cyber hygiene practices. Level 2 merely serves as a transition step between Levels 1 and 3, but for certification at Levels 4 (Proactive) and 5 (Advanced / Progressive), the prime contractor and subcontractor must demonstrate protection of CUI and practices that reduce the risk of Advanced Persistent Threats. Certification at these levels will require that the contractor’s IT system implement from 156 to 171 cybersecurity practices.
A third-party nonprofit selected by the DoD will serve as the accreditation body that develops the standards for assessing a contractor’s certification. Certification itself will be bestowed by assessors from “Certified Third-Party Assessment Organizations,” or C3PAOs, approved by the CMMC accreditation body. These assessors will evaluate a contractor’s IT system and assign the certification level, which will be valid for three years. Certification will be prospective and not retroactive for current contracts. In June 2020, the DoD plans to issue requests for information for its first contracts requiring that contractors meet CMMC certification by award. In September 2020, the DoD hopes to publish requests for proposal (RFPs) for these contracts.
It remains to be seen how DoD’s CMMC process will evolve over time from these initial RFPs and awards. What is certain is that more information is required on how DoD will implement and administer the CMMC program, how contractors will be assessed for initial certification, and how this will be integrated into the procurement process from formation to administration. Defense contractors would be wise to review their internal cybersecurity system protocols now against the requirements of FAR 52.204-21, DFARS 252.204-7012, the current NIST SP 800-171, and the proposed CMMC certification levels, and to determine what is required to achieve the minimum CMMC level needed to remain competitive for DoD procurement opportunities in the future. For more information on the DoD CMMC, see https://www.acq.osd.mil/cmmc/draft.html.