On January 30, 2020, the Department of Defense ("DOD") released its Cybersecurity Maturity Model Certification ("CMMC") v.1.0, after releasing several draft versions of the document over the past year. In an effort to enhance supply chain security, the CMMC sets forth unified cybersecurity standards that DOD contractors and suppliers must meet to participate in future DOD acquisitions. Select Requests For Proposals ("RFPs") may include the CMMC requirement later this year, but widespread use is not expected until 2026. Through the CMMC, DOD adds cybersecurity as a foundational element to the current DOD acquisition criteria of cost, schedule, and performance.
We previously discussed DOD's proposed CMMC approach in June 2019. As a reminder, the current cybersecurity model under DFARS 252.204-7012 requires contractors to self-certify that they meet certain requirements. By contrast, the CMMC requirement involves a certification process based on review by a third-party assessment organization. Eventually, DOD plans for each RFP to specify the required CMMC level for that acquisition, creating a "go/no-go" decision based on whether the contractor meets the certification level at the time of award.
Importantly, all companies doing business with the DOD, regardless of their size or function, will have to obtain certification. However, recognizing security is not a "one size fits all," the required CMMC level for a prime contractor may be different than the CMMC level for subcontractors further down the supply chain. For example, if the program involves Controlled Unclassified Information ("CUI"), the prime contractor likely will need to have at least a CMMC Level 3. However, if a subcontractor is not touching CUI, it may only need to have a CMMC Level 1.
The CMMC Accreditation Body ("AB") is a private, non-profit organization charged with selecting and training CMMC third-party assessment organizations ("C3PAOs"). The C3PAOs ultimately will be responsible for assessing and certifying contractors. Certifications will be good for three years, and they are company-specific, meaning once a company is certified, any DOD branch or agency will accept the certification. The DOD and AB currently are drafting a CMMC Memorandum of Understanding ("MOU") that will outline the parties' rules, roles, and responsibilities.
CMMC Maturity Levels
The CMMC includes five levels of certification, with five being the highest or most secure. The levels are cumulative; they measure maturity and describe a set of practices and processes according to the type and sensitivity of the information, and the associated range of threats. This table provides a snapshot of the focus areas, number of practices, and requirements at each level:
Source of information: CMMC v.1, Sec. 2.7.1, available at https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf
The DOD has expressed its commitment to a "crawl, walk, run" approach to implementing the CMMC. FY 2020 is expected to be a busy year, and upcoming events include the release of some initial RFIs with CMMC requirements, and initial training across the various CMMC levels. Some RFPs may contain the CMMC requirement as early as FY 2021. These initial RFPs will focus on certain priority areas, including missile defense, nuclear modernization, Other Transactions Agreements ("OTAs"), Small Business Innovation Research ("SBIR") programs, and Small Business Technology Transfer ("STTR") programs. Overall, DOD is anticipating a five-year rollout period, with all new DOD contracts containing the CMMC requirement beginning in FY 2026.
Any company doing business with DOD will need to comply with CMMC requirements. Companies should review current CMMC materials, track new releases, and aim to comply with the requirements in preparation for a C3PAO audit, as soon as possible.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.