The cybersecurity posture of government contractors was an area of intense focus and ongoing regulatory development for the federal government in 2021. The coming year will also include many anticipated cybersecurity-related changes and developments. Below we highlight just a few.
The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Program was developed with the goal of fortifying the cybersecurity of the defense industrial base. As originally designed in 2019, CMMC contemplated third-party review of the IT systems of all DoD contractors, with those systems to be rated at security levels ranging from 1 to 5, and the security requirements increasing in rigor based on the nature of the information to be accessed, stored, and processed on the relevant systems.
The CMMC interim rule went into effect on November 30, 2020, with a final rule originally expected in 2021. Among other things, that rule required DoD contractors that handle controlled unclassified information (CUI) to register in the Supplier Performance Risk System (SPRS) and report assessment scores in accordance with the DoD Assessment Methodology (based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171). This process gained traction in 2021 and remains in effect. The nature of CMMC, however, has changed rather significantly.
In response to growing pressure from defense contractors, and faced with the daunting task of third-party certification of the entire defense industrial base, DoD partially reversed course in November 2021 and instead announced a revised CMMC 2.0 framework. Under the new framework, only three levels will be used, and those companies seeking Level 1 certification will now be able to annually self-assess and attest to compliance. Entities seeking Level 2 certification can self-assess against the NIST SP 800-171 requirements unless they will have access to "critical national security information," in which case third-party review is required. Level 3 will require external assessments in all instances, which DoD has indicated it expects to be conducted by the government.
Gone too are CMMC-unique requirements over and above the NIST guidelines. CMMC Level 2 will now be aligned with NIST SP 800-171, designed for protection of CUI, and CMMC Level 3 will include some subset of the NIST SP 800-172 requirements. In another significant change, full compliance will not be required in order for companies to obtain certification at any given level; plans of actions and milestones to address gaps in compliance will be permissible.
Late in 2021, DoD released several key documents relating to CMMC 2.0. These included: a CMMC 2.0 Model Overview document, CMMC Self-Assessment Scoping Guides for Level 1 and Level 2, and CMMC Assessment Guides for Level 1 and Level 2. Level 3 guidance is still under development, but DoD has said it will release implementing regulations for CMMC 2.0 as soon as possible, with an estimated timeline of somewhere between nine and 24 months from the initial CMMC 2.0 announcement in November 2021. The agency will not mandate CMMC prior to that time, or include CMMC requirements in any solicitations, until the final rules are issued. However, DoD has indicated that it is considering offering financial rewards or other incentives to companies that have already demonstrated CMMC compliance, and suggested that contractors that implement enhanced cybersecurity prior to the time CMMC applies universally may have a competitive advantage over contractors that put off compliance.
We expect other federal agencies to watch the CMMC 2.0 rollout closely, and perhaps adopt the same or similar requirements for contractors. We will also monitor how CMMC 2.0 will compare to pending federal rules pertaining to protection of CUI, now long overdue.
Elevated Cyber Fraud Enforcement
Last fall the Department of Justice (DOJ) created a new Civil Cyber-Fraud Initiative to use the power of the False Claims Act (FCA) to initiate suits against federal contractors that fall short of their regulatory and contractual cybersecurity obligations.
DOJ has identified three categories of conduct that will be a focus for FCA enforcement:
- knowingly providing "deficient" cybersecurity products or services to the government;
- knowingly misrepresenting cybersecurity practices and protocols and, as a result, failing to comply with regulatory and contractual cybersecurity obligations; and
- knowingly failing to fulfill their regulatory and contractual obligations to report cybersecurity incidents and breaches.
Because the FCA requires actual knowledge, reckless disregard, or deliberate ignorance of the truth, not every cyber incident or cybersecurity failure will result in potential liability. But certain contractor activities are more likely to pose an elevated risk, particularly if contractors seek to evade their obligations to notify the U.S. government after experiencing an incident. The DFARS 252.204-7012 cybersecurity and data breach reporting requirements are perhaps the most common source of cyber requirements for government contractors, but they are by no means the only ones, as many other agencies embed their own specifications into contracts. The Federal Risk and Authorization Management Program (FedRAMP), the authorization process for cloud-based products and services, also presents risk, both at the initial stage, when information is submitted to obtain an authority to operate, and on an ongoing basis, with guidelines requiring contractors to regularly conduct testing and report vulnerabilities. Moreover, with the forthcoming CMMC 2.0 expansion of reliance on self-assessment, there is increased risk of IT security teams conducting improper or incomplete assessments. Contractors therefore must tread carefully to be certain that they are fully compliant with all applicable requirements, and that their statements to the government with respect to cybersecurity are accurate and complete.
To reduce the risk of cyber fraud enforcement or an FCA claim, whether initiated by DOJ or by an internal whistleblower potentially looking to obtain a qui tam bounty, contractors should take care to address each of the following:
- Implement and maintain formal and thorough cybersecurity policies that meet the minimum requirements of FAR 52.204-21 and, as applicable, the more rigorous requirements of agency contract clauses, including, for example, DFARS 252.204-7012;
- Develop detailed incident response policies and procedures that include timely notice to government agencies as required by the terms of the company's government contracts and subcontracts;
- Monitor cybersecurity developments, including new regulatory requirements and best practices;
- Address cybersecurity vulnerabilities as soon as practicable, especially those that are the subject of serious alerts (such as the recent Log4j notification); and
- Foster an overall culture of cyber compliance, starting at the top with board oversight and management, and including employee training at all levels.
The White House and Congress Will Impose Additional Cybersecurity Regulatory Requirements and Reporting Obligations
Incidents such as the hacking of SolarWinds' Orion product, the ransomware attack on a major U.S. gas pipeline, and the recent detection of the ubiquitous and devastating Log4j vulnerability have wreaked havoc on government agencies and private industry alike. These types of events and, more specifically, the desire to limit fallout from such incidents, will continue to shape cybersecurity policy in 2022.
The Biden administration will continue its efforts to protect federal government networks from cybersecurity threats and to promote notifications of incidents by federal contractors to their federal agency customers, goals that were outlined in the President's May 2021 Executive Order on Improving the Nation's Cybersecurity (hereinafter, the "Cyber EO"). Federal agencies (and contractors operating their information systems) will need to follow the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks developed by the Cybersecurity and Infrastructure Security Agency (CISA) in shaping overall defensive cyber operations and in planning and conducting cybersecurity vulnerability and incident response activities.
There are two open FAR cases related to the Cyber EO -- one focused on increasing cybersecurity requirements for contractors (No. 2021-019) and the other on enhancing contractors' cyber threat and incident reporting obligations (No. 2021-017). Interim and/or final rules are expected to be issued by the FAR Council in 2022.
Activities are also underway at NIST, CISA, and the Office of Management and Budget (OMB) to define and phase in a compliance and evaluation plan for critical software, and to develop policies regarding software bills of materials and labeling requirements. Because the Cyber EO encompasses not only information technology (hardware and software), but also operational technology, including physical access systems (readers and controllers), fire alert and suppression systems, and the host of other internet of things-connected devices used within government and by government contractors, regulatory changes impacting these operational technologies are also underway. Contractors should expect new and modified contract language to reflect evolving policy and guidance from CISA and NIST, and to incorporate new FAR clauses.
On the legislative front, the 2022 National Defense Authorization Act (NDAA) as passed includes several technology policy provisions, including a requirement that DoD examine how CMMC impacts small businesses, and a pilot program for the Secretary of Defense to work with the director of CISA and the White House's national cyber director on agreements with internet companies to thwart cyberattacks. However, perhaps even more significant are the proposed NDAA provisions that were not included in the final bill, including a cyber incident reporting provision that would have required critical infrastructure providers and government contractors to report cyber incidents within 72 hours, and a separate provision that would have required the reporting of ransomware payments to the government. A version of these reporting mandates may be incorporated into standalone legislation in the coming year, or attached to other must-pass legislation. We will be watching these and other developments closely in the year ahead.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved