This article provides background about the Cybersecurity Maturity Model Certification, describes its structure and principal features, and discusses implementation.
The Department of Defense ("DoD") issued its long-awaited final Cybersecurity Maturity Model Certification ("CMMC"),[1] which DoD hopes will combat the immense toll cyber threats have taken on the Defense Industrial Base ("DIB"), the U.S. economy, and national security.[2] The final CMMC provides a comprehensive framework of cybersecurity controls and policies that defense contractors must implement depending on the nature of the information that their information systems will process, store, or transmit. This article provides background about the CMMC, describes its structure and principal features, and discusses implementation. While this is a DoD-specific effort that does not apply to other agencies, DoD is working with civilian agencies, including the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, with the goal of making this a government-wide program.[3]
The CMMC and associated DoD guidance suggest that DoD intends to implement the CMMC through procurement-specific solicitation provisions rather than by issuing new Defense Federal Acquisition Regulation Supplement ("DFARS") clauses or revising existing DFARS clauses, such as DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." However, as discussed below, the CMMC will materially change what defense contractors must do to safeguard information and will in some respects override aspects of the DFARS 252.204-7012 regime (e.g., eliminating the self-assessment system). As the CMMC is phased in, defense contractors must continue to ensure that they comply with all DFARS 252.204-7012 requirements, which remain relevant for nearly all defense contracts and contractors.
It is unclear whether and how the novel coronavirus ("COVID-19") will impact DoD's planned rollout of the CMMC. In March 2020, Katie Arrington, DoD's Chief Information Security Officer for Acquisition, suggested that COVID-19 would not delay implementation of the CMMC.[4] Circumstances on the ground have certainly changed since March, with all but eight states issuing some form of stay-at-home order that, as a practical matter, will impede the ability of DoD to train and deploy accreditors and the ability of companies to access and develop the information technology ("IT") and cybersecurity infrastructure necessary to implement the CMMC. However, contractors that want to be well-positioned to compete for government contracts subject to the CMMC, and to gain an advantage over their competitors, should heed DoD's warning that it will do its best to stay on track, and should take the steps necessary to implement the standards reflected in the CMMC.
DoD's release of the CMMC is its latest effort to expand cybersecurity requirements to contractors and their supply chains. The modern government cybersecurity system began in earnest in 1988 when Congress enacted the Computer Security Act ("CSA"), which required the National Bureau of Standards – now the National Institute for Standards and Technology ("NIST") – to create guidelines for securing government information systems.[5] In 2002, Congress replaced the CSA with the Federal Information Security Modernization Act (amended through the Federal Information Security Modernization Act of 2014 ("FISMA")). FISMA requires agencies to, among other things, (1) comply with information security standards developed and implemented in most instances by the Office of Management and Budget ("OMB") and NIST and (2) develop information security programs, which must include periodic risk assessments to test vulnerabilities and potential impacts of unauthorized intrusions.[6]
Although FISMA requires agencies to apply cybersecurity standards to "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency,"[7] there has been substantial uncertainty about how these standards apply to contractors and whether and how contractors must incorporate these security standards into their supply chains. For most federal contractors, the Federal Acquisition Regulation ("FAR") contains a limited provision at FAR Subpart 4.19 and contract clause FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems,"[8] which establish baseline security standards for any information system "owned or operated by a contractor that processes, stores, or transmits" "federal contract information" ("FCI") (i.e., "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government").
DoD contractors, however, have been subject to a broader and evolving set of standards since DoD first implemented cybersecurity standards for the defense supply chain at DFARS 252.204-7012, which has been captioned since 2015 "Safeguarding Covered Defense Information and Cyber Incident Reporting." This regulation currently applies to any "unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits" controlled unclassified information ("CUI") that qualifies as "covered defense information" ("CDI") under the rule.[9] Contractors must protect these information systems by, among other things, implementing the security controls in NIST Special Publication ("SP") 800-171r1.[10] The regulation also directs contractors to report cyber incidents.[11] However, this system has lacked verification and enforcement mechanisms, such as independent audits, though the risk of False Claims Act liability looms over potentially noncompliant contractors, as illustrated by the recent decision in United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.
DoD has determined that more must be done to harden the DIB's and defense supply chain's cyber infrastructure. Enter the CMMC, which DoD announced in May 2019 as a consolidated framework of cybersecurity controls and practices that will apply to contractor-owned and contractor-operated information systems that store or transmit FCI or CUI. The final CMMC follows seven drafts, with the first issued in May 2019 and the seventh issued in December 2019.
CMMC v1.0 incorporates not only the baseline requirements established in FAR 52.204-21 and the cybersecurity controls and practices provided in NIST SP 800-171r1 but also those in Draft NIST SP 800-171B and guidance from other organizations.[12] The CMMC also imposes audit and accreditation requirements to provide a mechanism for verifying and enforcing compliance. These requirements will ultimately apply to all contractors and subcontractors throughout the supply chain.[13]
1. CMMC Model v1.0 Briefing, https://www.acq.osd.mil/cmmc/docs/CMMC_v1.0_Public_Briefing_20200131_v2.pdf; CMMC Model v1.0, https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf; CMMC Model v1.0 Appendices, https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Appendices_20200203.pdf.
2. DoD noted that "[t]he Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016." CMMC Model v1.0, supra n.1, at 1.
3. Jackson Barnett, FedScoop (Apr. 16, 2020), https://www.fedscoop.com/cmmc-federal-standards-for-acqusition/.
4. Mariam Baksh, Nextgov (Mar. 26, 2020), https://www.nextgov.com/cybersecurity/2020/03/coronavirus-will-not-delay-pentagons-contractor-cybersecurity-program-official-says/164152/.
5. Computer Security Act of 1987, Pub. L. No. 100-235 (Jan. 8, 1988).
6. 44 U.S.C. § 3554.
7. Id. § 3554(a)(1)(A)(ii).
8. 81 Fed. Reg. 30439 (May 16, 2016).
9. DFARS 252.204-7012(a). CUI is any unclassified information subject to "safeguarding or dissemination controls." 32 C.F.R. § 2002.4(h). Categories and subcategories of CUI are identified in the CUI Registry. https://www.archives.gov/cui/registry/category-list. CDI is CUI that "is (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract." DFARS 252.204-7012(a).
10. DFARS 252.204-7012(b).
11. DFARS 252.204-7012(c).
12. CMMC Frequently Asked Questions (FAQs), at Question 8, https://www.acq.osd.mil/cmmc/faq.html (last visited Feb. 6, 2020).
13. Id. at Question 21 ("[A]ll companies doing business with the Department of Defense will need to obtain CMMC.").
Originally published by Pratt's Government Contracting Law Report, LexisNexis.