On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment.  The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.  In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB.  As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third party auditors.

The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant.  DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020.  Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding.  DoD is seeking feedback on the current version of the model by September 25, 2019.

Overview of the Current CMMC Framework Draft

At its core, the current version of the CMMC framework consists of a matrix, composed of “Domains,” “Capabilities,” and “Practices and Processes.”  Domains are comprised of Capabilities, and Capabilities are comprised of Practices and Processes.  The model contains 18 different Domains of “key sets of capabilities for cybersecurity,” 14 of which use the same terminology as the security requirement families in NIST Special Publication (SP) 800-171.  The model adds Asset Management, Cybersecurity Governance, Recovery, and Situational Awareness to the NIST SP 800-171 security requirement families.  The 18 Domains are:

  • Access Control
  • Asset Management*
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Cybersecurity Governance*
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Recovery*
  • Risk Assessment
  • Security Assessment
  • Situational Awareness*
  • System and Communications Protection
  • System and Information Integrity

* – Domain is not one of the 14 NIST SP 800-171 security requirement families.

Each Domain lists certain Capabilities, which are “achievements to ensure cybersecurity within each domain.”  In total, to achieve the highest level of certification — Level 5 — contractors must comply with more than 80 different individual Capabilities, such as the ability to “detect and report events” and the ability to “implement threat monitoring based on defined requirements.”

Capabilities are comprised of much more detailed “Practices” and “Processes” that contractors must adhere to.  Practices are similar to security controls, and DoD has described them as “activities required by level to achieve a capability.”  Processes, by contrast, are intended to detail the maturity of the institutionalization of the practices.

Although the NIST SP 800-171 controls are referenced in the model (and “coverage” of all NIST SP 800-171 rev 1 security controls is a requisite for meeting Level 3 certification), many of the practices have been informed by other sources, such as ISO 27001:2013, AIA NAS 9933, and the CERT Resilience Management Model, in addition to best practices gathered from DIB members.  Many of the requirements, particularly for Level 5 certification, would be new for contractors, and cite to DIB best practices as a source.  Noticeably absent are citations to NIST SP 800-171B, which NIST published in draft form in June 2019 with enhanced security requirements designed to protect designated “high value assets” or “critical programs” that contain CUI of interest to advanced persistent threats.  Accordingly, there remain questions about how these controls should be interpreted and whether additional guidance for implementation will accompany future versions of the model.

Unlike NIST SP 800-171, which is implemented through a regulation — i.e., DFARS clause 252.204-7012 — DoD plans to implement the requirements of the model on a purely contractual basis.  The required CMMC level applicable to a procurement will be listed in the solicitation in sections L and M and will be a “go/no-go decision.”

DoD has stated that the model is still being refined, that practices within the model have not yet been cross-referenced across Domains, and that it anticipates a reduction in size of the model as it is further developed.  DoD indicated in the overview briefing accompanying the model that it intends to use independent third party organizations to conduct audits and certify contractors.  DoD has released neither the methodology to handle maturity level trade-offs, nor the assessment guidance for these third-party certifiers.  Nonetheless, as stated above, DoD plans to have a final version of the CMMC framework released in January 2020, included in RFIs starting in June 2020, and included in RFPs starting in Fall 2020.

Open Questions and Issues for Contractors

The draft CMMC framework provides significant information about the specific requirements that DoD may impose on contractors seeking certain certification thresholds, but leaves open many important questions for contractors.

  • Implementation Deadlines. The CMMC introduces a significant number of new controls and requirements.  Even the most sophisticated of contractors will likely find compliance difficult, and the continued maturation of the model will make compliance with DoD’s ambitious deadlines a challenge across the DIB.
  • Determination of Appropriate CMMC Level for Contracts. The guidance offers no insight into how DoD will determine the CMMC certification level required for each contract solicitation or whether it intends to standardize a process for making such determinations across the Departments or even within requiring activities.  Existing FAQs on DoD’s CMMC website only state that “[t]he government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer.”
  • Allowable Costs. DoD has consistently said that the costs of compliance with the CMMC would be allowable.  Presumably these costs would be recovered in contractors’ overhead rates.  However, to the extent that commercial item contractors — including many small businesses — contract with the government on a price basis, the costs of implementation would not be separately reimbursable by the government.
  • Meeting a Certification Level. The CMMC framework does not provide guidance on how each of the Capabilities within the various Domains is to be weighed against the others, and similarly, how compliance with each of the respective Practices within a Capability is to be weighed against the others.  It is unclear, for example, whether compliance with each Practice or Capability will be given equal weight, whether DoD will assign some relative level of importance to each Practice or Capability, or whether this will be largely left to the discretion of the auditor.  Although DoD has stated that “[a] methodology to handle maturity level trade-offs is planned” and that “[d]etailed assessment guidance is still under development,” it is not apparent whether the forthcoming guidance will address any of these points.  Nor is it clear the extent to which prior guidance on Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented (i.e., Impact Guidance, which we previously discussed here) may apply to the model.
  • Audit Determinations. It is not clear what recourse, if any, contractors might have to challenge a CMMC certification determination by an auditor.  Although DoD has stated that “[s]ome of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA),” for lower-level assessments, auditors appear to be vested with a great deal of discretion.  For example, DoD recognized “the challenges of being 100% compliant with some practices,” and suggested that an “[a]ssessment of process institutionalization helps to mitigate this concern.”  However, it is not clear how auditors are expected to balance overall compliance with Practices against efforts that contractors have taken towards process institutionalization (e.g., Procedures).
  • Subcontractor Compliance Requirements. DoD has not yet issued any guidance on the certification level required for subcontractors, including whether the prime contractor is responsible for making this determination or if all subcontractors must meet the level assigned to a particular contract regardless of the data that flows to those subcontractors.
  • Implementation by Policy vs. Regulation. Ordinarily, we would expect these types of requirements for DoD contracts to be addressed through the regulatory process.  Making the change through policy allows DoD to implement the requirements more quickly, but does leave open the possibility of divergence among the Departments such as what the DIB has seen over the past year with the unique cybersecurity requirements being issued by the Navy and other Departments.
  • Protest Considerations. It is not clear whether contractors will have any ability to appeal or successfully protest the CMMC level at which DoD has designated a contract, and if so, whether this will be the only mechanism available to contractors to ensure that agencies give second thought to a particular CMMC level.  For example, in the pre-award context, prospective offerors may consider protesting the level assigned to a particular procurement as overly restrictive of competition.  Although deference is usually provided to agencies in the area of national security, the viability and success of this and other protest grounds remains to be seen.

As stated above, contractors have until September 25, 2019 to comment on the current version of the model.  Given the number of issues outstanding, only some of which are discussed here, interested contractors should offer their comments as early as possible in the process.  There is a comment matrix available on the CMMC website, along with instructions for submitting comments.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain and cybersecurity requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer who advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and supply chain security. Ryan also advises on FAR and DFARS compliance, public policy matters, agency disputes, and government cost accounting.  He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and 252.204-7020; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; software and artificial intelligence security, attestations, and bill of materials requirements; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he developed and implemented government-wide contracting regulations and administrative actions affecting more than $400 billion worth of goods and services each year. While in government, Ryan worked on several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, GSA Schedules and interagency acquisitions, competition requirements, and suspension and debarment, among others.

Additionally, in the wake of significant incidents affecting the program, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared employees and contractors. These efforts resulted in the establishment of a new federal bureau to conduct and manage background investigations.