On December 13, the Department of Defense (“DoD”) released the latest version of its Cybersecurity Maturity Model Certification (“CMMC”).  This is the third iteration of the draft model that DoD has publicly released since it issued the first draft in October.  (We previously discussed Version 0.4 and Version 0.6 of the CMMC in prior blog posts.)

DoD describes the CMMC as “a DoD certification process that measures a DIB sector company’s ability to protect FCI [Federal Contract Information] and CUI [Controlled Unclassified Information].”  DoD has stated publicly that it intends to begin incorporating certification requirements into solicitations starting in Fall 2020, with compliance audits beginning in late 2020 or early 2021.  Depending on the sensitivity of the information that contractors will receive in the course of performing work for DoD, they will be expected to demonstrate compliance, through third party audits, with the requirements set forth under one of five certification levels.  This applies even where contractors will not be handling FCI or CUI in the course of performing their contracts.[1]

The two most significant updates to the model in this version of the draft are (i) the addition of “Practices” for obtaining Level 4 and 5 certifications, and (ii) an expansion of the “clarifications” section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1.  These changes and others are discussed in more detail below.  Given the expected release in late January 2020, it is likely that the requirements in this draft will closely resemble those that will be set forth in Version 1.0 of the CMMC framework, which is anticipated to serve as the basis for the first contractor audits.

Addition of Practices to Levels 4 and 5

Version 0.7 of the CMMC retains the matrix format that we have seen in prior versions.  This matrix is composed of “Domains,” “Capabilities,” “Practices,” and “Processes.”  Each domain consists of multiple Capabilities, and each Capability consists of multiple Practices.  Capabilities are general achievements to ensure cybersecurity objectives are met within each Domain.  Practices more specifically outline the technical requirements necessary to achieve compliance with a given Capability, while Processes measure how well Practices have been implemented across a contractor’s business.

Domains: Key sets of capabilities for cybersecurity.
Capabilities: Achievements to ensure cybersecurity within each domain.
Practices & Processes: Activities required by level to achieve a capability.

Although it is not yet clear how DoD intends to draw the line between classifying contracts at one of the five certification levels, DoD has previously indicated that Level 3 will be the baseline certification necessary for contractors that handle CUI, while Level 4 and 5 certifications will apply to CUI associated with DoD “critical programs and technologies.”  The CMMC does not define “critical programs and technologies,” but adopts 33 enhanced security requirements for “Critical Programs and High Value Assets” from NIST’s Draft Special Publication (“SP”) 800-171B.  That draft publication provides a set of enhanced security requirements to protect the confidentiality of CUI in nonfederal contractor systems from advanced persistent threats (APTs).  The NIST publication does not define the terms critical program or high value asset other than to state that these would be programs “likely to attract attention from” APTs.

Version 0.4 of the CMMC contained a litany of Practices and Processes necessary for obtaining Level 4 and 5 certifications.  However, DoD subsequently removed all Practices and Processes for these levels in Version 0.6, pending further evaluation of public comments.  Version 0.7 now contains what we expect to be a near-final set of Practices necessary for obtaining Level 4 and 5 certifications, and relegates all Processes to a much simplified table that is intended to apply across all Domains.

As compared against the initial public release of the CMMC, the requirements in Levels 4 and 5 are greatly consolidated.  Nonetheless, they still represent a significant set of compliance obligations that contractors must follow in order to perform work on contracts designated at either of these two certification levels.  Level 4 now incorporates 13 controls set forth in draft NIST SP 800-171B, and Level 5 adds requirements for a further five controls from draft NIST SP 800-171B.

Consistent with what we have seen for Levels 2 and 3 in prior drafts, Levels 4 and 5 also include requirements from a number of other sources, including from the CMMC working groups.  In addition to retaining new standards that may make this model dependent on foreign government updates, this version continues the practice of including multiple controls for certain practices, thereby increasing the possibility of conflicting guidance.  Moreover, standards that are pulled from NIST SP 800-171B in some cases appear to have been incorporated into the CMMC on a modified or a partial basis.  For this reason, even those contractors that have implemented sophisticated cybersecurity controls in line with the standards set forth in NIST publications should closely review how these requirements and others have been described in the CMMC to ensure that they will be compliant with all applicable Practices at the time that they undergo an audit.

New Practice and Process Clarifications

Perhaps the most helpful update for contractors is the inclusion of new clarification sections for Level 2 and 3 Practices that build upon the Level 1 clarifications that we saw in Version 0.6 of the model, in addition to new clarifications of Processes.  These sections include brief “discussions” of the requirements, “clarifications” to further explain DoD expectations, and in some cases, “examples” that describe scenarios where compliance is appropriately demonstrated within an organization.  The inclusion of clarifications for Level 3 in this draft is an unexpected but welcome addition, as Version 0.6 of the CMMC indicated that Version 1.0 would only feature clarifications for Levels 1 and 2.

We expect that these clarifications will be vital to understanding and interpreting the very brief and limited descriptions of Practices and Processes that are set forth in the matrix itself.  Indeed, one of the new Process clarifications applicable to Process Maturity Level 2 describes minimum elements that policy statements from a contractor’s senior management should contain to appropriately document security requirements that are applicable to the network.  Along these lines, contractors should be mindful to read the CMMC as a whole to ensure they do not encounter unexpected issues during their third party audits.

Takeaway

Thus far, DoD has adopted a regular cadence for updating and revising the CMMC.  Although we would expect to see more additions to the model in the future (potentially including an expansion of the clarification section to cover the newly added Level 4 and 5 requirements), the model is nearing a ready-to-release format, and it appears likely that DoD will meet its January 2020 release date target for Version 1.0.  For this reason, contractors should continue to take steps to implement all requirements described in this latest draft, as implementation may represent a significant effort, requiring input not just from an organization’s information technology and legal departments, but as prescribed in the current model, from an organization’s senior management.

Further, DoD has expressed a desire to revise the model on a continuous basis to rapidly address new and evolving threats.  Thus, any contractors that are left playing catch up at the time that DoD begins including certification requirements in its RFPs in Fall 2020 will have a difficult time staying ahead of the curve as the model continues to evolve.

Finally, notwithstanding DoD’s efforts to simplify and clarify the requirements of the model, a number of questions that we previously raised in our post discussing the November release of Version 0.6 persist, including (i) how DoD and its auditors will handle the immediate influx of contractors requiring certifications, (ii) the specific criteria for determining the certification level necessary to perform a contract (both prime contracts and subcontracts), (iii) how DoD and its Accreditation Body will ensure that third party audits are conducted in a consistent manner, and (iv) how DoD will address the impact on commercial item and small business contractors, which ordinarily do not obtain significant cost recovery under reimbursable contracts with the Government. DoD has continued to indicate publicly that assistance may be available to small business contractors but has yet to release a plan for funding or assistance programs.

[1] The CMMC does not rely on the term Covered Defense Information (“CDI”), which is used in DFARS 252.204-7012, “Safeguarding covered defense information and cyber incident reporting.”

Susan B. Cassidy
Ryan Burnette