On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0. We have discussed draft versions of the CMMC in earlier blog posts.
At the press conference, Under Secretary Lord and her staff emphasized the concerns that the DoD has with regard to sensitive, unclassified government data that resides in the networks of its supply chain, discussed the timeline for rolling out the CMMC, confirmed that DoD will be promulgating a new DFARS regulation to implement aspects of the CMMC, and acknowledged that DoD is continuing to work through the accreditation process.
First, Secretary Lord emphasized the significant national security threat that contractors and their subcontractors face from sophisticated cyber adversaries. She noted that cyber attacks are low cost to conduct, but that in the past year alone, cyber attacks resulted in approximately $600 billion dollars of global GDP lost through cyber theft. She also emphasized that DoD has expended considerable efforts communicating with and receiving input from industry and sees this as a key partnership between DoD and the defense industry to protect sensitive government information.
Second, DoD representatives explained that DoD is taking a “crawl, walk, run” approach with implementation of the CMMC. Although the rollout will begin this year, DoD’s goal is to have the requirement fully implemented by Fiscal Year 2026. This year, DoD intends to select third party accreditation vendors, to be called “C3PAOs.” Although no significant details as to content were shared, DoD also plans to publish a new DFARS regulation in late spring or in early summer. Finally, DoD plans to add CMMC requirements to ten procurements at the end of this year with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award. DoD’s expectation is that each individual procurement will affect a relatively large number of contractors once subcontract awards at various levels of the supply chain are taken into account. These procurements are expected to include a mix of CMMC Levels.
Third, DoD provided some insight into the Accreditation Body, which it stood up in early January 2020. The Accreditation Body is charged with overseeing training, quality, and administration of the C3PAOs and will consist of 13 members from the defense industrial base, cybersecurity community, and academic community who self-nominate to join. The names of the members of the Accreditation Body were not provided at the press conference, but DoD shared that the Body has elected a Chairman and that it has a Board of Directors. DoD is currently drafting a memorandum of understanding (“MOU”) with the Accreditation Body that will outline the roles, rules, and responsibilities of the parties. Given the sensitive information that the Accreditation Body and the auditors will have access to, the MOU is expected to address potential conflicts of interest.
Finally, DoD clarified some operational questions. DoD confirmed that it will not seek to modify current contracts to apply the CMMC retroactively (although it is unclear whether the CMMC could be applied to an existing contract when DoD exercises an option). DoD also stated that subcontractors will only need to be certified to the appropriate level based on the data that they receive or develop and the work they will perform on a contract. Thus, depending on the type of work being flowed down, it is possible that a Level 3 procurement could have Level 1 subcontractors. CMMC accreditation will be effective for three years, but DoD did not provide further guidance on the costs of obtaining the certification or specifics on how the audit process will work.
Shortly following the press conference, DoD published Version 1.0 of the CMMC, found here. Although the press conference clarified some outstanding questions, others still remain. We are analyzing the requirements imposed by Version 1.0 of the CMMC and will publish our analysis in an upcoming post.