On Friday January 31, 2020, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, Kevin Fahey, Assistant Secretary of Defense for Acquisition, and Katie Arrington, the Chief Information Security Officer for the Department of Defense (“DoD”), briefed reporters on the release of the Cybersecurity Maturity Model Certification (“CMMC”) Version 1.0.  We have discussed draft versions of the CMMC in earlier blog posts.

At the press conference, Under Secretary Lord and her staff emphasized the concerns that the DoD has with regard to sensitive, unclassified government data that resides in the networks of its supply chain, discussed the timeline for rolling out the CMMC, confirmed that DoD will be promulgating a new DFARS regulation to implement aspects of the CMMC, and acknowledged that DoD is continuing to work through the accreditation process.

First, Secretary Lord emphasized the significant national security threat that contractors and their subcontractors face from sophisticated cyber adversaries.  She noted that cyber attacks are low cost to conduct, but that in the past year alone, cyber attacks resulted in approximately $600 billion dollars of global GDP lost through cyber theft.  She also emphasized that DoD has expended considerable efforts communicating with and receiving input from industry and sees this as a key partnership between DoD and the defense industry to protect sensitive government information.

Second, DoD representatives explained that DoD is taking a “crawl, walk, run” approach with implementation of the CMMC.  Although the rollout will begin this year, DoD’s goal is to have the requirement fully implemented by Fiscal Year 2026.  This year, DoD intends to select third party accreditation vendors, to be called “C3PAOs.”  Although no significant details as to content were shared, DoD also plans to publish a new DFARS regulation in late spring or in early summer.  Finally, DoD plans to add CMMC requirements to ten procurements at the end of this year with contractors and subcontractors expected to meet all applicable CMMC requirements at the time of award.  DoD’s expectation is that each individual procurement will affect a relatively large number of contractors once subcontract awards at various levels of the supply chain are taken into account.  These procurements are expected to include a mix of CMMC Levels.

Third, DoD provided some insight into the Accreditation Body, which it stood up in early January 2020.  The Accreditation Body is charged with overseeing training, quality, and administration of the C3PAOs and will consist of 13 members from the defense industrial base, cybersecurity community, and academic community who self-nominate to join.  The names of the members of the Accreditation Body were not provided at the press conference, but DoD shared that the Body has elected a Chairman and that it has a Board of Directors.  DoD is currently drafting a memorandum of understanding (“MOU”) with the Accreditation Body that will outline the roles, rules, and responsibilities of the parties.  Given the sensitive information that the Accreditation Body and the auditors will have access to, the MOU is expected to address potential conflicts of interest.

Finally, DoD clarified some operational questions.  DoD confirmed that it will not seek to modify current contracts to apply the CMMC retroactively (although it is unclear whether the CMMC could be applied to an existing contract when DoD exercises an option).  DoD also stated that subcontractors will only need to be certified to the appropriate level based on the data that they receive or develop and the work they will perform on a contract.  Thus, depending on the type of work being flowed down, it is possible that a Level 3 procurement could have Level 1 subcontractors.  CMMC accreditation will be effective for three years, but DoD did not provide further guidance on the costs of obtaining the certification or specifics on how the audit process will work.

Shortly following the press conference, DoD published Version 1.0 of the CMMC, found here.  Although the press conference clarified some outstanding questions, others still remain.  We are analyzing the requirements imposed by Version 1.0 of the CMMC and will publish our analysis in an upcoming post.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Photo of Ashden Fein Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing…

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Photo of Ryan Burnette Ryan Burnette

Ryan Burnette advises clients on a range of issues related to government contracting. Mr. Burnette has particular experience with helping companies navigate mergers and acquisitions, FAR and DFARS compliance issues, public policy matters, government investigations, and issues involving government cost accounting and the…

Ryan Burnette advises clients on a range of issues related to government contracting. Mr. Burnette has particular experience with helping companies navigate mergers and acquisitions, FAR and DFARS compliance issues, public policy matters, government investigations, and issues involving government cost accounting and the Cost Accounting Standards.  Prior to joining Covington, Mr. Burnette served in the Office of Federal Procurement Policy in the Executive Office of the President, where he worked on government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.