The Department of Defense recently released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), a unified cybersecurity standard for future DoD acquisitions. The CMMC is a cybersecurity assessment model and certification program for DoD contractors. Under this requirement, contractors may be certified at one of five levels, 1 to 5, with level 1 covering the most basic security practices and level 5 the most advanced. The DoD anticipates requiring a minimum level of certification for prime contractors and all tiers of proposed subcontractors as a prerequisite to being awarded future contract solicitations.
CMMC Model Framework
The CMMC is applicable to DoD contracts that involve a contractor’s electronic storage of two types of information within the supply chain: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). FCI is information provided by or generated for the government under a contract that is not intended for public release (e.g., scheduling or sales data). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and governmentwide policies, excluding classified information (e.g., personally identifiable information).
CMMC integrates the safeguards and security practices from other cybersecurity frameworks currently applicable to some federal contracts and supplements those requirements with practices developed by DoD, working in conjunction with a group of industry stakeholders. CMMC encompasses basic information safeguarding requirements for FCI specified in FAR 52.204-21 and the security/confidentiality requirements for CUI set forth in NIST SP 800-171r1 and Draft NIST SP 800-171B.
DoD anticipates that it will not impose fines or other monetary penalties for CMMC noncompliance. Instead, CMMC is a pre-award prerequisite. As a result, failure to qualify for a required certification level will prevent a contractor from receiving an award. DoD officials have indicated that the CMMC compliance level specified in the procurement solicitation will constitute a minimum standard that must be met for a contractor to be deemed eligible to receive an award. Contracting officers will not be allowed to weigh other factors, such as cost or implementation schedules, as a tradeoff for noncompliance with the CMMC level designated in the solicitation.
CMMC Audit Plan
It is likely that the newly constituted CMMC Accreditation Body (CMMC AB) made up of experts from industry, academia and the cybersecurity community will oversee the training quality and credentialing of the third-party assessors contemplated by the framework. CMMC Third Party Assessment Organizations (C3PAOs) will be the credentialed third-party assessors deemed fit to conduct CMMC audits and certify the CMMC compliance level for contractors.
CMMC Timeline and Implementation
DoD will not require CMMC compliance for existing contracts. DoD Under Secretary for Acquisition Ellen Lord announced that as defense contracts are re-solicited moving forward, they will likely include CMMC provisions, with the anticipation that the majority of contracts will require CMMC compliance by 2026.
Based on recent announcements, beginning this fall, DoD anticipates issuing 10 “pathfinder” solicitations with CMMC requirements. The pathfinder solicitations will likely require various CMMC levels, including “one or two” that DoD expects to require CMMC level 4 or 5 certifications. In anticipation of the pathfinder solicitations, DoD plans to launch an online marketplace in March or April where contractors seeking CMMC certification can identify credentialed C3PAO entities to begin the audit process. By May or June of this year, DoD anticipates releasing a draft DFARS regulation codifying the CMMC process. In June, the Defense Acquisition University will begin offering online courses on CMMC compliance. Also in June, DoD anticipates issuing RFIs for all 10 of the pathfinder solicitations.
McGuireWoods’ government contracts team is helping clients prepare for CMMC compliance requirements, ensuring that they have taken the necessary steps to achieve CMMC certification. Defense contractors that (1) contract with defense agencies and (2) store FCI or CUI electronically should monitor CMMC updates closely, since the DoD has indicated that a proposed DFARS rule is forthcoming. Please contact the authors if you have any questions about the CMMC and its potential impact on your business, or if you require assistance tracking the formal rulemaking process.