Last week, the Department of Defense (DOD) released for comment the first public draft of the Cybersecurity Maturity Model Certification (CMMC) model, CMMC v.04. The looming question on every contractor’s mind is “what does this mean for the other cybersecurity requirements?”
The purpose of the CMMC is to provide a unified cybersecurity standard for DOD acquisitions and build upon existing regulation, such as DFARS 252.204-7012. Through the CMMC plan, DOD is looking to create a simple, consistent framework for contractors to implement and become compliant with the best cybersecurity practices. After implementation, contractors will become certified within one of the CMMC “Levels.”
The draft CMMC plan consists of 18 domains, each made up of key sets of capabilities derived from cybersecurity “best practices.” These capabilities are organized into five maturity levels, Levels 1-5, with Level 1 being the most basic “cyber hygiene,” such as having anti-virus software, and Level 5 being the most complex and advanced standards.
Beginning in Fall 2020, DOD solicitations will list which CMMC level is required for contractors to be eligible for award. The CMMC standards and best practices are derived from a variety of existing regulations and frameworks, such as ISO 27001, AIA NAS 9933, and the CERT Resilience Management Model. Contractors will have to be certified through third-party organizations that will conduct audits and assess risk.
The CMMC model will be implemented on a purely contractual basis, while NIST standards are implemented through regulation, DFARS 252.204-7012. Further, the inclusion of the required CMMC certification in the solicitation means it will apply to all DOD contractors, whether or not the contractor handles covered defense information (CDI). Therefore, the CMMC plan and NIST standards come into play at different stages of a procurement and together ensure contractors are cybersecurity compliant all the way through.
There may also be an issue regarding the cost of implementation and the hardship to small businesses or startups. While the idea behind the CMMC plan is to bring contractors up to date with best cybersecurity practices, there could be a negative impact on small businesses due to the cost and affordability of implementing these cybersecurity standards, especially at the higher CMMC levels. Even though DOD’s goal is for CMMC to be cost-effective and affordable for small businesses, others in the industry believe implementation of the highest standards could price some small businesses out of competition.
Some of these questions will likely be discussed and answered during the comment period. We will continue to monitor the CMMC plan and keep you informed of any changes.
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring reports on recent contract decisions, upcoming contracts, key protest decisions, events, and more. This post was published in the September 2019 newsletter. To sign up for our govcon newsletters, please click here.
Danny Alvarado is a Senior Law Clerk in the Government Contracts practice at Berenzweig Leonard. Danny can be reached at [email protected]. For more information on these cybersecurity compliance requirements, contractors can reach out to Steve Britt, who leads the firm’s Data Privacy and Cybersecurity practice.