Starting in September, the Department of Defense will demand that bidders on DoD contracts meet higher cyber security requirements. And bidders will no longer be able to self-certify their compliance. Below are high-level questions guiding you on what you need to know.

What are these higher cyber requirements?

The higher cyber security requirements are in the Department of Defense’s new Cybersecurity Maturity Model Certification framework (“CMMC”). This framework is intended to be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and will be used as a requirement for all Department of Defense contract awards. The CMMC framework will serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place across the entire DoD supply chain.

DoD contractors must be certified at one of the five levels and must meet the contract requirement at the time of bid submission. The level of the CMMC certification required is dependent upon the type and nature of information flowed down from the prime contractor and/or the government client. The DoD will set the certification level designation for each contract at the time of releasing the solicitation.

A certified third-party assessment organization (“C3PAO”) will verify whether the government contractor’s internal processes and procedures have met the appropriate level of cybersecurity requirements and procedures for its business.

Who must comply with the CMMC?

All DoD contractors will eventually be required to obtain CMMC certification. Under the CMMC, government contractors will no longer be permitted to self-certify their cybersecurity compliance but instead must be audited by a certified third-party assessment organization (“C3PAO”). Government contractors will no longer be eligible to bid on DoD contracts without the requisite CMMC certification. As long as the business does not solely produce commercial-off-the-shelf (“COTS”) products, it will need to obtain a certification.

How much will CMMC certification cost?

Costs associated with CMMC certification will vary and are dependent on several factors, including the requisite CMMC level, complexity of an entity’s infrastructure and network, and other market forces. In addition to an initial cost, there will likely be other costs associated with ongoing compliance, personnel maintenance, training, and future certification maintenance costs. The DoD has announced that certification costs will be an allowable cost, but details as to the extent and ongoing maintenance costs have yet to be determined.

What are the various CMMC levels?

There are five certification levels that reflect the maturity and reliability of an entity’s cybersecurity infrastructure and its ability to protect sensitive government information saved on contractors’ information systems. There are 171 practices across the five levels to measure and evaluate technical capabilities. Additional practices are introduced at each level and are cumulative: all practices from the lower levels must also be followed at each higher level. The CMMC framework was published in January 2020 and the model encompasses the following:

  • Level 1 – Basic Cyber Hygiene: 17 Practices
  • Level 2 – Intermediate Cyber Hygiene: 72 Practices (+ 55 Practices)
  • Level 3 – Good Cyber Hygiene: 130 Practices (+ 58 Practices)
  • Level 4 – Proactive Cyber Hygiene: 156 Practices (+ 26 Practices)
  • Level 5 – Advanced Cyber Hygiene: 171 Practices (+ 15 Practices)

How does a contractor become certified under the CMMC framework?

The process is in the very early stage of development. Here’s what DoD has told contractors so far. The CMMC Accreditation Body (“CMMC AB”), a non-profit, independent organization, will accredit the C3PAOs and individual assessors. The CMMC AB provides more information and updates on its website. Currently, the requirements for becoming a C3PAO have not yet been established. As a result, there are no third-party entities at this time that have been credentialed to conduct a CMMC assessment that will be accepted by CMMC AB. Similarly, according to the DoD, at this time only training materials or presentations provided by the Department will reflect the Department’s official position with respect to the CMMC program. The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs in addition to other helpful information. After the CMMC Marketplace is established, government contractors will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

How does a government contractor know what CMMC level is required for a contract?

Beginning in 2020, the DoD will provide the required CMMC level for each contract in Requests for Information (RFIs). Beginning September 2020, the DoD plans to include the required level in Requests for Proposals (RFPs).

Who can perform CMMC assessments?

Only C3PAOs and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments. The CMMC AB is currently still working on the CMMC training materials and is expected to release provisional training in July.

Shakir Hussaini is an Associate in the Cybersecurity & Data Privacy practice group at Berenzweig Leonard. Shakir can be reached at [email protected]. Shakir wishes to thank Aleksey House, our law clerk from George Washington University Law School, for her assistance on this article.