New DOD Cybersecurity Maturity Model Certification Creates New Cyber Enforcement Mechanism


DOD has announced a new cybersecurity standard and certification for defense contractors called the "Cybersecurity Maturity Model Certification" (CMMC). This new standard will act as an enforcement mechanism for the current Defense Federal Acquisition Regulation Supplement (DFARS) requirement that contractors handling sensitive unclassified information protect it in accordance with the 110 security controls laid out in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The final CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171. Additionally, on June 19, 2019, NIST released a revised version of SP 800-171 for public comment. That revision, however, does not change any of the controls outlined in the initial publication.

The CMMC will require DOD contractor information systems to be certified compliant by an outside auditor and will act as a single standard used across all DOD contracts, beginning in 2020 or 2021. A nonprofit organization will be authorized to oversee the program and accredit the outside, private-sector auditors. The standard will apply to all contractors doing any kind of business with DOD. Although the draft CMMC has not yet been published, it is reported to identify multiple levels (some reports say five) of data security, ranging from basic cyber hygiene to "state of the art," so that the security measures required of a contractor are proportionate to the level assigned. DOD contracts will specify the required level, and awards will be made on a go/no-go basis depending on the contractor's certification status. By contrast, the DFARS currently requires only that contractors self-attest to their compliance by documenting a current "system security plan" and a "plan of action and milestones" for satisfying any NIST controls not yet implemented.

According to Ms. Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, this self-attestation model has resulted in continued cybersecurity deficiencies in the defense industrial base, including successful phishing and ransomware attacks. In a webinar on June 12, 2019, Ms. Arrington indicated that this certification, and "security" spending in general, will now be considered an "allowable cost." That designation will let contractors recover these and other costs of meeting cybersecurity requirements, as direct costs where appropriate or otherwise as indirect costs. Ms. Arrington indicated that she is working closely with industry groups to identify the controls required at each of the identified levels.

DOD could begin piloting the CMMC and the use of third-party auditors sometime this summer, using other transaction agreements to test varying methods of certification. It is still unclear who the auditors will be and who will train and/or certify them. The Pentagon could also direct the military services to select particular programs and contracts to serve as pathfinders for the new certification requirements. Contractors should be mindful and watchful of these new requirements and their planned implementation. If the model succeeds, similar models could be adopted across other parts of government as well.

While DOD plows ahead with developing a new certification to help protect its supply chain, the Department of Homeland Security (DHS) is leading an Information and Communications Technology (ICT) Supply Chain Risk Management Task Force that is developing proposals for updates to the Federal Acquisition Regulation (FAR) to help the government secure its supply chain. This task force, run with the IT and Communications Sector Coordinating Councils, has brought together industry representatives for the past few years. It produced its first recommendation on June 19, 2019. According to the DHS statement, the task force "unanimously approved a recommendation from one of its working groups for a proposed federal acquisition rule aimed to prevent counterfeit [information and communications technology] from being procured by incentivizing ICT purchase from original equipment manufacturers and authorized resellers only." According to DHS Assistant Secretary Jeanette Manfra, the task force will work closely with the Federal Acquisition Security Council (FASC) established by the SECURE Technology Act (Pub. L. 115-390).

Venable will continue to work to understand the developing requirements and will engage with both departments, as well as with the current administration, to advocate for streamlined efforts around the supply chain. Because federal contractors often work in both the defense and federal civilian spaces, now is the time for DHS and DOD to bring their efforts together to ensure that their contractors can 1) treat security as an allowable cost in federal civilian contracts as well, and 2) rely on any new certification requirements applying consistently to contracting across both domains.