The Government continues to take steps to address its Defense Industrial Base supply chain cybersecurity. Below are some of the emerging developments you should be following in this space:
Cybersecurity Maturity Model Certification (CMMC)
Previously we reported on the Department of Defense’s (DoD’s) activities to roll out a CMMC program. DoD has now rolled out a corrected version of the CMMC Model, version 1.02. The Model mandates that DoD contractors, and their supply chains, be certified to have systems in place that meet the certification level cybersecurity requirements for the data that they will be required to handle under DoD contracts and subcontracts.
The DoD Acquisition Council opened a rulemaking case to establish a clause for the inclusion of CMMC certification requirements in its procurements. DAR Case 2019-D041 provides for establishment of a rule that will implement “a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the [NIST SP 800-171] …, and a DoD certification process, known as the Cybersecurity Maturity Model Certification (CMMC), that measures a company’s maturity and institutionalization of cybersecurity practices and processes.” Currently, the draft DFARS rule is being reviewed by the Office of Information and Regulatory Affairs (OIRA) at the Office of Management and Budget. Once it gets through this review, and any concerns identified by OIRA are addressed, the rule should be ready for issuance in the Federal Register. It may be issued as an interim rule or as a proposed rule. However, it is a significant rule and must go through the procurement rulemaking notice-and-comment process.
The previously announced schedule for rollout of CMMC was: establish the CMMC Accreditation Body (CMMC-AB) in January 2020, train certifiers, issue ten pilot Requests for Information by June 2020, issue pilot Requests for Proposals (RFPs) in September 2020, and award contracts containing CMMC provisions thereafter. Contractors must be certified at the designated CMMC level to receive these pilot awards. They must also ensure that their supply chains comply with the mandated levels of certification where their performance involves Controlled Unclassified Information (CUI). Given the delays being experienced due to the COVID-19 situation, this schedule may be impacted.
CMMC-Accreditation Body (CMMC-AB)
DoD has entered into a Memorandum of Understanding (MOU) with the CMMC-AB, which will establish the standards, training, and processes for conducting the government contractor audits for certification purposes. The certifying persons or entities, once properly vetted through processes established by the CMMC-AB, will be known as CMMC Third Party Assessment Organizations (C3PAOs).
Apparently some entities are already claiming to be C3PAOs capable of providing companies with the CMMC certification needed to contract with the DoD in coming months. However, the CMMC-AB has not yet established its program. Nor has it conducted any training or certification of C3PAOs. Once it does, it will establish a CMMC Marketplace that will list approved C3PAOs.
Beware of entities that say that they can engage in review and certification now. At best, they are entities that would seek to assist you in getting ready for compliance. However, they cannot certify you. At worst, they may be entities seeking to access your systems and information for other than lawful purposes.
On April 22, 2020, the CMMC-AB issued an RFP for a continuous monitoring solution. The RFP called for responses by May 1, 2020, and anticipated selection of a solution by May 8, 2020. A CMMC-AB continuous monitoring system was not something identified in the CMMC. If actually implemented, a CMMC-AB continuous monitoring system is likely to pose a number of issues that will need to be addressed at the government, contractor and supply chain levels — from the basis of authority for such a system, to concerns about contractor privacy, to concerns about the security of contractor systems arising from the monitoring solution itself, to the parameters for protecting a contractor’s crown jewels from unauthorized access and use by the Government and others.
Defense Contract Management Agency (DCMA) Cybersecurity Audits Continue
Pending implementation of the CMMC, it is our understanding that the DCMA is continuing to conduct its cybersecurity audits of the Defense Industrial Base (DIB) based on the cybersecurity clause, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; the DCMA Contractor Purchasing System Review Guidebook, Appendix 24; and the applicable standard, National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. In February 2020, NIST issued Revision 2 of NIST SP 800-171.
Controlled Unclassified Information (CUI)
The Federal Acquisition Regulatory (FAR) Council opened a rulemaking case in 2017, FAR Case 2017-016, to establish a rule to address agency policies for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. The current FAR Open Cases state that the rule has been drafted and is currently awaiting concurrence by the Civilian Agency Acquisition Council.
Contractors have been waiting for the rule for years now as CUI triggers the application of the cybersecurity standards. Knowing what is considered CUI is needed to establish where and what cybersecurity is required and which contractor systems are affected.
When finalized, these and other elements will need to be woven together to create the fabric of DoD cybersecurity that a DIB contractor and its supply chain must use to appropriately cover their systems and information.
Contact the author of this blog or your Stinson attorney if you have questions about this article, or government contracting matters.