Government Contracts & Investigations Co-Chair Susan Warshaw Ebner recently discussed the impact of the new Department of Defense (DOD) rule that will apply to government contractors in an article by Law360. The interim rule, which was published on September 29 and goes into effect on November 30, 2020, requires that contractors at all tiers be assessed and certified as compliant with the Cybersecurity Maturity Model Certification (CMMC) level identified in the DOD procurement in order to be awarded and perform that contract.
Under the interim rule, the CMMC level required for award of a prime contract may not be the same level required of lower-tier supply chain contractors. The interim rule does not lay out how the required CMMC levels will be determined for these supply chain contractors. The rule also does not lay out how contractor challenges to CMMC assessments and certifications will be handled.
The DOD intends to improve cybersecurity across its supply chain, but may not have fully taken into account the costs to contractors, said Susan. She explained that though the CMMC framework suggests that smaller businesses are likely to have lower implementation costs, where a small business has contracts involving particularly sensitive data or critical activities, DOD may require that the contractor possess a higher CMMC level, and the contractor may incur greater costs as a result.
Susan also noted that the DOD, in calculating the impact of this rulemaking, does not appear to be taking into account the cost to contractors of becoming compliant with the existing requirements. Under current standards, contractors are deemed compliant as long as they have a plan in place to meet the existing standard in the future. Susan is concerned that the costs to contractors at all tiers to fully implement these requirements “are going to be significant.”