On November 7, the U.S. Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Draft Version 0.6 of its Cybersecurity Maturity Model Certification (CMMC) for public comment. According to DoD’s overview briefing, the CMMC was created to provide “a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).” In brief, the CMMC builds upon DFARS 252.204-7012, which generally requires contractors to maintain “adequate security” on all covered contractor information systems and to report any cybersecurity incidents to the DoD Cyber Crime Center (DC3) within 72 hours. The certification process, which will rely on non-government third parties, raises legal and business risks for contracting entities, including the potential for disputes. Whereas DFARS 252.204-7012 relies on contractor self-certification, the CMMC framework will require all government contractors and subcontractors to obtain cybersecurity certification from yet-to-be-created CMMC Third-Party Assessment Organizations (C3PAO) as a prerequisite to performing DoD contracts.1
The requirement for a certification by a non-government third party raises a number of questions and concerns:
- Levels of Certification. The CMMC framework includes five levels of certification, ranging from Level 1 (“basic”) to Level 5 (“highly advanced”). DoD will determine the appropriate level of certification on a case-by-case basis, but a minimum of Level 3 will be mandatory for contractors that access CUI or generate CDI (Covered Defense Information)/CUI. Consistent with DFARS 252.204-7012, a business must (among other things) meet the security requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, in order to be certified at Level 3.
- Selection of Certification Levels for Different Contracts. Rather than implementing these certification requirements by issuing a regulation (as in the case of DFARS 252.204-7012), DoD states that it will – as a matter of policy – include certification as a Go/No-Go criterion for all DoD contracts. It is unclear how DoD will decide on the appropriate level of certification for a given contract, or whether the default will be to require higher certification levels.
- Applicability to COTS Products and Non-FAR Agreements. According to DoD, “[t]he working estimate for the number of organizations requiring CMMC certifications is 300,000, with a very high percentage of those companies in the micro-, small-, and mid-size range.”2 DoD has not addressed whether or how the requirement will apply to contracts for commercial products and services (as defined in the procurement statutes and regulations). The CMMC Draft Version 0.6 explains that the purpose of the certification requirement is to enforce existing DoD cybersecurity requirements. One such set of requirements, DFARS 252.204-7012, applies to all contracts except for those solely concerning the acquisition of commercially available off-the-shelf (COTS) products.3 If the CMMC requirement follows that same scope, it will impose significant compliance costs on commercial suppliers. Moreover, the requirement is arguably in tension with recent efforts of Congress, and the acquisition streamlining recommendations of the Section 809 Panel,4 to expand the use of commercial products and services by reducing obstacles to participation by commercial entities in DoD contracts.5 The impact of the growing use of commercial products and services in the defense sector and ongoing efforts by DoD to expand access to commercial technology through mechanisms that are not restricted by the Federal Acquisition Regulation (FAR) (such as the GSA NDAA Section 846 e-marketplace initiative and the growing use of Other Transaction Agreements) also are not addressed.
- C3PAO Role. On October 3, DoD issued a Request for Information (RFI) regarding the creation of a CMMC accreditation body, which will be charged with “managing, operating and sustaining the CMMC program, CMMC training, and evaluating and accrediting individual assessors and C3PAOs.”6 According to the RFI, this accreditation body will “complete all activities … using revenue generated through dues, fees, partner relationships, etc. with no additional funding or resources provided by the Government.” The RFI also indicates that the federal government will not have a contractual relationship with the accrediting body but rather will manage its relationship with it through a Memorandum of Understanding. Each certification assessment “will be conducted by a credentialed independent assessor working for an accredited C3PAO under the oversight of the CMMC accreditation body.”
- Timing. DoD expects to publish the final version of the full CMMC framework in January 2020. According to a Q&A published by DoD, industry should begin to see the CMMC requirements in June 2020.
- Supply Chain Implications. The certification requirement likely will have significant supply chain implications. The DoD Q&A states that “all companies doing business with the Department of Defense,” including subcontractors, will be subject to the certification requirement. However, DoD has not yet issued any guidance regarding the level of certification required for subcontractors (including acquisitions from purely commercial entities) or the role of a prime contractor with respect to entities in lower tiers.
- Compliance Costs. DoD states that the costs of compliance with CMMC will be allowable under the applicable FAR principles, although this concession will not benefit businesses that contract with DoD based on fixed prices.
Over the past several years, government contractors and the federal government itself have been targeted by a series of high profile and costly cybersecurity intrusions. For example, the Office of Personnel Management hack announced in 2015 exposed confidential personal information of over 20 million people.7 Foreign adversaries also have exfiltrated sensitive information by targeting defense contractors.8 Such breaches have raised significant security concerns and led to calls for increased scrutiny and requirements for entities that have access to government networks and information.
In 2015, the National Institute of Standards and Technology (NIST) issued Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which outlines 110 security controls to be implemented by government contractors that transmit or store CUI. CUI is an expansive concept that encompasses an extensive array of unclassified government information (see the published list of CUI Categories).
Shortly afterward, the federal government issued three regulations of significance for government contractors:
- In May 2016, the FAR was amended to include a new subpart and contract clause governing basic safeguarding of contractor information systems that process, store, or transmit Federal Contract Information (FCI). This rule is codified in FAR Subpart 4.19, with a corresponding contract clause in FAR 52.204-21.
- Later in 2016, the National Archives and Records Administration issued a final rule for managing controlled unclassified information.9
- Finally, in October 2016, DoD issued a final DFARS Rule – codified in DFARS 252.204-7008 and -7012 – for contractors that handle CDI. Most notably, the rule requires contractors to “provide adequate security on all covered contractor information systems,” which includes “at a minimum” implementation of NIST SP 800-171 and requires contractors to report any “cyber incident” within 72 hours.
Despite these efforts, cybersecurity continues to pose a significant challenge to the federal government and the private sector, including the DIB. For example, in February 2018, the White House concluded that “malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.”10 The introduction of CMMC Draft Version 0.6 reiterates this concern, noting that “[t]he theft of hundreds of billions of dollars of intellectual property (IP) due to malicious cyber activity threatens the U.S. economy and national security.” Moreover, “[t]he sharing of FCI and CUI with DIB sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary.”
DFARS 252.204-7012 does not impose an oversight or verification requirement but relies for compliance on contractor self-certification – and the threat of False Claims Act (FCA) liability and debarment for “knowing” false certification. As the CMMC Draft Version 0.6 explains, concern about the continued vulnerability of contractor intellectual property and sensitive DoD information to exfiltration prompted DoD to use certification to verify compliance. Additionally, DoD hopes that the creation of a uniform certification framework that applies to all DoD contractors will address the confusion in the contractor community regarding the requirements for compliance with the various DoD cybersecurity regulations.
The CMMC Framework:
The CMMC was created to provide a unified cybersecurity standard for all DoD acquisitions to reduce the risk of exfiltration of CUI from the DIB. Unlike DFARS 252.204-7012, which relies predominantly on NIST SP 800-171, CMMC incorporates cybersecurity standards and best practices from a variety of sources, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS 993, CIS Critical Security Controls 7.1, and the CERT Resilience Management Model®. The CMMC model framework includes the following:
- The CMMC model framework consists of 17 domains, which are “key sets of capabilities for cybersecurity” based on cybersecurity best practices. These domains are roughly based on the NIST SP 800-171 “control families” and include:
- Access Control, Asset Management, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Assessment, Security Assessment, Situational Awareness, System and Communications Protection, and System and Information Integrity. (The Asset Management and Situational Awareness domains were not among the 14 NIST SP 800-171 security requirement families.)
- Each domain, in turn, includes various capabilities,11 which DoD describes as “achievements to ensure cybersecurity within each domain.”
- Finally, each capability consists of a series of practices and processes, which are mapped to CMMC Levels 1 through 5. Practices are the activities performed at each level within the domain, while processes measure how thoroughly those practices have been institutionalized within the organization.
- Each CMMC level introduces additional practices and incorporates the practices required at previous CMMC levels.
- At Levels 1 and 2, organizations may be provided with FCI, which is information not intended for public release. However, organizations that require or generate CDI/CUI must certify at Level 3 or above.
The following is a summary of the description of each of the CMMC levels provided by Draft Version 0.6:
- Level 1: Focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 C.F.R. § 52.204-21.
- Level 2: Focuses on intermediate cyber hygiene, creating a maturity-based progression for organizations to move from Level 1 to 3. This more advanced set of practices gives the organization greater ability to both protect and sustain its assets against more cyber threats as compared to Level 1.
- Level 3: An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. CMMC Level 3 indicates a basic ability to protect and sustain an organization’s assets and CUI. However, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs).
- Levels 4 and 5: An organization assessed at CMMC Levels 4 and 5 has a substantial and proactive cybersecurity program. The organization has the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs.
To provide a sense of the magnitude of these requirements, Level 1 includes 17 practices; Level 2 incorporates 58 additional practices (for a total of 75); Level 3 incorporates 56 additional practices (for a total of 131); Level 4 incorporates 62 additional practices (for a total of 193); and Level 5 incorporates 26 additional practices (for a total of 219).
CMMC Draft Version 0.6:
CMMC Draft Version 0.4 elicited over 2,000 comments from industry participants. Draft Version 0.6 includes the following changes from Version 0.4:
- Number of domains reduced from 18 to 17, with the elimination of the “Cybersecurity Governance” domain.
- Consolidation of practices. For instance, Level 3 under Version 0.4 included 241 practices, whereas Level 3 under Version 0.6 includes 131 practices.
- More detailed descriptions of Levels 1 through 3. DoD is still processing comments with regard to Levels 4 and 5 and will presumably provide more detail when it issues the final version in January 2020.
- A new Appendix B, which provides discussion and clarifications for the CMMC Level 1 practices that map to the safeguarding requirements specified in 48 C.F.R. § 52.204-21 Basic Safeguarding of Covered Contractor Information Systems and the associated security requirements in NIST SP 800-171 Rev 1.
- Introduction of a glossary of key terms. Although these definitions are consistent with the ones set forth in DFARS 252.204-7012, the glossary also defines terms that are not included in this DFARS provision.
Remaining Issues and Concerns for Contractors:
- Supply Chain Management. DoD makes clear, in the Q&A referenced above, that a certain amount of flow down is to be expected: “CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain.”
- However, it is unclear to what extent and at which level the CMMC certification requirements will flow down to subcontractors and whether they also will apply to open-market transactions. One possibility is that for larger contracts, the level of CMMC certification required will vary by function.
- In circumstances where a prime must certify at a higher level than some of its subcontractors, it is not clear what requirements will exist regarding the flow of information needed for performance. For example, if a lower-tier subcontractor is providing a component that will function in a prime contractor’s system, how will the specific requirements be transmitted to the subcontractor such that the component will function appropriately? How will suppliers of commercial technology, products, and services (sold in the open market) be addressed?
- Can the CMMC Level Determination Be Disputed? It is unclear how DoD or contracting officers will determine which level of CMMC certification will be required for a particular procurement. Where a requirement is unreasonable and restricts competition, challenges are likely.
- C3PAO Process/Appeal. It is unclear how the certification process will operate, how certification requirements will be established, and whether an offeror or contractor may appeal in the event the C3PAO declines to certify at a particular level. Is the C3PAO determination subject to challenge if relied upon by DoD for use in its procurements and contracts? Since the DoD will not be in privity of contract with any of the C3PAOs, it is likely that any litigation involving the C3PAOs will be in federal district court and not before the GAO or Court of Federal Claims.
- Timeline for Certification. It is unclear when the certification requirements will become effective and whether they will all become effective at the same time. For instance, DoD is taking much longer to develop the standards for Levels 4 and 5, so it is possible DoD might require certification for Levels 1-3 before introducing Levels 4-5. Additionally, DoD has not yet determined the duration of certification or how often re-certification will be required.
- FCA Exposure. Assuming a contractor can be in full compliance, will CMMC certification create a safe harbor against FCA claims, e.g., if an intrusion occurs nevertheless?
1 Although the CMMC framework would require “all contractors and subcontractors” to obtain certification, the application of the certification requirement to non-DoD acquisition vehicles and open-market purchases is unclear. For example, DoD buyers acquire products and services through other contract vehicles, such as the GSA Schedules and civilian agency Government-wide Acquisition Vehicles (GWACs). In addition, federal agencies spend approximately $6 billion per year on open-market transactions through micro-purchase methods, including government purchase cards. See Jessie Bur, “How GSA plans to capture $6B in under-the-radar spending,” Federal Times (Oct. 18, 2019), https://www.federaltimes.com/acquisition/2019/10/18/how-gsa-plans-to-capture-6b-in-under-the-radar-spending/.
4 The Section 809 Panel, established in the FY 2016 National Defense Authorization Act, was charged with, among other things, providing recommendations to streamline and improve the efficiency and effectiveness of the defense acquisition process and maintain the U.S. defense technology advantage. The Panel’s three-volume final report contains 98 recommendations, including changing DoD procurement to allow acquisition of “readily available” products and services in the same manner as a private sector buyer. See Report of the Advisory Panel on Streamlining and Codifying Acquisition Regulations, Volume 3 (Jan. 2019), Executive Summary, at EX-2, available at https://section809panel.org/wp-content/uploads/2019/01/Sec809Panel_Vol3-Report_JAN19_part-1.pdf.
5 For instance, the NDAAs for fiscal years 2017, 2018, and 2019 all contained provisions either specifying that certain laws and regulations do not apply to commercial products and services and COTS or requiring DoD to review all contract clauses that apply to commercial products, services, and COTS, with the aim of eliminating unnecessary requirements. See, e.g., NDAA for FY 2019 (Pub. L. 115-232), sections 836-839; NDAA for FY 2018 (Pub. L. 115-91), sections 846-849; and NDAA for FY 2017 (Pub. L. 114-328), sections 871-880.
7 Julie Hirschfeld Davis, “Hacking of Government Computers Exposed 21.5 Million People,” N.Y. Times (July 9, 2015), https://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html. According to OPM, every person given a Government background check for the prior 15 years was probably affected. Id.
8 See, e.g., Ellen Nakashima and Paul Sonne, “China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare,” Washington Post (June 8, 2018), https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html; Jeff Daniels, “Chinese theft of sensitive US military technology is still a ‘huge problem,’ says defense analyst,” CNBC (Nov. 9, 2017), https://www.cnbc.com/2017/11/08/chinese-theft-of-sensitive-us-military-technology-still-huge-problem.html.
10 White House Council of Economic Advisers, “The Cost of Malicious Cyber Activity to the U.S. Economy,” at 1 (Feb. 2018), https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf.
11 For instance, the “Access Control” domain includes the following capabilities: (i) Establish system access requirements, (ii) Control internal system access, (iii) Control remote system access, and (iv) Limit data access to authorized users and processes. The “Awareness and Training” domain includes the following capabilities: (i) Conduct security awareness activities, and (ii) Conduct training. Certain domains and capabilities are required only at higher CMMC Levels. For instance, the “Awareness and Training” domain does not apply at all until Level 2.