A. Introduction and Key Take-Aways

The Department of Defense's (DOD) Cybersecurity Maturity Model Certification (CMMC) program provides a metric for independent third parties to use in assessing and certifying the progress of the approximately 300,000-350,000 contractors and subcontractors in DOD's supply chain towards adequate cyber safeguarding of confidential information, including controlled unclassified information (CUI), located on their information systems. The CMMC program is intended to supplement, and not supersede, the existing cybersecurity requirements of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), including DFARS clause 252.204-7012, which incorporates the information security standards and controls of NIST SP 800-171. Implementation of CMMC will affect DOD contractors and subcontractors in many ways, but its greatest impacts will be on cost, conflicts and competition. This article examines the impact that CMMC will have on each of these areas. In particular:

  • Cost. DOD officials have stated publicly that CMMC costs are allowable, but that statement is too broad for contractors to rely on. To begin with, there is a wide range of costs that could be considered "CMMC costs," from the fees the contractor pays a third party to assess the maturity level of its information systems to the labor, software, professional and IT investment costs necessary to raise the maturity level of those systems to the desired CMMC level. The allowability of these costs depends on a number of factors, including the nature and amount of the costs, the manner in which the contractor has accounted for them and similar costs in the past, and the method for allocating such costs to government contracts. Furthermore, even if a particular contractor's CMMC costs are deemed allowable, the contractor may not be able to fully recover those costs due to competitive pressures and other factors.
  • Conflicts. Implementing CMMC will create potential conflicts of interest for most if not all participants in the program. Such participants include the third parties who will assess contractors' CMMC maturity levels, the members of the board of directors of the non-profit organization charged with training and accrediting those assessors, and the contractors and subcontractors seeking CMMC certification. Some of these potential conflicts of interest could be considered organizational conflicts of interest (OCIs) that, if not properly avoided, mitigated or waived, could form the basis for bid protests.
  • Competition. DOD intends to make certification at a specified CMMC maturity level a "go/no go" evaluation factor in future procurements. This will likely limit the ability of some firms, particularly small businesses, to compete for DOD contracts and subcontracts. DOD's authority to condition eligibility for award on certification at a particular CMMC maturity level is likely to be upheld as a reasonable restriction on competition in light of the national security imperative to enhance supply chain cybersecurity. However, the manner in which DOD applies the CMMC certification requirement in a particular procurement, as for example in determining which proposed subcontractors must be certified to which CMMC levels, is likely to be challenged in particular procurements as unduly restrictive of competition or otherwise unreasonable. In addition, it is unclear what role CMMC certifications will play in determinations of the responsibility or non-responsibility of particular offerors.

B. Background

  1. The DFARS Cyber Rule

    The DFARS has, since 2013, imposed mandatory information security and cyber incident reporting requirements on DOD contractors and subcontractors. These requirements are currently found in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Dec. 2019) (DFARS–7012),[1] and related DFARS clauses and provisions. DFARS–7012 is mandatory for all DOD prime contracts except contracts for commercial-off-the-shelf (COTS) items.[2]

    DFARS–7012 requires the contractor to provide "adequate security" for all "covered contractor information systems."[3] Adequate security is defined to mean "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information."[4] Adequate security requires at a minimum that the contractor implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."[5] The contractor "shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017."[6]

    DFARS–7012 requires application of the NIST 800-171 standards to a "covered contractor information system," which is defined to mean "an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information."[7] Covered defense information (CDI) is defined as "unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/CUI/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies, and is —

    (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DOD in support of the performance of the contract; or

    (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract."[8]

Footnotes

[1] Title 48 Code of Federal Regulations (CFR) Part 252.204-7012 (2020), https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012.

[2] See DOD, Cybersecurity FAQs, Q1: When is DFARS clause 252.204-7012 required in contracts? Is the clause required in contracts for commercial items? Commercially available off-the-shelf (COTS) items?, https://dodprocurementtoolbox.com/faqs/cybersecurity/cybersecurity-faqs (last accessed May 22, 2020).

[3] DFARS -7012(a) and (b).

[4] Id. -7012(a).

[5] https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.

[6] DFARS -7012(b)(2)(ii)(A).

[7] Id. -7012(a).

[8] Id. (emphasis added).

Originally published 4 June, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.