The Department of Defense has taken another step towards definitizing the cybersecurity requirements applicable to all of its contractors beginning in 2020, in the form of Cybersecurity Maturity Model Certification.

The Department of Defense ("DoD") has taken another step towards definitizing the cybersecurity requirements applicable to all of its contractors beginning in 2020, in the form of Cybersecurity Maturity Model Certification ("CMMC"). The CMMC could be a positive step towards developing a unified standard for defense contractor cybersecurity, but it is critical that industry stakeholders provide substantive feedback on the various practices and processes the current draft proposes, to ensure that they are practicable, that they are likely to produce the desired effects, and that they clearly articulate DoD's expectations.

Furthermore, the benefit to contractors of such a unified standard will be necessarily bounded unless and until the civilian agencies undertake a similar effort to streamline cybersecurity requirements.

BACKGROUND

As defense contractors are well aware, cybersecurity requirements applicable to defense procurements have long been an important issue. DFARS 252.204-7012, which required full implementation of the National Institute of Standards and Technology's Special Publication 800-171 ("NIST SP 800-171") by December 31, 2017, generally requires that defense contractors comply with NIST SP 800-171 in "safeguarding" enumerated defense information and that they report cyber incidents. But it has become increasingly clear not only that compliance with NIST SP 800-171 is complex, but also that reliance on NIST standards alone may not prevent high-profile security incidents, let alone provide DoD with a readout on the cybersecurity maturity of its defense industrial base.

The multiplicity of available standards—applied to varying degrees by different federal agencies—has also long frustrated industry. Challenges with delineating which standards apply and how to comply with each confound even the most experienced contractors, and may serve as a barrier to entry for small businesses and other companies entering the federal marketplace for the first time.

To resolve these concerns, in 2019 DoD announced the development of the CMMC, which aims to "assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB)"1 by "reduc[ing] exfiltration of Controlled Unclassified Information (CUI)."2 The CMMC will combine the existing alphabet soup of security standards—including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933—into a unified standard for defense contractor cybersecurity.3

DoD has stated that "[u]nlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity" and "[i]n addition to assessing the maturity of a company's implementation of cybersecurity controls, the CMMC will also assess the company's maturity/institutionalization of cybersecurity practices and processes."4 Notably, the CMMC will build upon these existing regulations and standards by adding a verification component to identified cybersecurity practices.5

Originally published in Pratt's Government Contracting Law Report, January 2020, Vol. 6, No. 1.

Footnotes

* Charles A. Blanchard (charles.blanchard@arnoldporter.com), a partner at Arnold & Porter Kaye Scholer LLP, works with clients in the contracting and national security communities, providing unique insights into doing business with the federal government. Ronald D. Lee (ronald.lee@arnoldporter.com) is a partner at the firm advising and representing clients in national security, cybersecurity and privacy, and government contracts matters. Sonia Tabriz (sonia.tabriz@arnoldporter.com) is an associate at the firm advising clients regulated by and performing work for the federal government across a variety of industries. Amanda J. Sherwood (amanda.sherwood@arnoldporter.com) is an associate at the firm focusing on a wide range of government contracts matters. Trevor Schmitt, a graduate of Georgetown University Law Center who is employed at the firm but not admitted to the practice of law in Washington, D.C., contributed to this article.

1 OFFICE OF THE UNDER SEC'Y OF DEF. FOR ACQUISITION & SUSTAINMENT, CYBERSEC. MATURITY MODEL CERTIFICATION, CMMC Frequently Asked Questions (FAQ's), Question 5, https://www.acq.osd.mil/cmmc/faq.html.

2 OFFICE OF THE UNDER SEC'Y OF DEF. FOR ACQUISITION & SUSTAINMENT, DRAFT CMMC MODEL REV 0.4 Release & Request for Feedback Overview 4 (Sept. 2019) (hereinafter "CMMC REV 0.4 OVERVIEW"), https://www.acq.osd.mil/cmmc/docs/cmmc-overview-brief-30aug19.pdf.

3 CMMC Frequently Asked Questions (FAQ's), supra note 1, at Question 8.

4 CMMC Frequently Asked Questions (FAQ's), supra note 1, at Question 9.

5 CMMC REV 0.4 OVERVIEW, supra note 2, at 5.