GOVERNMENT CONTRACTING INSIGHTS DEFENSE CONTRACTING
Pentagon Updating Cybersecurity Guidance
In December, the Defense Department released a new draft of its Cybersecurity Maturity Model Certification, or CMMC, an important guide for contractors.
Given the expected release of Version 1.0 of the CMMC framework in late January 2020, it is likely that the requirements in this draft will closely resemble those that will serve as the basis for the first contractor audits.
The two most significant updates are the addition of “practices” for obtaining Level 4 and 5 certifications, and an expansion of the “clarifications” section, which now covers the requirements of Levels 2 and 3 of the model, in addition to Level 1.
It retains the matrix format that we have seen in prior versions, composed of “domains,” “capabilities,” “practices” and “processes.”
Each domain consists of multiple capabilities, and each capability consists of multiple practices. Capabilities are general achievements to ensure cybersecurity objectives are met within each domain. Practices more specifically outline the technical requirements necessary to achieve compliance with a given capability, while processes measure how well practices have been implemented across a contractor’s business.
Version 0.7 now contains what we expect to be a near-final set of practices necessary for obtaining Level 4 and 5 certifications, and relegates all processes to a much-simplified table that is intended to apply across all domains.
The requirements in Levels 4 and 5 are greatly consolidated. However, they still represent a significant set of compliance obligations that contractors must follow in order to perform work on contracts designated at either of these two certification levels.
Level 4 now incorporates 13 controls set forth in the draft NIST SP 800-171B, and Level 5 certification includes requirements for an additional five controls from draft NIST SP 800-171B.
Levels 4 and 5 continue the practice of including multiple controls for certain practices, thereby increasing the possibility of conflicting guidance. Moreover, standards that are pulled from NIST SP 800-171B in some cases appear to have been incorporated into the CMMC on a modified or a partial basis. For this reason, even those contractors that have implemented sophisticated cybersecurity controls in line with the standards set forth in NIST publications should closely review how these requirements and others have been described in the CMMC to ensure that they will be compliant with all applicable practices at the time that they undergo an audit.
Perhaps the most helpful update for contractors is the inclusion of new clarification sections for Level 2 and 3 practices, in addition to new clarifications of processes. These sections include brief discussions of the requirements, clarifications to further explain Defense Department expectations, and in some cases, examples that describe scenarios where compliance is appropriately demonstrated within an organization.
The inclusion of clarifications for Level 3 in this draft is an unexpected but welcome addition.
We expect that these clarifications will be vital to understanding and interpreting the very brief and limited descriptions of practices and processes that are set forth in the matrix itself. Indeed, one of the new process clarifications applicable to process maturity Level 2 describes minimum elements that policy statements from a contractor’s senior management should contain to appropriately document security requirements that are applicable to the network. Contractors should be mindful to read the CMMC as a whole to ensure they do not encounter unexpected issues during their third-party audits.
Thus far, the Defense Department has adopted a regular cadence for updating and revising the CMMC. Although we would expect to see more additions to the model in the future — potentially including an expansion of the clarification section to cover the newly added Level 4 and 5 requirements — the model is nearing a ready-to-release format.
As of press time, it appears likely that the department will meet its January 2020 release date target for Version 1.0.
Contractors should continue to take steps to implement all requirements, as implementation may represent a significant effort, requiring input not just from an organization’s information technology and legal departments, but from an organization’s senior management.
The Pentagon has expressed a desire to revise the model on a continuous basis to rapidly address new and evolving threats. Thus, any contractors that are left playing catch up at the time that the department begins including certification requirements in its request for proposals in fall 2020 will have a difficult time staying ahead of the curve as the model continues to evolve.
A number of questions persist, including: how the Defense Department and its auditors will handle the immediate influx of contractors requiring certifications; the specific criteria for determining the certification level necessary to perform a contract; how the department and its accreditation body will ensure consistency of third-party audits; and how it will address the impact on commercial item and small business contractors, which ordinarily do not obtain significant cost recovery under reimbursable contracts with the government. Industry should stay well-informed of further developments in this area.
Ryan Burnette is an associate, Susan Cassidy is a partner and Samantha Clark is special counsel at Covington & Burling LLP.