CMMC - Tips for Bidding on Government Contracts

INFOTECH

Commentary: CMMC - Tips for Bidding on Government Contracts

11/23/2020
By Susan Warshaw Ebner and Rolando R. Sanchez

iStock illustration

The Defense Department released on Sept. 29 its highly anticipated interim rule, which amends the Defense Federal Acquisition Regulation Supplement by including three new clauses that implement a mandatory DoD Assessment Methodology and adherence to the Cybersecurity Maturity Model Certification (CMMC) program.

The purpose of the new rule is to give teeth to DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which requires that contractors protect certain controlled unclassified information. The interim rule was to take effect Nov. 30 and is likely to be issued as a final rule with some tweaks based on comments submitted and experience with it in practice.

Immediately after the rule’s publication, the National Defense Industrial Association planned a four-part series of tabletop webinars to illustrate a hypothetical contractor’s efforts to achieve compliance under the existing and interim DFARS cybersecurity clauses. The purpose of the series is to bring key stakeholders together in a practical format where they can troubleshoot common implementation questions faced by contractors.

The series is set to take the contractor through self-assessment, preparation for basic assessment and future CMMC compliance, bid proposal, contract award, performance and performance/compliance challenges.

The first event in the series took place Oct. 22 and featured panelists from the Pentagon’s office of the undersecretary of defense for acquisition and sustainment, the CMMC accreditation board, industry members from large and small contractor communities, and a cybersecurity service provider.

The audience of the initial exercise were asked poll questions to assess their current status with respect to the new cyber standards.

Question one was: “When do you project that your company will conduct a basic assessment per the new DFARS interim rule?”

Twenty-four percent of respondents stated that they had already completed this assessment, 35 percent responded “early 2021,” and 26 percent were not sure. As of Nov. 30, contractors subject to DFARS 252.204-7012 must conduct at least a basic assessment of the state of their compliance with NIST SP 800-171 and enter it in the Supplier Performance Risk System.

Where solicitations include the DFARS clauses, contractors must be in compliance at the time of contract award. No waivers are expected to be given.

The second question was: “Assuming that a third-party certification process is activated, what is your projection for your company to achieve CMMC Level 3?”

Forty-one percent of respondents stated that they projected Level 3 by mid-to-late 2021, 25 percent projected early 2021 and 28 percent were not sure.

Under the CMMC program, solicitations may specify CMMC Level 1 (low) through 4 or 5 (high), with Level 3 (medium) containing the NIST SP 800-171 security requirements, fortified with additional practices and procedures, and mandating current compliance. A slow rollout of the CMMC is expected, with full implementation by 2025.

Contractors who achieve compliance with NIST SP 800-171 security requirements will be well positioned to be CMMC Level 3 certified. Medium and high-level assessments are not self-assessments — unlike the rule’s basic assessment — but assessments will be conducted by the Defense Contract Management Agency.

The panelists provided several comments which shed light on how contractors should approach self-assessment requirements under the interim rule. Contractors need to be familiar with the DFARS interim rule and start basic assessments now. The core of CMMC is the same NIST SP 800-171 requirements included in DFARS clause 252.204-7012, which implement the 110 NIST SP 800-171 requirements. If a contractor does not have a full score of 110 now, it is understood that they can use the system security plan (SSP) and plan of actions and milestones (POA&M) to reach 110.

CMMC will be a phased rollout. Since no POA&Ms or waivers will be allowed to implement CMMC requirements, implementing the current DFARS 7012 now will put contractors in a great position to adopt CMMC.

Companies are encouraged to follow the template SSP that is included in NIST 800-171A.

Contractors may have multiple domains or systems. One best practice for CMMC compliance, if a contractor can do it, is to make sure their whole system is secured as there is going to be a value-add there.

Another best practice takeaway is to remember the government/auditors are going to take a hard look at what is submitted as the self-assessment. To avoid exposure to a potential False Claims Act violation, be diligent in preparing a self-assessment.

The government has not announced the CMMC level that will apply to specific procurements.

There are already companies out there claiming to do CMMC consulting, but they may lack experience or expertise.

Controls above Level 3 may be expensive to implement and are anticipated to be rare. Level 3 is where many contracts are expected to land, and that level will prepare contractors for higher levels if needed.

Implementation of CMMC will be an allowable cost, included in applicable cost pool for proportionate recovery under contracts. However, the government expects contractors to have already implemented all 110 controls in NIST SP 800-171 and does not intend to pay for those costs in CMMC-covered procurements. ND

Susan Warshaw Ebner is a partner at Stinson LLP, and Rolando Sanchez of the Law Offices of Rolando R. Sanchez PLLC are co-chairs of the Cyber Legal Policy Committee, NDIA Cybersecurity Division.

Topics: Infotech

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Commentary: CMMC - Tips for Bidding on Government Contracts

Related Articles

Tech Industry Warns Defense Policies Threaten to Stifle Innovation

Navy Ponders Legal Implications of Deploying Maritime Robots

Cyberspace Executive Order Skirts Mandates on Private Sector

Comments (0)