Commentary: CMMC - Tips for Bidding on Government Contracts
The Defense Department released on Sept. 29 its highly anticipated interim rule, which amends the Defense Federal Acquisition Regulation Supplement by including three new clauses that implement a mandatory DoD Assessment Methodology and adherence to the Cybersecurity Maturity Model Certification (CMMC) program.
The purpose of the new rule is to give teeth to DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which requires that contractors protect certain controlled unclassified information. The interim rule was to take effect Nov. 30 and is likely to be issued as a final rule with some tweaks based on comments submitted and experience with it in practice.
Immediately after the rule’s publication, the National Defense Industrial Association planned a four-part series of tabletop webinars to illustrate a hypothetical contractor’s efforts to achieve compliance under the existing and interim DFARS cybersecurity clauses. The purpose of the series is to bring key stakeholders together in a practical format where they can troubleshoot common implementation questions faced by contractors.
The series is set to take the contractor through self-assessment, preparation for basic assessment and future CMMC compliance, bid proposal, contract award, performance and performance/compliance challenges.
The first event in the series took place Oct. 22 and featured panelists from the Pentagon’s office of the undersecretary of defense for acquisition and sustainment, the CMMC accreditation board, industry members from large and small contractor communities, and a cybersecurity service provider.
The audience of the initial exercise were asked poll questions to assess their current status with respect to the new cyber standards.
Question one was: “When do you project that your company will conduct a basic assessment per the new DFARS interim rule?”
Twenty-four percent of respondents stated that they had already completed this assessment, 35 percent responded “early 2021,” and 26 percent were not sure. As of Nov. 30, contractors subject to DFARS 252.204-7012 must conduct at least a basic assessment of the state of their compliance with NIST SP 800-171 and enter it in the Supplier Performance Risk System.
Where solicitations include the DFARS clauses, contractors must be in compliance at the time of contract award. No waivers are expected to be given.
The second question was: “Assuming that a third-party certification process is activated, what is your projection for your company to achieve CMMC Level 3?”
Forty-one percent of respondents stated that they projected Level 3 by mid-to-late 2021, 25 percent projected early 2021 and 28 percent were not sure.
Under the CMMC program, solicitations may specify CMMC Level 1 (low) through 4 or 5 (high), with Level 3 (medium) containing the NIST SP 800-171 security requirements, fortified with additional practices and procedures, and mandating current compliance. A slow rollout of the CMMC is expected, with full implementation by 2025.
Contractors who achieve compliance with NIST SP 800-171 security requirements will be well positioned to be CMMC Level 3 certified. Medium and high-level assessments are not self-assessments — unlike the rule’s basic assessment — but assessments will be conducted by the Defense Contract Management Agency.
The panelists provided several comments which shed light on how contractors should approach self-assessment requirements under the interim rule. Contractors need to be familiar with the DFARS interim rule and start basic assessments now. The core of CMMC is the same NIST SP 800-171 requirements included in DFARS clause 252.204-7012, which implement the 110 NIST SP 800-171 requirements. If a contractor does not have a full score of 110 now, it is understood that they can use the system security plan (SSP) and plan of actions and milestones (POA&M) to reach 110.
CMMC will be a phased rollout. Since no POA&Ms or waivers will be allowed to implement CMMC requirements, implementing the current DFARS 7012 now will put contractors in a great position to adopt CMMC.
Companies are encouraged to follow the template SSP that is included in NIST 800-171A.
Contractors may have multiple domains or systems. One best practice for CMMC compliance, if a contractor can do it, is to make sure their whole system is secured as there is going to be a value-add there.
Another best practice takeaway is to remember the government/auditors are going to take a hard look at what is submitted as the self-assessment. To avoid exposure to a potential False Claims Act violation, be diligent in preparing a self-assessment.
The government has not announced the CMMC level that will apply to specific procurements.
There are already companies out there claiming to do CMMC consulting, but they may lack experience or expertise.
Controls above Level 3 may be expensive to implement and are anticipated to be rare. Level 3 is where many contracts are expected to land, and that level will prepare contractors for higher levels if needed.
Implementation of CMMC will be an allowable cost, included in applicable cost pool for proportionate recovery under contracts. However, the government expects contractors to have already implemented all 110 controls in NIST SP 800-171 and does not intend to pay for those costs in CMMC-covered procurements. ND
Susan Warshaw Ebner is a partner at Stinson LLP, and Rolando Sanchez of the Law Offices of Rolando R. Sanchez PLLC are co-chairs of the Cyber Legal Policy Committee, NDIA Cybersecurity Division.