Addressing Solicitation, Contract Performance After CMMC
Many of the questions surrounding the Defense Department’s Cybersecurity Maturity Model Certification program have centered around how it will be rolled out and how contractors will be certified.
Similarly, questions surround the implementation of the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule on cybersecurity.
That rule implements three clauses, DFARS 252.204-7019, -7020 and -7021. It centers on achieving compliance with the required controlled unclassified information (CUI) security controls and protections for covered contractor information systems under DFARS 252.204-7012 and NIST SP 800-171, as well as on implementing CMMC and complying with its additional requirements.
In the near term, contractors are scrambling to gain answers to what they need to do to comply and be certified at the proper level to remain competitive and more secure against adversaries. However, a practical question remains: what happens after compliance is achieved and a contract is awarded?
The above question was the theme of a recent tabletop exercise webinar hosted by the Cyber Legal Policy Committee of the National Defense Industrial Association’s Cybersecurity Division. Key stakeholders from government and industry gathered to freely discuss how contractors should plan for the new normal, where the contractors’ present compliance with cybersecurity security controls must be considered in making awards and continuing performance of defense contracts. The audience was also polled to gauge these government contractors’ level of knowledge and planning under different scenarios.
The tabletop followed a fictional company that had conducted a basic assessment under the DFARS Interim Rule and gone through CMMC program certification. The company bid on its first contract and intended to use subcontractors in performing it.
The first polling question concerned whether and when subcontractors’ basic assessment scores were to be submitted under the DFARS Interim Rule. Some 41 percent of audience members agreed that basic assessment information is due when the proposal is initially submitted.
The ensuing panel discussion indicated general agreement with this position, but emphasized that the prime contractor needs to determine whether the subcontractor will receive CUI, and at what level, when flowing down the clause and determining subcontractor requirements. All agreed that the actual answer depends on the solicitation and its instructions. If the solicitation is ambiguous as to whether CUI is involved or what the requirements are, potential bidders or offerors should seek timely clarification before responding to the solicitation.
There appears to be less certainty among contractors regarding the handling of CMMC certification requirements for subcontractors. Only 31 percent believed that this information is due at proposal submission, and 29 percent believed that it is due at contract award.
The panel discussion again emphasized that the solicitation would dictate, but generally agreed that it is better to know the status and level of compliance of a potential subcontractor. This discussion confirmed that vetting a supply chain — ensuring companies are using subcontractors and suppliers that meet needs and satisfy solicitation requirements — will help avoid problems of bid rejection or potential performance noncompliance in the future.
When the fictional company progressed from bid to award, the panel tackled the question of how frequently contractors need to conduct cybersecurity self-assessments during contract performance. A plurality of the audience — 36 percent — believed that self-assessments should be conducted per the company’s risk assessments and best practices. Other audience members believed that self-assessments should be ongoing (30 percent) or conducted once a year (23 percent).
The expert panel agreed that in order for contractors to maintain their cybersecurity, they need to address new and emerging threats.
Accordingly, the better practice would be for contractors to conduct ongoing self-assessments.
While cost and manpower considerations may make constant surveillance impractical for some contractors, vigilance and remediation of identified risks are important for contractors at all levels.
Best practices in this area are evolving. For example, the concept of “zero trust” — not trusting anything inside or outside your networks and systems by default — is more accepted today than in the past. In this regard, there is movement to find out more about the who, what and where of the systems, applications and software used by contractors. Vetting the cyber supply chain is part of a sound cyber hygiene plan.
The tabletop amplified the need to discuss what happens next once a basic assessment has been performed and filed in the Supplier Performance Risk System (SPRS), and CMMC certification is pursued.
The basic assessment and Cybersecurity Maturity Model Certification are not going to be the end of the road for government contractors and their supply chains. Rather, they are a marker on the road ahead for contractors to implement and maintain adequate cybersecurity.
The NDIA Law and Policy Committee’s next planned tabletop webinar will address the issue of cyber incident response. How do you know when you have a cyber incident to report and what do you do?
Susan Warshaw Ebner is a partner at Stinson LLP and chairs its Government Contracts and Investigations practice group. Rolando Sanchez is the owner and principal of the Law Office of Rolando R. Sanchez PLLC. Together, they co-chair the NDIA Cyber Legal Policy Committee.