Addressing Solicitation, Contract Performance After CMMC

VIEWPOINT CYBERSECURITY

Addressing Solicitation, Contract Performance After CMMC

6/2/2021
By Susan Warshaw Ebner and Rolando R. Sanchez

iStock illustration

Many of the questions surrounding the Defense Department’s Cybersecurity Maturity Model Certification program have centered around how it will be rolled out and how contractors will be certified.

Similarly, questions surround the implementation of the Defense Federal Acquisition Regulation Supplemental Interim Rule on cybersecurity.

That rule implements three clauses, DFARS 252.204-7019, 7020 and 7021, and centers on achieving compliance with required controlled unclassified information (CUI) security controls and protections for covered contractor systems pursuant to DFARS 252.204-7012 and NIST SP 800-171, as well as the implementation of CMMC and compliance with its additional requirements.

In the near term, contractors are scrambling to gain answers to what they need to do to comply and be certified at the proper level to remain competitive and more secure against adversaries. However, a practical question remains: what happens after compliance is achieved and a contract is awarded?

The above question was the theme of a recent tabletop exercise webinar hosted by the Cyber Legal Policy Committee of the National Defense Industrial Association’s Cybersecurity Division. Key stakeholders from government and industry gathered to freely discuss how contractors should plan for the new normal, where the contractors’ present compliance with cybersecurity security controls must be considered in making awards and continuing performance of defense contracts. The audience was also polled to gauge these government contractors’ level of knowledge and planning under different scenarios.

The tabletop followed a fictional company, which had conducted a basic assessment under the DFARS Interim Rule and gone through CMMC program certification. The company bid on its first contract, and for performance intended to use subcontractors.

The first polling question concerned whether and when subcontractors’ basic assessment scores were to be submitted under the DFARS Interim Rule. Some 41 percent of audience members agreed that basic assessment information is due when the proposal is initially submitted.

The ensuing panel discussion indicated general agreement with this position, but emphasized that the contractor needs to determine whether the subcontractor will receive CUI and the level when flowing down the clause and determining subcontractor requirements. All agreed that the actual answer is dependent on the solicitation and its instructions. If the solicitation is ambiguous as to whether there is CUI or what the requirements are, then potential bidders or offerors should seek timely clarification prior to responding to the solicitation.

There appears to be less certainty among contractors regarding the handling of CMMC certification requirements for subcontractors. Only 31 percent believed that this information is due at proposal submission, and 29 percent believed that it is due at contract award.

The panel discussion again emphasized that the solicitation would dictate, but generally agreed that it is better to know the status and level of compliance of a potential subcontractor. This discussion confirmed that vetting a supply chain — ensuring companies are using subcontractors and suppliers that meet needs and satisfy solicitation requirements — will help avoid problems of bid rejection or potential performance noncompliance in the future.

When the fictional company progressed from bid to award, the panel tackled the question of how frequently contractors need to conduct cybersecurity self-assessments during contract performance. A plurality of the audience — 36 percent — believed that self-assessments should be conducted per the company’s risk assessments and best practices. Other audience members believed that self-assessments should be ongoing (30 percent) or conducted once a year (23 percent).

The expert panel agreed that in order for contractors to maintain their cybersecurity, they need to address new and emerging threats.

Accordingly, the better practice would be for contractors to conduct ongoing self-assessments.

While there are cost and manpower considerations which may make constant surveillance impractical for some contractors, vigilance and remediation of identified risks is important for contractors at all levels.

Best practices in this area are evolving. For example, the concept of “zero trust” — not to trust anything inside or outside your networks and systems — is more accepted today than in the past. In this regard, there is movement to find out more about the who/what/where of the systems, applications and software used by contractors. Vetting the cyber supply chain is part of a sound cyber hygiene plan.

The tabletop amplified the need to discuss what happens next once a basic assessment has been performed and filed in the supplier performance risk system, and CMMC certification is pursued.

The basic assessment and Cybersecurity Maturity Model Certification are not going to be the end of the road for government contractors and their supply chains. Rather, they are a marker on the road ahead for contractors to implement and maintain adequate cybersecurity.

The NDIA Law and Policy Committee’s next planned tabletop webinar will address the issue of cyber incident response. How do you know when you have a cyber incident to report and what do you do?

Susan Warshaw Ebner is a partner at Stinson LLP and chairs its Government Contracts and Investigations practice group. Rolando Sanchez is the owner and principal of the Law Office of Rolando R. Sanchez PLLC. Together, they co-chair the NDIA Cyber Legal Policy Committee.

Topics: Cyber, Cybersecurity

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

Find an Article VIEW ALL ARTICLES