Contractors Scrambling to Scope New DoD Cyber Framework

March.06.2020

On January 30, 2020, the U.S. Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”) framework (CMMC overview; CMMC Version 1.0 and appendices). By 2026, DoD plans to require CMMC certification for all defense contracts. For companies looking to play a role – any role – in the defense industry supply chain, now is the time to develop, assess, and augment cybersecurity practices.

This alert provides an overview of how the CMMC affects current and prospective DoD contractors; how the DoD plans to implement the CMMC; and what you should be thinking about now to begin ramping up.

Protected Information

The CMMC framework is the DoD’s latest and most sweeping effort to protect the defense supply chain from malicious cyberattacks. DoD has introduced the CMMC as a verification mechanism to seek to ensure that its defense industrial base partners implement what DoD considers to be appropriate practices. The CMMC framework evaluates a company’s ability to safeguard the following types of unclassified information:

Federal Contract Information (“FCI”) – information provided by or generated for the Government under contract not intended for public release.
Controlled Unclassified Information (“CUI”) – information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information (December 29, 2009), or the Atomic Energy Act of 1954.[1]

Maturity Framework

The CMMC framework consists of five, cumulative levels of cybersecurity maturity. Within each maturity level are two types of benchmarks a company must meet to demonstrate achievement at that level:

Practices – the company must be able to implement enumerated cybersecurity measures for the particular level; and
Processes – the company must demonstrate the required Practices are ingrained into its operations to the extent required for the particular level (“institutionalization”).

Practices and Processes measure proficiency across a set of domains, such as access control, incident response, and risk management. DoD has scaled the Practices and Processes to each maturity level based on factors such as the type and sensitivity of information needing protection and the range of threats posed, among others. As the information sensitivity and adversarial threats involved in a contract increase, the DoD is to require a higher maturity level from bidding contractors. Level 1 is the most basic level of maturity, where a company may only perform certain security practices on an ad hoc basis. Level 2 is a transitional level of maturity and requires a company to have documented practices and policies in place as it prepares to protect CUI. Level 3 focuses on the protection of CUI and incorporates all NIST SP 800-171 standards, among other practices. Levels 4 and 5 require greater cybersecurity sophistication, including the ability to proactively measure and assess cybersecurity practices and take corrective action when necessary. To achieve certification at a higher level, a company must meet the requirements of all lower levels. The CMMC framework incorporates several existing standards and frameworks, such as the NIST 800-171r1, the forthcoming NIST 171-Bravo, AIA NAS9933, and ISO 270001.[2]

Maturity Level	Focus	Domain	Process	Practices (#)
1	Safeguard FCI	Access Control Asset Management Audit and Accountability Awareness and Training Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Recovery Risk Management Security Assessment Situational Awareness System and Communications Protection System and Information Integrity	Performed (Not Assessed by DoD) Company may only perform certain security practices in an ad hoc manner and may or may not rely on documentation.	Basic Cyber Hygiene (17) All safeguarding requirements from 48 CFR 52.204-21, Federal Acquisition Regulation (“FAR”), Basic Safeguarding of Contractor Information Systems.
2	Transition Step to Protect CUI		Documented Company has documentation enabling it to perform security practices more than once.	Intermediate Cyber Hygiene (72) Includes some NIST SP 800-171 requirements, plus other practices.
3	Protect CUI		Managed Establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.	Good Cyber Hygiene (130) Includes all NIST SP 800-171 requirements, plus other practices.
4	Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)		Reviewed Measure practices and take corrective action when necessary.	Proactive (156) Draft NIST SP 800-171B, and other best practices.
5			Optimizing Standardize and optimize process implementation across the organization.	Advanced / Progressive (171) Draft NIST SP 800-171B, and other best practices.

The CMMC Appendices provide a more in-depth look at the cybersecurity practices required at each Maturity Level. For each of the 172 identified Practices, DoD provides a “Discussion from Source” (the NIST, FAR Clause, or CIS, etc. providing the basis for the Practice requirement), a “CMMC Clarification” (additional discussion through practical examples), and “References” (citations to the applicable industry cybersecurity frameworks). Of special note is Appendix E, which provides a Source Mapping, showing how CMMC practices correspond to existing frameworks.[3]

DoD Press Conference

During a January 31, 2020, press conference, DoD emphasized the framework’s scalability and sought to quell concerns that the CMMC will disproportionately burden small and mid-sized businesses. Chief Information Officer for the Assistant Secretary of Defense for Acquisition and Sustainment, Katie Arrington, clarified that the CMMC level required for a prime contractor does not necessitate that same CMMC level for all subcontractors. For example, a prime contractor may require a Level 3 certification, but if the subcontractor does not handle CUI, then that subcontractor would only require a Level 1.[4]

CMMC Accreditation Process (Stay Tuned)

As DoD begins integrating CMMC requirements into defense contracts over the next five years, companies will need to be certified by Certified Third-Party Assessment Organizations (“C-3PAOs”). Earlier in January, an Accreditation Body (“AB”) made up of “unbiased parties” from across the cybersecurity community, including the defense industrial base and academia, was created to oversee the training, quality, and administration of the C-3PAOs. DoD is currently drafting a Memorandum of Understanding (“MOU”) with the AB, which will outline its roles and responsibilities. Conflicts of interest will be of primary concern to ensure that auditors cannot review their own company. DoD is currently working to select third-party certification vendors, though none has been designated as qualified yet. DoD has not released the names of the contending vendors.

Many questions remain as to what the accreditation process will entail and how it will affect companies. The official CMMC website FAQs state that the duration of certification is still under consideration, but during the January 31 press conference, Ms. Arrington indicated a certification would be “good” for three years and would apply to whatever defense contracts the company enters into. In addition, the cost of CMMC certification has not yet been determined. [5][6]

Even companies contracting under DoD’s Other Transaction Authority (“OTA”) and not under the Defense Federal Acquisition Regulation Supplement (“DFARS”) may still need to earn CMMC certification. At the January 31 press conference, Ms. Arrington stated that DoD is working to include CMMC as a technical requirement for OTA and other non-DFARS contracts.[7]

DoD’s “Crawl, Walk, Run” Approach to CMMC Rollout

During the January 31 press conference, Ms. Arrington highlighted DoD’s projected timeline for CMMC rollout. She made clear that CMMC implementation is not retroactive – only new defense contracts will require CMMC certification. Ms. Arrington also emphasized that DoD will be taking a “crawl-walk-run” approach to implementation as set forth in the following timeline.

DoD’s Projected CMMC Implementation Timeline[8]

2020

January – AB created to oversee the training, quality, and administration of the C-3PAOs that will assess and certify defense contractors and subcontractors under the CMMC framework. CMMC Version 1.0 released on January 30.
March / April – Additional information should be posted on the AB’s website. The AB will establish requirements for candidate C-3PAOs and individual assessors.
June – DoD plans to include CMMC requirements in select Requests for Information (“RFIs”) (DoD’s target is 10). In addition, CMMC training should become available through Defense Acquisition University.
Spring / Summer – DoD plans to carry out rulemaking for an updated DFARS that incorporates CMMC.
September/October – DoD plans to include CMMC requirements in corresponding Requests for Proposals (“RFPs”), based on the updated DFARS. DoD estimates that each awarded contract would include approximately 150 subcontractors. CMMC standards will be required at the time of each contract award.

Fiscal Year 2021 - 2025

DoD will roll out CMMC requirements into new RFIs and RFPs. DoD anticipates a five-year rollout, as the standard DoD acquisition cycle is five years (one base year, plus four option years).

Fiscal Year 2026

DoD anticipates CMMC rollout will be complete. All DoD contracts will now include CMMC requirements.

Key Takeaways and How Orrick Can Help Companies Prepare for CMMC Implementation:

CMMC Affects All Companies Doing Business with DoD. CMMC certification will eventually be required for all DoD contractors and subcontractors – no matter their size or how far down they fall in the defense supply chain. The DoD has noted cybersecurity concerns for companies that are even six, seven, or eight levels down the supply chain,[9] so all companies working with DoD need to prepare for CMMC implementation.
Watch Closely as CMMC Rolls Out. DoD is set to start requiring CMMC certification as soon as June 2020 for certain “pathfinder” programs. DoD has stated that it will not be inserting CMMC into existing contracts. However, over the next five years, it is contemplated that all companies doing business with DoD will need CMMC certification. DoD recommends the companies monitor the CMMC and AB websites as new information becomes available.
Pre-CMMC Assessments. Companies potentially subject to the CMMC should engage counsel to evaluate their current cybersecurity posture. Our Orrick Cyber/Privacy and Trade/Compliance Team can help companies plan and assess their cybersecurity programs in preparation for third-party CMMC certification.
Downstream Contracting. DoD not only plans to impose CMMC obligations on prime contractors, but on subcontractors as well. The Orrick Trade/Compliance Team can help at any level of the supply chain to review and evaluate agreements to ensure that they reflect appropriate CMMC flow-down obligations.

Orrick will continue to monitor updates to the DoD’s CMMC framework. If any questions arise regarding the CMMC, please contact a member of our Orrick team.

[1] See Cybersecurity Maturity Model Certification (CMMC) Version 1.0, January 30, 2020, at https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf.

[2] See id.

[3] See Cybersecurity Maturity Model Certification (CMMC) Version 1.0 Appendices, January 30, 2020, at https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Appendices_20200203.pdf.

[4] See Press Briefing by Under Secretary of Defense for Acquisition & Sustainment Ellen M. Lord, Assistant Secretary of Defense for Acquisition Kevin Fahey, and Chief Information Security Officer for Acquisition Katie Arrington, January 31, 2020, at https://www.defense.gov/Newsroom/Transcripts/Transcript/Article/2072073/press-briefing-by-under-secretary-of-defense-for-acquisition-sustainment-ellen/.

[5] See id.

[6] See CMMC FAQ’s, at https://www.acq.osd.mil/cmmc/faq.html.

[7] See Press Briefing, supra.

[8] See id.

[9] See Press Briefing, supra.

Authors

Harry Clark Partner, International Trade and Investment, Mergers & Acquisitions

Washington, D.C.

See my bio

D:+1 202 339 8499
E: [email protected]

Practice:

Technology & Innovation Sector
International Trade and Investment
Mergers & Acquisitions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Harry Clark Partner

Washington, D.C.

Harry is experienced in areas such as CFIUS/Exon-Florio examinations of foreign investment, military and “dual use” export control regulations (ITAR/EAR), economic sanctions administered by the U.S. Treasury Department (OFAC), customs regulations, the Foreign Corrupt Practices Act, anti-money laundering rules, anti-boycott requirements and defense industrial security requirements. He executes internal corporate investigations regarding trade and investment rules and advises on such rules in the context of corporate transactions.

Additionally, Harry has extensive experience with government contracting matters. His government contracting work has included, for example, design and implementation of U.S. Defense Department renewable energy projects. He also represents broad industry coalitions on major trade litigations and international negotiations. His experience in these areas includes a leading role in what is often considered the largest-ever international trade dispute: the controversy regarding unfair softwood lumber imports from Canada. It has involved myriad administrative proceedings before federal agencies, NAFTA panel appeals, WTO dispute proceedings, judicial proceedings and international settlement agreements.

Harry has represented a coalition of major U.S. oil companies in antidumping and countervailing duty litigation. As a related matter, he pursues policy issues with congressional and executive branch officials and advises on international trade rules (e.g., GATT, WTO agreements and NAFTA).

Chambers 2022 recognizes Harry as a leader in the field of export controls and economic sanctions (Chambers Global and Chambers USA), as well as CFIUS (Chambers USA). Previous editions have also recognized Harry’s achievements regarding his work related to the Foreign Corrupt Practices Act. Clients note that Harry provides “accurate, straightforward guidance incredibly efficiently” and “he has an ability to translate complex legal requirements and rules into business-friendly jargon.”

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.