Beginning in June 2020, contractors competing for DoD contracts will be required to obtain third-party certification as part of the RFP process.
On January 30, 2020, the Pentagon issued the final standards under the Cybersecurity Maturity Model Certification (CMMC), which marks the first steps toward implementation of new cybersecurity standards into all Department of Defense (DoD) contracts. This model was created in an effort to strengthen the cybersecurity of hundreds of thousands of DoD contractors and prevent malicious cyber activity that leads to loss of intellectual property and sensitive information, as well as supply chain disruptions.
Certification Requirements
The CMMC lays out five cybersecurity maturity certification levels and certification processes. Each level is designed to provide the DoD with increased assurance that contractors can protect sensitive information, including controlled unclassified information (CUI) and federal contract information (FCI). At each level, the process and practice maturity level identified must be achieved. The five levels are:
| Level | Focus | Process Maturity | Practice Maturity |
| --- | --- | --- | --- |
| Level 1 | Safeguard FCI | Performed: no process assessment | Basic Cyber Hygiene: 17 practices (meeting FAR clause 52.204-21) |
| Level 2 | Transition step to protecting CUI | Documented: document policies and implement practices | Intermediate Cyber Hygiene: 72 practices |
| Level 3 | Protect CUI | Managed: establish, maintain and resource a plan | Good Cyber Hygiene: 130 practices (includes all NIST SP 800-171 plus others) |
| Level 4 | Protect CUI and reduce risk of advanced persistent threats | Reviewed: review and measure activities for effectiveness | Proactive: 156 practices |
| Level 5 | | Optimizing: standardize and optimize an organizational approach | Advanced/Progressive: 171 practices |
What to Expect
Beginning in June 2020, contractors competing for DoD contracts will be required to obtain third-party certification as part of the RFP process, a change from previously permitted self-certification. Contractors will be expected to obtain certification with one of the approved CMMC assessors, who will audit a contractor’s cybersecurity capabilities based on the chart above.
Next Steps
While a proposed rule that amends the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC into contracts is not expected until the summer of 2020, contractors should take initial steps now to prepare for CMMC certification. Contractors should begin evaluating the level they will be required to achieve by reviewing their DoD contracts and subcontracts. Contractors should also assess ways to pass along the costs of certification and related cybersecurity upgrades to DoD, an issue that DoD continues to study. DoD has previously indicated that these costs will be allowable as indirect costs.
For Further Information
If you have any questions about this Alert, please contact Michael E. Barnicle, Keith J. Feigenbaum, Jamie E. Brown, any attorney in the Government Contracts Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.