Best Bites: December GovCon Lunch & Learn on CMMC, other security rules
On Dec. 10 and 18, CohnReznick’s Government Contracting practice presented “The New CMMC & Other Security Requirements from 3 Perspectives: DOD, Supply Chain, and Legal” as the December installment of the Lunch & Learn series. If you missed the event, or want a recap, read on for the top insights discussed during the events.
WHAT GOVERNMENT CONTRACTORS NEED TO KNOW ABOUT CMMC NOW
Beginning in 2020, the DOD will require the approximately 300,000 Defense Industrial Base (DIB) contractors, commonly referred to as DOD contractors, throughout the supply chain to provide in their RFP responses an independent audit of the maturity of their cybersecurity programs. To establish accreditation, the DOD is releasing a new standard and maturity ranking called the Cybersecurity Maturity Model Certification (CMMC). Failure to obtain this accreditation can result in the loss of government contracts, bid protests, and liabilities from termination, suspension, debarment and false claims.
Under the CMMC, contractors will be assessed on their implementation of required cybersecurity domains, capability statements, and relevant practices and processes, and an independent auditor will assign a maturity ranking based on the results of the audit. This ranking will be on a scale of 1 to 5.
All DOD contractors who have to satisfy DFARS clause 252.204-7012 will need to demonstrate a minimum maturity level of 3 for both processes and practices. It is also important for DOD contractors to understand that the overall maturity score of their cybersecurity program depends on the maturity ratings of both their processes and their practices. If one score is lower than the other, the overall maturity score will be the lower of the two.
Take action now to prepare and demonstrate compliance
Prime contractors need to ensure that their purchasing policies and procedures address the flow-down of the DOD’s cybersecurity requirements in situations where a subcontractor will provide operationally critical support or perform duties that involve covered defense information. Additionally, primes must ensure that these subcontractors can meet the requirements of NIST SP 800-171, or request a variance approval from their contracting officer, and must ensure that subcontractors understand the incident reporting and notice requirements.
Subcontractors can demonstrate compliance with DFARS 252.204-7012 and NIST SP 800-171 requirements by providing the prime contractor with a system security plan that documents compliance. The prime contractor must then review the plan and possibly test the subcontractor’s systems to confirm compliance. An alternative acceptable method is for the subcontractor to present the prime contractor with a basic self-assessment of compliance with the NIST SP 800-171 security requirements. However, for the prime contractor to be able to rely on a self-assessment, the subcontractor would need to have a robust cybersecurity framework and the associated personnel. A qualified third-party assessment of the subcontractor’s compliance could also be used if the third party’s credentials were provided to and reviewed by the prime contractor.
Make sure the entire supply chain is secure and adheres to legal requirements
Once CMMC is made part of RFP requirements, contractors will not qualify for awards that include CMMC unless they obtain the accreditation, and current contractors can be terminated should they fail to maintain their cybersecurity requirements. Bid protesters can raise noncompliance with cybersecurity requirements such as DFARS and CMMC as a basis to rescind awards to the extent the awardees falsely claimed that their systems are compliant. Similarly, contractors and their personnel can be suspended or debarred from new awards when their cybersecurity systems fail contract requirements. Furthermore, contractors can be subject to false claims liability if they knew or should have known about the breaches.