CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
Best Bites: December GovCon Lunch & Learn on CMMC, other security rules
On Dec. 10 and 18, CohnReznick’s Government Contracting practice presented “The New CMMC & Other Security Requirements from 3 Perspectives: DOD, Supply Chain, and Legal” as the December installment of the Lunch & Learn series. If you missed the event, or want a recap, read on for the top insights discussed during the events.
Beginning in 2020, the DOD will require the approximately 300,000 Defense Industrial Base (DIB) contractors, commonly referred to as DOD contractors, throughout the supply chain to provide in their RFP responses an independent audit of the maturity of their cybersecurity programs. To establish accreditation, the DOD is releasing a new standard and maturity ranking called the Cybersecurity Maturity Model Certification (CMMC). Failure to obtain this accreditation can result in the loss of government contracts, bid protests, and liabilities from termination, suspension, debarment and false claims.
Under the CMMC, contractors will be assessed on their implementation of required cybersecurity domains, capability statements, and relevant practices and processes, and an independent auditor will assign a maturity ranking based on the results of the audit. This ranking will be on a scale of 1 to 5:
All DOD contractors who have to satisfy DFARS clause 252.204-7012 will need to demonstrate a minimum of a maturity level of 3 for both processes and practices. It is also important for the DOD contractors to understand that the overall maturity score of their cybersecurity program is dependent on the maturity ratings of both their processes and practices. If one score is lower than the other, then the overall maturity score will be lower.
Prime contractors
Prime contractors need to ensure that their purchasing policy and procedures address requirements on flowing down the DOD’s cybersecurity requirements in situations where the subcontractor will be utilized for operationally critical support or is performing duties that involve covered defense information. Additionally, primes must ensure that these subcontractors can meet the requirements of NIST SP 800-171, or request a variance approval from their contracting officer and ensure that subcontractors understand incidence reporting and notice requirements.
Subcontractors
Subcontractors can demonstrate compliance with DFARS 252.204-7012 and NIST SP 800-171 requirements by providing a system security plan that documents compliance to the prime contractor for review. Prime contractors then must review the plan and possibly test the subcontractor’s systems to ensure compliance. An alternate acceptable method would be for the subcontractor to present the contractor with a basic self-assessment of compliance with the NIST SP 800-171 security requirements. However, for the prime contractor to be able to rely on a self-assessment, the subcontractor would have to have a robust cybersecurity framework and associated personnel. A qualified third-party assessment of the subcontractor’s compliance could be used if the third party’s credentials were also provided and reviewed by the prime contractor.
Make sure the entire supply chain is secure and adheres to legal requirements
Once CMMC is made part of RFP requirements, contractors will not qualify for awards that include CMMC unless they obtain the accreditation, and current contractors can be terminated should they fail to maintain their cybersecurity requirements. Bid protesting parties can raise noncompliance with cybersecurity requirements like DFARS and CMMC as a basis to rescind awards to the extent the awardees falsely claimed that their systems are compliant. Similarly, contractors and their personnel can be suspended or debarred from new awards when their cybersecurity systems fail contract requirements. Furthermore, contractors can be subject to false claims liabilities if they knew or should have known about the breaches.
Bhavesh Vadhani, Principal, Cybersecurity and Privacy, CohnReznick Advisory
703.847.4418
Mark J. Maier, Government Contracts and Technology Transactions, Shulman Rogers
301.231.0945
Related Services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP or its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
Related Insights
-
InsightCMMC implementation likely shifting to 2024, but contractors should still prepare nowBhavesh Vadhani, Daryouche BehboudiRather than “kick the can,” defense contractors should take advantage of this additional time to further assess and strengthen their cybersecurity posture.
-
InsightWhat do Government Contractors need to know moving into 2023?In this five point checklist we ask, and provide insight into, important questions government contractors should be considering to remain successful in 2023. Learn more.
-
InsightGovernment contracts and compliance for manufacturersWith more and more manufacturing companies being awarded long-term government projects, compliance is top of mind. This year’s GAUGE Report can help. Learn more.