Best Bites: December GovCon Lunch & Learn on CMMC, other security rules
On Dec. 10 and 18, CohnReznick’s Government Contracting practice presented “The New CMMC & Other Security Requirements from 3 Perspectives: DOD, Supply Chain, and Legal” as the December installment of the Lunch & Learn series. If you missed the sessions, or want a recap, read on for the top insights discussed during them.
Beginning in 2020, the DOD will require the approximately 300,000 Defense Industrial Base (DIB) contractors throughout the supply chain, commonly referred to as DOD contractors, to include in their RFP responses an independent audit of the maturity of their cybersecurity programs. To establish accreditation, the DOD is releasing a new standard and maturity ranking called the Cybersecurity Maturity Model Certification (CMMC). Failure to obtain this accreditation can result in the loss of government contracts, bid protests, and liabilities arising from termination, suspension, debarment, and false claims.
Under the CMMC, contractors will be assessed on their implementation of required cybersecurity domains, capability statements, and relevant practices and processes, and an independent auditor will assign a maturity ranking based on the results of the audit. This ranking will be on a scale of 1 to 5:

All DOD contractors who have to satisfy DFARS clause 252.204-7012 will need to demonstrate a minimum maturity level of 3 for both processes and practices. DOD contractors should also understand that the overall maturity score of their cybersecurity program depends on the maturity ratings of both their processes and their practices. If either score is lower than the other, the overall maturity score will be lower as well.
Prime contractors
Prime contractors need to ensure that their purchasing policies and procedures address flowing down the DOD’s cybersecurity requirements whenever a subcontractor will provide operationally critical support or perform duties that involve covered defense information. Additionally, primes must ensure that these subcontractors can meet the requirements of NIST SP 800-171 (or request a variance approval from their contracting officer), and that subcontractors understand the incident reporting and notice requirements.
Subcontractors
Subcontractors can demonstrate compliance with DFARS 252.204-7012 and NIST SP 800-171 by providing the prime contractor with a system security plan that documents their compliance. The prime contractor must then review the plan and possibly test the subcontractor’s systems to confirm compliance. An alternative acceptable method is for the subcontractor to present the prime contractor with a basic self-assessment of compliance with the NIST SP 800-171 security requirements. However, for the prime contractor to be able to rely on a self-assessment, the subcontractor would need a robust cybersecurity framework and associated personnel. A qualified third-party assessment of the subcontractor’s compliance could also be used, provided the third party’s credentials are supplied to and reviewed by the prime contractor.
Make sure the entire supply chain is secure and adheres to legal requirements
Once CMMC is made part of RFP requirements, contractors will not qualify for awards that include CMMC unless they obtain the accreditation, and current contractors can be terminated should they fail to maintain their cybersecurity requirements. Parties filing bid protests can raise noncompliance with cybersecurity requirements such as DFARS and CMMC as a basis to rescind awards to the extent the awardees falsely claimed that their systems are compliant. Similarly, contractors and their personnel can be suspended or debarred from new awards when their cybersecurity systems fail contract requirements. Furthermore, contractors can be subject to false claims liabilities if they knew or should have known about the breaches.
Bhavesh Vadhani, Principal, Cybersecurity and Privacy, CohnReznick Advisory
703.847.4418
Mark J. Maier, Government Contracts and Technology Transactions, Shulman Rogers
301.231.0945