What is CMMC Compliance?

When you’re a government contractor or subcontractor, there are certain regulations and compliance-related guidelines you have to follow. A big area of focus for the government with its contractors is cybersecurity. 

Recently, the DoD announced it would be replacing one major regulatory certification, the Cybersecurity Maturity Model Certification (CMMC) version 1.0, with a streamlined program, CMMC 2.0.

We’ll talk more below about CMMC compliance and what it means for contractors, but first, we’ll broadly discuss government contracting requirements as they relate to cybersecurity.

Cybersecurity for Government Contracts

Over the past few years, there’s been a growing focus on cybersecurity requirements that apply to federal government contractors. As a result of increased obligations for compliance, there is a higher risk of False Claims Act liability related to cybersecurity. 

According to the U.S. Department of Justice, where cybersecurity protections are a condition of payment or of participation in a government contract or program, a knowing failure to follow those protections could lead to liability under the False Claims Act.

At least one district court has concluded that a company’s failure to comply with cybersecurity requirements, including the National Institute of Standards and Technology (NIST) Special Publication 800-171, could be relevant under the False Claims Act.

New cybersecurity requirements are also being implemented as part of the Cybersecurity Maturity Model Certification program. In response to the recently issued Executive Order on Improving the Nation’s Cybersecurity, a substantial number of contractors may have to comply with new requirements that could be viewed as material under the False Claims Act. 

The Executive Order on Improving the Nation’s Cybersecurity sets out a number of new obligations related to cybersecurity.

For example, there are new Federal Acquisition Regulation (FAR) provisions and Defense Federal Acquisition Regulation Supplement (DFARS) provisions covering the collection and preservation of data about cyber incidents, as well as the reporting and sharing of that data. It’s up to contractors to understand what’s required of them and take the needed steps to ensure timely implementation.

Providers of critical software will also be required to make sure that their software complies with NIST requirements.

What is the Cybersecurity Maturity Model Certification?

The CMMC is an important term in cybersecurity and across the IT industry as a whole. It affects hundreds of thousands of companies around the world.

The CMMC was developed by the Department of Defense as a certification to ensure contractors have controls in place to protect sensitive data from unauthorized disclosure. Sensitive data here includes Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The CMMC model integrates best practices from several cybersecurity standards. These include NIST SP 800-171, NIST SP 800-53, and ISO 27001. 

In the past, contracting authorities and prime contractors were responsible for both implementing and certifying the security of their information systems. They are still responsible for implementing security controls, but the CMMC now mandates third-party assessment to verify compliance.

CMMC was established in response to an increasing number of threats targeting DoD contractors.

More than 300,000 defense manufacturers, contractors, and small businesses involved in the defense industrial base (DIB) need the certification.

The requirements started appearing in some RFPs and RFIs in November 2020. By fiscal year 2026, all DoD contract awards will require some level of CMMC certification.

Essentially, if you handle DoD information, you likely need CMMC certification. If you handle non-classified information from the DoD, you may need no more than Level 3 certification. If you handle higher-value information, you’ll probably need at least Level 4, but the specific project determines the required level.

Certification Levels for CMMC 1.0

There are five levels of CMMC 1.0 certification in total. The most basic is Level 1, and the highest is Level 5.

Most companies should already be able to meet Level 1. This level includes things like password hygiene, the presence of antivirus software, and basic security systems. It’s a very fundamental, basic level of cybersecurity. 

Level 5, on the other hand, includes proactive ways to detect and mitigate a threat before it begins. A Level 5 certification requires systems and processes that can audit infrastructure and identify any gaps so they can be remedied. 

CMMC 2.0

CMMC 1.0 was designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), both of which are shared with and handled by DoD contractors and subcontractors on non-federal information systems.

CMMC 1.0 consisted of five progressive levels of security standards and required contractors to undergo a certification process.

In March 2021, the Department started an initial assessment of CMMC 1.0 implementation. At that time, there were more than 850 public comments made in response to the interim rule. 

This led to efforts to refine the policies and the implementation of the program. Thus, CMMC 2.0 was created.

CMMC 2.0 updates the structure of the program and its requirements with the hope of streamlining and improving the implementation of the CMMC program. CMMC 2.0 is also intended to build on the initial framework, but in doing so, to enhance cybersecurity against threats as they evolve. 

These changes eliminate Levels 2 and 4 of CMMC 1.0 and keep the remaining three levels.

Level 1 will be known as Foundational, and it stays the same as Level 1 in CMMC 1.0. Level 2 is Advanced, and it’s similar to Level 3 in CMMC 1.0. Level 3 is Expert, and it’s similar to Level 5 in CMMC 1.0.

CMMC 2.0 also removes CMMC-unique practices and maturity processes from all levels. Level 1 will allow annual self-assessments.

For Level 3, an independent third-party assessment will be required. 

Until the CMMC 2.0 changes take effect through the Title 32 CFR and Title 48 CFR rulemaking processes, the Department is suspending its piloting efforts. It won’t include the CMMC requirement in DoD solicitations until the program becomes mandatory after Title 32 CFR rulemaking is complete.

Christophe Rude