Reed Smith Client Alerts

The Department of Defense (DoD) has confirmed that new Cybersecurity Maturity Model Certification (CMMC) requirements will be included in DoD solicitations to be released in November 2020. This confirmation indicates that, despite the impact of COVID-19, the DoD is intent upon shoring up protection of its critical networks and supply chain by ensuring the protection of certain critical information. This client alert will provide the most recent updates related to CMMC implementation, a topic of critical importance to defense contractors.

Authors: Bart W. Huffman Liza V. Craig Elizabeth Leavy Aryeh M. Younger

Background

Last year, the DoD announced that it was developing a CMMC framework under which all defense contractors would be required to obtain certification. The DoD explained that Certified Third Party Assessment Organizations (C3PAOs) will independently verify whether defense contractors have the appropriate levels of cybersecurity controls and processes to protect controlled unclassified information (CUI) housed on contractor systems. The CMMC framework will assess and enhance the cybersecurity posture of the Defense Industrial Base, because it will require demonstrated contractor capabilities across a number of technical areas. The C3PAO evaluators will assess and measure each company’s cybersecurity practices and processes and assign a corresponding level of CMMC certification using a scale of levels 1–5. We first discussed the CMMC framework in a blog post back in September 2019 and followed up with a podcast in March 2020.

Memorandum of understanding

On June 1, 2020, DoD issued a press release announcing that the Under Secretary of Defense for Acquisition and Sustainment Ellen Lord and CMMC Accreditation Body Chairman Ty Schieber signed a Memorandum of Understanding (MOU) establishing the roles, responsibilities, and authorities of each organization. Importantly, the MOU provides that the DoD will only accept certifications from accredited organizations that the Accreditation Body (AB) has approved to make assessments. The MOU confirmed that the CMMC Accreditation Body will provide approve for private C3PAOs, which will then hire CMMC AB-certified assessors trained by CMMC AB-certified instructors. Companies that receive assessments from non-accredited (i.e., non-certified) organizations will not meet the standards for receiving a contract award once CMMC accreditation is required. While some companies have started to advertise themselves as valid CMMC auditors, contractors should be wary of such organizations if they have not yet been approved by the CMMC AB as C3PAOs.