Background
By now, most defense contractors are familiar with the CMMC, which is the DoD’s new cybersecurity certification requirement. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 400,000 companies in the supply chain. The CMMC was developed in response to significant compromises of sensitive information contained in contractor information technology systems. Previously, contractors were responsible for implementing, monitoring, and self-certifying the security of their information technology systems and any sensitive DoD information stored on or transmitted by those systems. Now, contractors remain responsible for implementing critical cybersecurity requirements, but the CMMC shifts the paradigm by mandating third-party assessments of contractors’ compliance with certain practices, procedures, and capabilities to ensure that they can adapt to new and evolving cyber threats from foreign and domestic adversaries. The DoD plans to implement the CMMC requirements through a phased roll-out, with all requirements becoming effective in 2025. We previously discussed the CMMC framework in a September 2019 blog post, a podcast in March 2020, and a client alert in June 2020.
CMMC’s seven pilot programs
In December 2020, the DoD announced that its CMMC third-party certification would be required for up to seven contracts that it expects to award in late 2021:
- Technical Advisory and Assistance (Missile Defense Agency)
- Integrated Common Processor (U.S. Navy)
- F/A-18E/F Full Mod of the SBAR and Shutoff Valve (U.S. Navy)
- DDG-51 lead yard services/follow yard services (U.S. Navy)
- Mobility Air Force Tactical Data Links (U.S. Air Force)
- Consolidated Broadband Global Area Network Follow-On (U.S. Air Force)
- Azure Cloud Solution (U.S. Air Force)
As of February 22, 2021, none of the solicitations for these contracts had been released.[1]
If the DoD ultimately approves any or all of these procurements as pilots for the CMMC, offerors will need to be certified at the CMMC level required by the solicitation concerned and will have to flow down the appropriate CMMC requirements to subcontractors upon award. We anticipate, based upon the DoD’s public statements, that these solicitations will require contractor certification at Level 3,[2] at a minimum.
The DoD Chief Information Security Officer (CISO) has indicated that the 2021 pilots are just the beginning. We anticipate that a total of 15 solicitations will incorporate CMMC requirements by the end of 2021. Once CMMC is fully implemented by 2025, nearly all members of the DIB will be required to have CMMC certifications in place. Additionally, every DoD solicitation will require that contractors be certified at a specific CMMC level before bidding on the solicitation.
CMMC reciprocity
The DoD has signaled that it is focused on reducing costs for contractors as they work toward compliance with the requirements of the CMMC. In this regard, Ms. Katie Arrington, DoD CISO for Acquisition and Sustainment, has publicly stated that CMMC reciprocity may be available for certain government certification programs already in existence. One program that the DoD has suggested might be a candidate for reciprocity is the Federal Risk and Authorization Management Program (FedRAMP). Similarly, Stacy Bostjanick, CMMC’s director at the DoD Office of the Undersecretary of Defense for Acquisition and Sustainment, has indicated that a team is working with the General Services Administration and the DoD to align the requirements, methodologies, and levels of the CMMC and FedRAMP programs.
Additionally, the DoD has reported that it completed its reciprocity assessment for the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The DIBCAC was established in 2017 and performs provisional audits, as well as spot assessments of contractors after cybersecurity incidents. Currently, a guidance memo is pending signature that is expected to solidify the extent to which contractors assessed by the DIBCAC will be granted reciprocity with respect to their CMMC certification.
Reciprocity has been a key discussion point for reducing costs for contractors as they strive to comply with the CMMC requirements. We expect the DoD to provide more information in the coming months about reciprocity between CMMC requirements and other cybersecurity audit programs. This information will be critical to contractors seeking to obtain certification.
[1] There is at least one solicitation currently active on beta.sam.gov that contains CMMC requirements: the Defense Enclave Services (DES) RFP. Although it is not one of the seven pilot programs announced by the DoD, this Defense Information Systems Agency (DISA), Defense Information Technology Contracting Organization National Capital Region requirement is anticipated to be a Single Award Indefinite Delivery, Indefinite Quantity (IDIQ) contract awarded pursuant to Federal Acquisition Regulation (FAR) part 15 procedures. The resultant IDIQ contract is expected to have a multibillion-dollar ceiling, with a 10-year ordering period consisting of a four-year base period and three two-year option periods. The solicitation makes it clear that CMMC certification will be required at the task order level. See Solicitation page 23 of 104.
[2] Level 3 focuses on the protection of Controlled Unclassified Information and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.
Client Alert 2021-049