A lot has happened since the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (CMMC) v. 1.0 back in February (see our prior discussion here). In addition to developments with the CMMC Accreditation Body (“CMMC AB”), DOD has clarified the applicability of the program to commercially available off-the-shelf (“COTS”) providers and the impact of COVID-19 on program implementation.
During a May 15, 2020 meeting of the Coalition for Government Procurement, attended virtually by Sheppard Mullin attorney Townsend Bourne, Ms. Katie Arrington (Chief Information Security Officer for the DOD Acquisition and Sustainment (A&S) Office) provided updated information and details about certain aspects of CMMC implementation, and the anticipated timeline and costs. A summary of new developments and helpful information learned at the Coalition meeting is provided below.
DOD believes implementation of CMMC generally is still on track in spite of the COVID-19 pandemic. However, the accompanying DFARS rule change, which DOD plans to have in place prior to fully implementing the CMMC program, may be delayed due to the need for a public hearing. Right now, DOD expects to publish the new DFARS rule in Fall 2020.
Requests for information (“RFIs”) that include the CMMC requirement are expected to come out within the next 45 days. DOD plans to release a total of 10 RFIs in 2020. More broadly, the CMMC requirement will be included in certain new solicitations and contracts beginning in 2021, and in all DOD solicitations and contracts by 2026. However, DOD does not plan to include the CMMC requirement in existing contracts via contract modifications.
DOD’s updated CMMC FAQs state that providers selling only COTS products will not be required to be CMMC-certified at this time. This seems to be a shift from what was previously reported and understood—that CMMC certification would be required for all companies doing business with the DOD. Although not required by DOD, it has been suggested that COTS providers still should consider implementing security controls commensurate with Level 1, simply as a good business practice. Additionally, it remains possible that vendor partners may require COTS providers to be CMMC certified, even though it is not required by DOD.
Third Party Auditors and Associated Costs
In late March 2020, the CMMC AB was officially recognized by the DOD through a Memorandum of Understanding (“MOU”), signed by Ms. Ellen Lord (the Under Secretary of Defense for Acquisition and Sustainment). The CMMC AB is now officially responsible for qualifying, training, and certifying CMMC third party assessment organizations (“C3PAOs”). The CMMC AB will publish a publicly available list of C3PAOs after the training is developed and C3PAOs are certified to provide CMMC certification.
The CMMC AB plans to roll out its training program in two phases. The first phase, which will begin this summer, will include an initial class of 60 highly experienced assessors. These assessors will provide feedback on the course to help the CMMC AB improve and enhance the training. The first phase should be completed in 3-6 months, which will align with DOD’s timeline for certifying companies. The second phase will make the training available to general applicants.
Once the list of C3PAOs is published, companies seeking CMMC certification can contact C3PAOs and get in line for certification. The relationship between the business seeking certification and the C3PAO is a business-to-business relationship, which is similar to the FedRAMP process. As such, the company seeking certification will pay the associated costs. However, these costs will be allowable under the FAR, and can be built into contractors’ rates.
Additionally, DOD expects there will be reciprocity between CMMC and existing government certification programs, such as FedRAMP and ISO. Accordingly, to the extent a company is already FedRAMP certified, this could help cut down on costs associated with CMMC certification.
Finally, it is worth noting that the current COVID-19 restrictions (business closures and social distancing) may present challenges for certification, because C3PAOs will need to be onsite while performing the audits. Companies should start thinking now about how to work through this process if they plan to get certified while COVID-19 restrictions are still in place.
CMMC beyond DOD
Companies should be thinking about the broader implications of CMMC and other cyber initiatives throughout government. Already, we are seeing adoption of CMMC-related principles outside of DOD through, for example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”), which plans to release “supply chain essentials” guidance incorporating certain aspects of the CMMC. And it is expected that CMMC will expand to civilian agency contractors through a FAR clause in the near future.
Relatedly, the U.S. Cyberspace Solarium Commission, which was established to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences,” released a Report in March 2020 recommending the Sarbanes-Oxley Act be amended to include new Securities and Exchange Commission (“SEC”) cybersecurity reporting requirements. CMMC (or something like it) very well may become the “across the board standard” for contractors and commercial companies alike. With the advent of COVID-19 and associated restrictions, which have fundamentally changed the way we interact and exposed greater cyber vulnerabilities, this change may happen sooner rather than later.
Mariam Baksh, Pentagon’s Cybersecurity Accreditation Board Seeks First Class of Auditors, Nextgov (May 21, 2020, 05:43 AM), https://www.nextgov.com/cybersecurity/2020/05/pentagons-cybersecurity-accreditation-board-seeks-first-class-auditors/165583/.