As I was about to enter a large breakout room at the Gaylord Hotel in Nashville back in July 2013, I was excited to deliver a presentation on the forthcoming cybersecurity requirements contractors would face. It was a long road coming: I had applied to speak at the National Contract Management Association’s (NCMA) annual World Congress six months earlier and the presentation was not originally selected. When the agenda was released and no cybersecurity presentations were on it, I appealed to them to add mine or any other that covered cybersecurity. And they did.
The room was big. The crowd was not. There were just four people out of thousands of attendees. The leadership at NCMA obviously knew something about what would draw a crowd that year that I didn’t. Nevertheless, I delivered the presentation and walked through what contractors had to be compliant with, which was minimal at the time, and what we would see over the next few years. I called it a forthcoming cybersecurity tsunami.
Now 10 years later, a lot has changed, spurred on by a number of significant cybersecurity compromises and the creation of the Defense Department’s Cybersecurity Maturity Model Certification program. No matter where CMMC lands, it caused many in the contracting community to get serious about cybersecurity, which has benefitted our nation’s security. Faced with the reality of a third-party validating cybersecurity compliance and the growing costs of breaches impacting contractors big and small, contractors have wisely chosen to bolster their cybersecurity. It is a difficult choice because contractors, especially small and primarily commercial companies, do not get an immediate financial benefit from this investment. To date, when considering contractors’ proposals, agencies rarely structure their factors for award in a way that would allow them to give a higher score to companies that have invested in cybersecurity over those who have not. In fact, the more secure contractors are at a disadvantage because, all things being equal, their overhead costs would be higher from that investment.
We have all witnessed the frustrating and unfortunate fits and starts with CMMC. The initial rollout, which has been delayed by years at this point, has breathed life, in some quarters, into the belief that it may never come and that the federal government does not care about cybersecurity. Objectively, however, the opposite is true. Agencies across the federal government are releasing new requirements on a regular basis, and some are more stringent than CMMC. Further, DoD contractors that handle controlled unclassified information (CUI) still have to comply with the 110 controls in the current version (Revision 2) of the National Institute of Standards and Technology’s Special Publication 800-171. CMMC is merely a third-party validation of what contractors with CUI already have to do. That is why I continue to advise contractors to get compliant now; it is already a requirement for contractors with CUI whether we get a CMMC 3.0 or CMMC never happens at all.
There are also numerous new and forthcoming cybersecurity requirements from agencies across the government:
The Department of Veterans Affairs just rolled out new cybersecurity requirements that include over 150 cybersecurity controls under VA Directive 6500, require written notification of a cybersecurity breach within one hour, and provide for liquidated or actual damages in the case of some breaches. Not all of these controls align with the controls in NIST SP 800-171.
The Department of Homeland Security is on the verge of issuing new regulations that will likely require breach notifications within eight hours and compliance with DHS standards for the handling of CUI. These controls may or may not be consistent with NIST 800-171.
There are proposed rules in various stages of development, including one in the final stage with the Office of Management and Budget that would require compliance with NIST standards across civilian agencies.
Other civilian agencies impose various requirements of their own, including a system security plan, one-hour breach notifications, and more.
And we should not sleep on existing DoD requirements:
DFARS 252.204-7019 and -7020 require contractors to enter scores reflecting their NIST SP 800-171 self-assessments in the Supplier Performance Risk System (SPRS) and to agree to DoD assessments. Having a current score in SPRS is a prerequisite to award when the clause is in the solicitation.
DFARS 252.204-7012 requires contractors with CUI (whether or not it is marked) to comply with NIST SP 800-171, report a cyber incident to DoD within 72 hours of discovery, and cooperate with DoD investigations, among other things.
All of this adds up to a compliance regime that is quickly gaining in complexity and elevating contractors’ False Claims Act risk. There is little doubt that agencies will assert that compliance with cybersecurity controls is material and, on that point, the Department of Justice recently introduced a civil cyber-fraud initiative aimed at contractors that misrepresent their cybersecurity compliance, including through implied self-certifications that accompany every invoice, and at protecting the whistleblowers who report them.
Because of that, it is arguable that CMMC has already done its intended job and helped spur industry and government to act. Even so, CMMC is still necessary, and soon. Because each agency is releasing its own controls, the regulatory regime is becoming more complex and incongruent, which makes us all less safe. A standard across DoD, like CMMC, that is adopted by other agencies will save money and bring better cybersecurity outcomes. Further, requiring validation by a third party will allow those contractors that want to enhance their cybersecurity to avoid being financially punished relative to contractors that do not. Nevertheless, CMMC is imperfect, and the significant costs to the defense industrial base, which were initially underestimated, could drive some contractors away from government business. DoD has to weigh whether that is a risk worth taking against the continued leakage of valuable information to our adversaries.
We have come a long way in the last 10 years, but we still have a distance to go. While the relevance of CMMC has arguably decreased in recent years, the value it can provide has not. It is the best chance for one standard adopted across the federal government and industry and, if executed correctly, that could just be worth the cost.
Eric Crusius is a partner with Holland & Knight focusing on a broad array of government contracts litigation and compliance matters, including compliance with differing cybersecurity requirements across federal agencies.