Contractors will need to prove cybersecurity measures are good enough for DoD

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

After brewing for more than a year, the rules for the Defense Department’s Cybersecurity Maturity Model Certification are out. The industry is coming to grips with this new requirement, that if you’re in the DOD supply chain you’ve got to demonstrate to a third-party judge, of sorts, that you have a modicum of cybersecurity chops. With a...

READ MORE

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

After brewing for more than a year, the rules for the Defense Department’s Cybersecurity Maturity Model Certification are out. The industry is coming to grips with this new requirement, that if you’re in the DOD supply chain you’ve got to demonstrate to a third-party judge, of sorts, that you have a modicum of cybersecurity chops. With a summary, procurement attorney Joseph Petrillo joined Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Joe I guess the industry was caught a little bit by surprise when this came out as an interim rule and not a proposed rule even though everyone knew was coming. So CMMC is definitely here.

Joe Petrillo: Well, that’s right. This rule is going to take care of and lay out a path for the transition from the current system, which relies on the NIST special SP-800-171 standard to CMMC, which is a new standard that builds on the NIST standard but goes well beyond it. And the transition period is going to start from the end of next month, the end of November. And it’s going to be completed by the end of fiscal year 2025. So by September 30 2025, we should be living under the new CMMC requirement. The immediate effect of the new rule. And before I get into that I should add this is going to have an enormous impact because it will apply to all DoD contracts, including those for commercial items. Excluding only a commercial off the shelf items, only COTS are excluded, and they’re going to be flowed down to affected subcontracts. If the subcontractor has information that’s covered by the clause, the subcontractor has to meet the standard as well. So the current change is that for new awards, contractors have to post their assessment under the NIST standard to an online system called the Supplier Performance Risk System, SPRS. NIST standards are basic, medium, or high, medium, or high levels are going to be posted by DoD and DoD will or can perform those medium or high level assessments.

Tom Temin: That is to say DoD itself can perform them or do you have to go to one of the third party — here is a cohort of a thousand assessors?

Joe Petrillo: Right, the outside assessors, third party assessors, are going to be assessing compliance with CMMC. Now you have to comply with various portions of the NIST standard to meet the CMMClevels. But right now, that system is, we’ll find out, it’s still being rolled out. So we’ve got this kind of immediate impact. But people have been dealing with the NIST standards now for a while and should be up to speed on them.

Tom Temin: I mean, in some sense, contractors should have cybersecurity in place. And if they’re doing business with the Defense Department, it would not seem shocking to be able to demonstrate that you can comply with the standards outlined in SP-171. That’s one of the basic NIST documents, it’s not new.

Joe Petrillo: Right. What’s happening here is that, of course, you need cybersecurity, but DoD wants to impose a series of minimum standards and minimum requirements. And those are going to vary in severity and difficulty depending upon the risk involved by the specific contract. So what we’re looking forward to now is the implementation of CMMC in this period, starting from the end of November, through the end of fiscal 2025. What we will need at the end of that period, and at various points during it is that contractors are going to need to current CMMC certificate at the level called out in the solicitation, there are five levels of certification for CMMC. Basically, they build on the NIST requirements with their own sets of requirements. The certificate has to be maintained during the contract life, it has to be current in the words issued in the last three years to have to renew your certification. And the unique thing about CMMC is it’s going to be issued, the certificates going to be issued, by a third party evaluator. And these are assessors who were approved by a private body, the CMMC accreditation body. And one of the things that’s interesting here is that these requirements, the CMMC requirements, can be used until the end of fy 2025. But they have to be authorized by the Office of the Undersecretary of Defense, Acquisition and Sustainment. So the phasing in is going to be a little slower because you’ve got to get approval to impose CMMC.

Tom Temin: So what you’ve outlined is what I think people are realizing is a fairly complex apparatus. But nevertheless, there is this burden on contractors. So to get to that 2025 certification, what do you have to do? What should contractors be doing now?

Joe Petrillo: Well, what contractors should be doing, of course, is initially making sure that their NIST assessments are posted to the SPRS because that’s going to be necessary for them to get new contracts. They’re going to be implementing the CMMC requirements, and they should be working on those as well. And they’re going to have to make sure that their supply chain link your affected subcontractors are also doing the same things. Now, the challenges in rolling out CMMC are the following. I mean, first of all, you need to have these third party assessors certify you, the assessments won’t be available until the first or second quarter of 2021. And that’s at the earliest. That’s if there’s no slippage in the schedule for COVID, or whatever other problems there might be. You then have to get the assessment in order to compete for contracts that during this interim period might require CMMC certifications. So this is going to be a real challenge for contractors and it may limit competition and specific procurements depending on how fast DoD starts requiring CMMC certifications. Yeah, what’s the universe here? DoD estimates that certifications will be required for about 212,000 prime contractors. And 8,309, quote, known unique subcontractors, close quote. Well, a lot of subcontractors are also prime contractors. So you don’t want to count them twice. But I just find it astonishing to believe that it can only be 8,000 subcontractors that are not also prime contractors affected by this.

Tom Temin: Well, the other question is, this cost money to do — you have to get the assessor in and you’ve got to take some measures, possibly the equipment and software and so forth to get to that level where you can be certified — are these table stakes or can you use these costs as part of your bid for cost basis of the bid?

Joe Petrillo: I think the current thinking is that this is a contract requirement. So in the cost of complying with this can be built into your indirect cost records. And the other thing is that the entire system used by the contractor doesn’t necessarily have to be certified just those portions dealing with the contract. So there may be ways to limit cost by isolating certain systems. The DoD estimate for what this is going to cost on an annualized basis total is $6.5 billion. But the assumption there is that very few contractors they actually give the number of 66 will be required to certify at the highest CMMC levels, four and five. Everyone else is going to be certifying at levels one, two and three. And of course the costs of compliance rise quite steeply as you go up the scale. That may be too optimistic, there may be more contractors than 66 in those high levels. And if that’s the case, then the annual cost will climb accordingly.

Tom Temin: But a couple of hundred thousand companies are affected by this in some way or another and better get ready to deal with it.

Joe Petrillo: Yes, at least a couple hundred thousand — they’re going to have to go through the system. It’s all gonna have to take place in the next few years for this thing to work and for competition to continue.

Tom Temin: Well misery loves company. Joe Petrillo is a procurement attorney with Petrillo and Powell. Thank you for that primer.

Joe Petrillo: Thank you, Tom.

Related Stories