What contractors should do now about DoD’s new cyber security rule

Defense contractors are parsing out a nearly 250-page proposed rule. It landed sort of like a lump of coal on Christmas Eve. It is all about a program known as Cybersecurity Maturity Model Certification (CMMC). At the very least, if you are even tangentially involved in the topic, you should read the proposal and prepare comments. For more, the Federal Drive with Tom Temin talked with procurement attorney Eric Crusius, a partner at Holland and Knight.

Interview Transcript:

Tom Temin Because you have the full version out there and it completely fills an accordion folder. And, well, let’s begin at the beginning. What should contractors be doing now with this thing?

Eric Crusius We’ve said for a long time that contractors should be paying attention to what they know as CMMC, Cybersecurity Maturity Model Certification, as you said, because this is coming, and I think this is an important step that the Department of Defense took by issuing the proposed rule. They expect the final rule to be out sometime next year. And what it does is it really makes contractors certify that they’re doing what they’re supposed to be doing. There are already requirements for various [Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS)] clauses that require contractors to protect different kinds of information. What CMMC does is give DoD assurance that those contractors are actually doing that, through a self-certification or a third party certification.

Tom Temin Now, the CMMC was first proposed four years or five years ago, does the new rule pretty much mirror the way it was laid out originally? Or are there some significant changes in what they’re actually proposing for the CMMC to parallel? Let’s put it that way.

Eric Crusius Let me give you a great lawyer answer and say both. So some of it is the same and some of it’s different. So for level one, which is for the protection of federal contract information, that’s no longer going to be a third party certification; that’s now a self-certification. And that’s great because it’s less expensive, it’s more flexible for small businesses, but it also opens up potential False Claims Act liability for those small businesses because they’re self-certifying to something instead of getting a third party to bless it, essentially.

Tom Temin But they do have to have those controls in place.

Eric Crusius That’s right. That hasn’t changed. And the controls have been narrowed down across all the levels a little bit to take out some DoD-specific controls that were just germane to the CMMC program. Now it’s really all stuff that contractors already have to do. And when you talk about level two, that mostly remains a third party certification. So when they released kind of CMMC 2.0 and announced that they’re going to go through this rulemaking process, they said, well, level two is going to be a split level, with some folks getting a self-certification, some folks getting a third party certification. But they largely predict that most contractors will need and want to get a third party certification. They put the numbers as more than 76,000 defense contractors getting a third party certification under level two, and just 4,000 getting a self-certification. I think that’s pretty accurate. I would even say it should be weighted even more heavily toward third party certs, because if you’re a contractor with controlled and classified information, you’re going to want to get that third party certification because you don’t know what the next contract is going to require.

Tom Temin Right. So this apparatus of having third party assessors that would report back to some CMMC office in the sky, that’s still in place.

Eric Crusius That’s right. There’s still the accreditation body. It’s a nonprofit that was set up for the purpose of kind of laying out the ground rules, training the assessors, putting coursework out, kind of blessing the third party assessment organizations that are going to do the assessments, all that stuff. And they kind of sit in between the Department of Defense and the contractors, because DoD has essentially said in their rulemaking, we don’t have the capacity to ramp up like this, but we hope that some third party will. And this cyber accreditation body has done a good job of ramping up. They’ve added a lot of third party assessors. They’ve added a lot of folks in other categories. It’s a little bit of a slower go, I think, than some would like. But that just reflects the nature of how complicated this is. And nobody has to be assessed yet. That’s going to come some time next year. So the hope is that as more companies become aware and want to get assessed, there will be a similar increase in those who are capable of getting those assessments done.

Tom Temin So in other words, DoD becomes almost like an occupant of a building. The contractors are the builders, and these third party assessors are like the building inspectors.

Eric Crusius That’s right. That’s exactly right, because the DoD still has to be the architect, also. They’re the ones that say these are the rules. This is what you have to do. And that accreditation body is making sure that folks are doing it.

Tom Temin We’re speaking with attorney Eric Crusius. He’s a partner at Holland and Knight. What do you feel is commendable about this? It doesn’t sound like there’s anything that should surprise a contractor, even I’m surprised it took 250 pages to say what we just said in about a thousand words. So is there anything controversial in your view?

Eric Crusius I wouldn’t say this is controversial, but there are some things to think about. One is how are international companies going to kind of comply with this? A lot of the DoD supply chain is overseas. Whether you think that’s a good thing or a bad thing, that’s still the fact of the matter. And there’s a complicating factor in trying to get those assessors to do assessments overseas. There are some countries that wouldn’t allow that. So that kind of is an open question in this proposed rule. But there’s a promise of a ramp up. Another is that a lot of contractors, especially smaller ones, are using third parties to host their information or manage their services, manage their security, and how those are going to be treated. They did lay out the standards for cloud service providers, but for those managed service providers that do more than a cloud service provider, it’s not entirely clear what they need to do. Will they need a CMMC level two assessment? That’s possible based on the reading of this. But I think that has to be clarified a little bit. So that’s certainly something that could be open for comment. And of course, I think a lot of folks are going to want to comment on the cost of this. This is not an inexpensive endeavor, but DoD said over and over again in this rulemaking, hey, these are things you already have to do, so we’re not putting a new requirement on you. We’re just putting a new verification of that requirement on you. But even so, it’s still very expensive. And I think a lot of folks are going to want to comment on that, though I think DoD did a much better job this time around kind of understanding that cost and explaining that cost out in gruesome detail, actually, through the rulemaking.

Tom Temin And there’s going to be a lot of different situations technically. I mean, if you were dealing with a cloud supplier, a commercial cloud computing supplier, they’re supplying IT in the first place. And whatever controls they have inside their firewalls, in their clouds, sometimes that’s proprietary and it’s going to be hard to get. That’s different if you’re a supplier of castings for landing gear and you might be a subcontractor or even a prime in some cases in your information systems to operate your foundry and to take in the orders, etc., and buy your metal. That’s a whole different setup. That’s a little bit simpler than dealing with, say, a cloud.

Eric Crusius Right. It’s interesting because I think I’ve talked to numerous companies about this, and numerous companies who have tried to comply with the DFARS clause that’s out there already, 252.204-7012. And each one presents a different problem, because nobody has set up their system the same way. Each industry is completely different. So what they’re trying to do is come out with something that is neutral to all those different industries, and that’s something that can be implemented across numerous industries. Whether they have succeeded or not remains to be seen. But I could tell you that there are complications when implementing even just the controls as they are now, because companies have these bespoke systems and the different industries require different things. So hopefully as time goes on, there’ll be more guidance that’s out there and more information that’s out there from the Department of Defense and others that can help those companies through those problems. Because one of the big problems is these small businesses that do some business with the Department of Defense. But DoD obviously doesn’t want them to run away because of this new requirement. So kind of engaging with those small businesses and ensuring that they have the tools necessary to get compliant and get a certification without breaking the bank is going to be of paramount importance over the next year or two.

Tom Temin And cybersecurity has always been a matter of balancing between compliance and check-off, which this is all about, and actual cybersecurity, which is protecting the data and the secrets of the Defense Department. Somewhere in there, do you get the sense that their ultimate goal is to make sure that China doesn’t steal the plans for the next F-35?

Eric Crusius Absolutely, because I think DoD’s position for years now has been that it was way too easy for them to do that. And I get DoD’s position here. I mean, I understand that they do business with these contractors. They trust this information to them. They don’t want this information to show up overseas in China or another country. It just has to be balanced with kind of narrowly tailoring to what is absolutely required to do that. And on the other hand, contractors have an incentive to have good cybersecurity. They don’t want their proprietary information leaking out, too. So hopefully this will spur on those who are somewhat reluctant to do so to actually engage in good cybersecurity and protect their own information, because cybersecurity breaches are increasing exponentially. Now, I deal with those all the time, and it costs a lot more to deal with a breach than to prevent one.

Tom Temin And once this rule is finalized after the comments, people have 60 days, I guess, and it becomes a DFARS situation. Do you feel that this will engender a lot more compliance activity on contractors, or will it be one time around and you’re good to go?

Eric Crusius I think there’ll be a lot more compliance, and these certifications last for three years. So what you’ll have happen is this continuous cycle of contractors needing to get a third party certification, and especially in the beginning, that’s going to be difficult because there’ll be some early leaders who get a certification early on. There’ll be some who wait a little bit longer because they don’t have to, and they’ll be competing for that same time with the certified third party assessment organizations. So those C3PAOs are going to be especially busy, I’d say the first five years or so, as companies are ramping up for the first time and some are going through the process a second time.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.