A big Defense cybersecurity requirement for contractors moves closer to reality

Not yet in effect, the Cybersecurity Maturity Model Certification program rule is now at the White House for review.

The long awaited final rule on a Defense Department cybersecurity program is almost out. Not yet in effect, the Cybersecurity Maturity Model Certification program rule is now at the White House for review. So you might as well get used to the idea. Joining the Federal Drive with an update, attorney Eric Crucius of Holland and Knight.

Interview Transcript: 

Tom Temin  Eric, I guess the accurate thing to say is this rule is sent over per rulemaking protocol to the Office of Information and Regulatory Affairs.

Eric Crusius  That’s right, it’s there. We’re just waiting for them to review it and release it. And then we’ll, we’ll see all the joys of CMMC come to fruition.

Tom Temin  And what do we know about the final rule based on what we saw of the last version of the proposal and comments?

Eric Crusius  So, the programmatic rule came out in December, the day after Christmas, nice Christmas gift for the entire defense industrial base. And it was a big one, too. It was it was quite lengthy. I, I confess, I did steal some time away from my family to I was traveling to print it out and read it. But there are a lot of things that were made clear in the proposal. But there are some things that were left open, I think that we’ll see the final rule kind of address.

Tom Temin  What are the key takeaways then that people need to know, especially small businesses or large businesses that are going to be subjected to this? I mean, it applies across the board.

Eric Crusius  Right. I do think that this demonstrates the Department of Defense’s dedication to this rule, they push through this very quickly, they got a lot of comments on it, hundreds of comments. And they adjudicate those comments really quickly, when you think about it, because the comment period only closed earlier this year, just a few months ago. And they’ve already gone through all those comments and have now addressed those comments, edited the rule, and sent the final rule over to a wire for review.

Tom Temin  Right. And just by way of our own review, CMMC is a way of ensuring that contractors have in place basic cybersecurity hygiene programs of their own, and that they can prove that they have them to the government.

Eric Crusius  That’s right. And depending on the kind of information you hold for the government, it’s either a self-certification, or a third-party certification, or possibly a DoD certification on top of a third-party certification. So, it’s a kind of a step-up process through three levels.

Tom Temin  Right, and the rules apply, or there’s different versions of the rule, whether you’re a large company, small company or a subcontractor, and it goes down to the subs of the subs.

Eric Crusius  It goes all the way down until you get to a commercial off the shelf provider, cots provider, but it has a broad-based applicability throughout the supply chain, small businesses will be subject to and of course, DoD has come under some criticism about the cost for small businesses of the rule. And they’ve tried to address it by having something like Project spectrum, which is … Online, you can you could look at, that has a lot of information for contractors, also some techniques that contractors use small businesses in particular, using a managed service provider managed security provider, kind of managing the system, there’s no need for small, most small, medium sized businesses to set up their own bespoke system to be compliant, they could plug into a system that’s already been built and just customized for them. And that’s, it’s not cheap, but it’s far less expensive than the alternative.

Tom Temin  Well, you would want to have some cybersecurity system in place anyway, if you’re an operating company with clients, and you could have the potential to be in possession of federal information on your systems.

Eric Crusius  Exactly. For most companies, it’s not just a matter of regulatory compliance. It’s also a matter of what’s good business practice. And it’s hard because these business practices are not cheap. But on the other hand, responding to a cybersecurity incident is very expensive. And the potential lawsuits that can follow contract cancellations that can follow are far more expensive than kind of paying up front for good cybersecurity hygiene.

Tom Temin  And just what can we expect to the of the timeline here, as the rule is at an OIRA for just a few days, what is the protocol for an OIRA to review it and release it back to the agency for finalization?

Eric Crusius  they have 90 days usually to review the rules. So, they’ll probably take a lot of that 90 days to review it, then they’ll send it back to the Department of Defense. The Department of Defense will then edit it publish it on the federal or have it published on the Federal Register. And of course, we’re still waiting for the proposed D-FARs rule, which is the rule that would actually go into the contracts. That’s also at OIRA. And I expect that we’ll see that sometime this summer. And that rule was behind the programmatic rule. But I imagine the turnaround for that rule will be quicker. So, they might probably catch up to the programmatic rule eventually.  Right. Because without the default rule, then there’s no teeth in the CMMC rule. Right? It’s just this programmatic rule that lives in D-FAR somewhere, but it’s never in a contract. So, they eventually need to get it into contracts.

Tom Temin  We’re speaking with attorney Eric Crusius. He’s a partner at Holland and Knight. And with respect to the costs of CMMC, is there any rule of thumb such as a percentage of your revenues or a ratio to sales to the government type of thing that you can as a company have some idea what it will cost you?

Eric Crusius  Unfortunately, not. It’s going to be highly dependent on where a contractor is right now having the if they’ve been compliant with NIST 801 71, and they have controlled unclassified information, the step up to get a CMMC certification is not that great. It’s just a matter of paying an assessor to come in and assess. It’s not quite that simple. But that’s, that’s the major cost there. If a company has really been ignoring these obligations, and even though they’ve been in contracts for a while now, as a self-certification, then the cost is going to be much greater, because they have to pay that tech debt essentially get up to speed and then get assessed. So, for each company’s going to be quite different. Obviously, the small businesses are going to bear the brunt of this. They’re an important part of the defense industrial base. I’d also add that there are a lot of international companies do that do a lot of business with the Department of Defense that are also going to have a high cost and not really a path forward understanding about where they’ll come out. Because there aren’t assessors necessarily overseas yet. So, companies fairly large contractors that are that live overseas are going to have to navigate those waters as well.

Tom Temin  Right? The DIB extends to places like Finland and Israel and a lot of other northern European countries, all you have to do is walk through the aisles at the army show, for example, in Washington every year, and wow, I didn’t know they made that stuff in Norway, right? Like it’s all over the place.

Eric Crusius  It’s very true. It’s very true. So, DoD will hopefully have a way to address that moving forward, it sounds like they’re going to, they’re going to work to kind of shore up the international shortfalls that we’ve seen so far. Because they recognize obviously that that’s a very important part of the DIB.

Tom Temin  Yeah, so preparation for this has been a long time coming. I mean, the first CMMC program was envisioned and constituted some degree during the Trump administration. So, it goes back six, seven years or so now, the assessor base of people that are going to be in demand to assess companies is that in place, as far as we know.

Eric Crusius  It’s getting there, there are assessors that are ready to go. There are C3POs as they call them, the companies that are able to hire and maintain those assessors, assessment teams, there’s, depending on when you look, the last time I checked over, I think 53 C3POs and most of them will have multiple assessment teams, that’s still not a lot for the amount of companies in a did that will need a third party assessment, DoD estimates more than 76,000 will need an assessment. So obviously, it’s going to require slower rollout of the program to enable companies in the supply chain to be able to get assessed, there is a voluntary program. Now the joint surveillance program that’s happening where you get assessed, now, your assessment converts to a CMMC level two assessment. And that’s what a lot of companies are choosing to do. So, they don’t get caught up in the crush that can happen when the rule comes out. The downside of that is that the rule never comes out, you’ve wasted your money getting an assessment, or the time starts right now. So, an assessment is good for three years. If you get a joint surveillance, say September 1, that clock starts running on September 1, not when the rule is in effect to some most companies, that’s a small price to pay. So, there are a lot of folks are out there inquiring about getting join surveillance, and they’ve done they’ve done dozens of them now. So, it’s a fairly successful program.

Tom Temin  Right so every third year means you’re not unduly burdened by an assessment process year after year after year. But it also runs the risk that you might forget, you know, if staff turns out for what’s this thing we did this three years ago.

Eric Crusius  Right? Yeah, and you certainly don’t want to forget, because it is a go no go. If you don’t have that assessment, you and clauses in your contract is required, you can’t perform the work. So, it’s that’s a great point, it’s really great to have policies and procedures in place that will kind of go be there whether no matter who’s in that chair responsible for that assessment.

Tom Temin  Which means there is some burden incumbent on the government, because once that the D-FAR rule is in place. And if it’s for a certain number of contracts, it’s going to have to get into the contract writing systems.

Eric Crusius  That’s right. Yeah, the government is going to really have to department defense specifically going to really have to ramp up and understand like when this goes into contracts, when it does and what level, of course, contractors are going to be required to have to perform the work and that’s going to be dependent on the kind of information they have. So, there’ll be on a contract-by-contract basis, some kind of determination, as far as is this applicable? What level is going to be required? I imagine that will be the subject of some protests as well pre award protest where contractors are going to say no, there’s no CY in here. It’s only level one required. Maybe that contractor is arguing that because they don’t have a level two assessment just yet.

Tom Temin  And does this apply ultimately to every vendor or just certain ones? That is to say, does it apply the CMMC certification for Sam delivering 10,000 eggs from the free-range farms to an aircraft carrier or only to people making ordinance command and control systems, electronics, that kind of thing.

Eric Crusius  It’s going to apply to everyone If you’re selling, like, if the eggs aren’t bespoke eggs for DoD, maybe they have some special legs for the aircraft carriers, then it’s probably not going to keeping its right. Six months at sea. Yes. So those folks who, who are just providing things that you could go in the store and buy, they won’t be subject to CMMC. But if you’re providing something that’s commercial nature, or providing something that you’re making for DoD, specifically, then it’ll be applicable to you. And I’d be interested to see if other agencies pick this up as well. I imagine there are other civilian agencies kind of waiting around seeing how this goes. And if CMMC too.

Tom Temin  Sure, and maybe won’t take 90 days for OIRA to come out with this. I mean, if they knew back in Christmas that it was coming, right. Maybe they’ve done a little pre reading, we can’t tell for sure, but let’s hope.

Eric Crusius  Right and I suspect that there won’t be a lot of changes to the final rule versus the proposed rule, maybe just cleaning up a few things. And if that’s really the case, then I don’t, I could see OIRA going quicker with the rule.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News NetworkCybersecurity Maturity Model Certification

    CMMC is coming, but concerns for small businesses persist under revamped rule

    Read more
    Amelia Brust/Federal News NetworkCybersecurity Maturity Model Certification

    The original CMMC program was missing one key component — Here’s how the newly proposed rule should fix that

    Read more
    Amelia Brust/Federal News NetworkCybersecurity Maturity Model Certification

    Proposed CMMC rule contains no surprises, but raises some initial questions

    Read more