A contractor cybersecurity regime is coming faster than you think

Like the Sword of Damocles, the Cybersecurity Maturity Model Certification program known as CMMC has been hanging over the heads of defense contractors for several years now. Well, it’s about to fall and companies doing business with the Defense Department should be ready. Haynes Boone procurement attorney Dan Ramish joined the Federal Drive with Tom Temin to provide an analysis.

Interview transcript: 

Tom Temin And we know this program requires certain controls in place and to have them certified by a third party certifier that the company pays for. So there’s expense and there’s liability. How close is this to becoming reality?

Dan Ramish Well, Tom, I think most projections now anticipate this will be in effect sometime in 2025, so next year. That is to say, it’ll start to roll out over a phased rollout process that will then last four phases over three years to full implementation.

Tom Temin All right. So that means you really have to have it in place now. And what is going to be the top challenge for contractors for, let’s say, CMMC level two, which I think is the bulk of them? Fair to say?

Dan Ramish Yes, that’s right, Tom. So there really are two core changes that are coming with the CMMC program. As you mentioned, contractors have had to be in compliance with certain cybersecurity controls already. What the CMMC program is doing is adding new verification mechanisms, particularly for level two, requiring independent third party assessments rather than self assessments, and then it’s also requiring full compliance with all security controls. Whereas for years contractors that have had CUI would have a system security plan and if they couldn’t fully meet all 110 controls required by NIST special publication 800-171, they could prepare what was called a plan of action milestones, which would then explain how they were going to come into compliance and on what timeframe. But DoD discovered that contractors kind of kicked the can down the road on outstanding POAMs and failed to close them out. So CMMC is going to make contractors come into full compliance, close out all POAMs within 180 days. So that’s a big change requiring full compliance with all the controls. And even from the start of CMMC there are going to be new restrictions on what controls can be quote unquote POAMed.

Tom Temin POAMed again means?

Dan Ramish Plan of action and milestones.

Tom Temin Okay. It means I haven’t done it yet, but I’m planning on it and you’ll hope I do.

Dan Ramish I’m working on it. Well, now there’s going to be a cutoff to “I’m working on it” and then there’s going to be a final exam or CMMC level two in the form of a third party assessment, making sure that you actually comply with all the controls.

Tom Temin And this is a big time investment and effort investment by contractors and therefore it’s a big cost.

Dan Ramish Absolutely. And really the costs have been understated by DoD or at least downplayed in the assessments descriptions. In the Title 32 rule back in December, DoD estimated that the cost of level two assessment would be about $100,000, which is pretty significant, particularly because the assessments will have to take place every three years. But that’s only the cost of assessing compliance with the cybersecurity controls. The cost of actually implementing those controls is significantly more substantial.

Tom Temin Right. And this is not a one time thing, as you say. You’ve got to have the assessment done by that third party every three years, but also because of the changing nature of software and the cyber threats, you can’t put in controls now, and that’s what you’ve got for the next ten years.

Dan Ramish That’s right. You have to be in a state of ongoing compliance and you have to continually affirm that you remain in compliance and stay in compliance throughout the performance of the contract with the level of CMMC that you’re required to have in place. And actually one of the new requirements in the DFARS rule that came out in August was that contractors will have to notify contracting officers within 72 hours if there are any lapses in information security or changes in the status of CMMC certificate or their self-assessment levels during the performance of the contract.

Tom Temin That is, you have to report something that may not be a cyber security incident breach itself.

Dan Ramish That’s exactly right. This has been interpreted as being broader than the current rapid reporting requirements for defense contracts would see. So it’s a new mechanism to ensure that contractors stay in compliance during the performance of the contract.

Tom Temin We’re speaking with Dan Ramish. He’s a procurement attorney with Haynes Boone. And what are the liabilities here if you don’t do these things? Or, I mean, there’s really two possibilities. One, you don’t have the controls in place. You said you did. And the assessor says, oops, you know, you’re a POAM or something or you better get a POAM going. And then there is if you were actually breached. And then when you are breached, they’re branching off from that two possibilities. One, you were breached even though you were in total compliance or you were breached, data was lost and you were not in compliance. So kind of three possibilities there. What does all that mean? What could that cost? Contractors if something happens.

Dan Ramish So contractors are going to have to be in compliance with CMMC, at least conditionally. And as we say, after 180 days, they have to close out all remaining plans and if they can’t meet the CMMC level in order to receive an award, they’ll be cut out of the defense market. If they if they can’t achieve and maintain the CMMC level that’s required. That’s obviously a huge consequence and DoD is no longer going to accept partial measures with the phasing out of poems. Contractors are going to need to comply with all the security requirements. But there are also significant liabilities if they incorrectly certify it. Now, for most CMMC level two contractors, there will be a third party assessment. So they’ll at least be have a different entity that is attesting to their certification status. So in some ways that will reduce the risk, even though it’ll increase the costs by having to retain that company to do that assessment.

Tom Temin By the way, can contractors, say, establish a assessment practice and sell that to other contractors as long as their own assessors don’t look at their own company?

Dan Ramish There is a whole ecosystem that’s evolved around this. There are specific CMMC third party assessment organizations or C3PAOs that will obtain the ability to do these assessments. And that’s kind of a distinct role from companies that are playing in the system as defense contractors.

Tom Temin Got it. Yeah. So they’re defense subcontractors in effect right there.

Dan Ramish They’re a separate outsourced function performing that assessments for the government. Now the government for certain select contractors that are required to obtain CMMC level three, DoD is actually going to do those assessments itself. But the goalpost is being moved for all contractors across the spectrum to have to have greater verification mechanisms. And actually that’s going to affect even companies that don’t have any see why they only have federal contract information or FCI. Those companies have not been subject to assessment requirements and now they’re going to have to perform self assessments and report those which will create new liabilities for those companies.

Tom Temin And is there any cost recovery mechanism through a contract for obtaining and then maintaining your compliance under CMMC.

Dan Ramish Companies that have cost type contracts, these costs should be reimbursable, but companies that are performing fixed price contracts, there isn’t a specific mechanism to recover the costs. And part of the issue is that the Department of Defense has assumed that contractors have been in compliance with the safeguarding requirements. You know, starting back in 2017. Because the security controls themselves are not new. DoD has said, well, you’re already supposed to be meeting those, so we shouldn’t have to compensate you for them separately.

Tom Temin And we’ve been talking about CUI, which is controlled, unclassified information. How well has DoD been able to define what CUI precisely is, so contractors will know what has to be protected?

Dan Ramish Now, this has been a constant struggle for contractors. The Department of Defense has had problems in both directions. There have been issues with CUI that was not marked and just masses of documents that that should have been marked that weren’t. And then more recently, DoD has perhaps been overcorrecting and over marking documents that did not need to be marked. And this is problematic for contractors because. So it’s the crux of the whole system. Which systems actually have CUI on them or have CUI transmitted over them? And so if contractors don’t know which specific information under the contract is CUI, they can’t appropriately scope their cybersecurity controls. And this is one of the major omissions from the two DoD rulemakings, the Title 32 rulemaking in December and the August Title 48 rulemaking. There’s no specific either regulatory or contractual requirement for DoD to identify what information that will be provided or generated under the contract is CUI. And that’s a really fundamental point that should be addressed. It’s addressed in DoD policy and then frequently asked questions, but it should be in the regulations in the contract as well.

Tom Temin Dan Ramish is a procurement attorney at Haynes Boone. Thanks so much for that elucidation.

Dan Ramish Thanks, Tom.

Tom Temin And we’ll post this interview with federalnewsnetwork.com/federaldrive. Subscribe to the Federal Drive wherever you get your podcasts.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.