The contractor cybersecurity locomotive picks up steam

"I think we'll see a lot of new developments in the next month or two with CMMC, and implementation sometime early next year," said Eric Crusius.

The Cybersecurity Maturity Model Certification program has been long in gestation. But this baby is going to be a big one. That’s what happens when the Defense Department wants all of its contractors to do something. Attorney Eric Crusius, a partner at Holland and Knight, joined the Federal Drive with Tom Temin to discuss more.

Interview transcript:

Tom Temin Eric, is CMMC the top of the things, with respect to cybersecurity regulation, that vendors need to worry about? Or are there other things that are at the top of the list right now?

Eric Crusius It’s a long top of the list right now, but CMMC is probably the thing on most everyone’s mind, because it is really a go/no-go scenario where you have a requirement that if you don’t do it, you won’t be able to perform the contracts that you’re bidding on or work on existing contracts. So I think that is certainly on the top of people’s list. I think we’ll see a lot of new developments in the next month or two with CMMC, and implementation sometime early next year. So obviously that’s top of mind for a lot of folks. But there are other cybersecurity regulations that are also going to have a huge impact that are coming down the pike.

Tom Temin But we are past the comment period right now on the CMMC rules.

Eric Crusius That’s right. So what will be said has been said. And that is what DoD took in. In fact, it’s not even in DoD’s hands anymore. It’s with the Office of Management and Budget. And they are reviewing the rule, the final rule that DoD drafted for the programmatic rule, which will be how CMMC works.

Tom Temin And that’s a big rule. So is it simply with OIRA, the Office of Information and Regulatory Affairs, or do you think there’s even politicals higher up in OMB in the White House that are looking at this one?

Eric Crusius I think it’s just with OIRA right now. At this point, I think all those kind of discussions have happened, and all those reviews have happened where if it’s gotten this far, you would hope at least anyway, that the folks who would have influence over it that are higher up have already given their $0.02 on it, because the DoD has gone so far down this road, at this point five years later.

Tom Temin And let’s face it, administrations have different proclivities. This one doesn’t probably care so much about what it might cost industry.

Eric Crusius And the interesting thing about CMMC, and we talk a lot about what a change in administration will do to the government contracting industry and how regulations will be impacted. And there will be some areas where there’s a profound impact, like labor. But with cybersecurity, this is a program that started under the Trump administration. It was continued mostly the same under the Biden administration. So I don’t think a change in administration will impact CMMC. You never know, of course. But I think these things that the Biden administration is doing will largely be carried out by a future Harris or Trump administration.

Tom Temin And did the comments that came in on CMMC rules, do they run the gamut from “don’t do this” to “wow, this is great”?

Eric Crusius Pretty much. CMMC is interesting because it’s really just a verification of what contractors should already be doing. And you have a bunch of folks who are saying this is very expensive. And what they’re actually saying is getting up to speed so we could be assessed is very expensive. And there is something to that, of course. For small businesses and companies that don’t do business with the federal government very often, it’s a cost that may not be worth it for them. But the certification itself is really not that expensive in the scheme of things. It’s not like going to the store and buying a sandwich, but it’s also not an overarching expense, and most companies can handle it pretty easily.

Tom Temin But it is something of an ongoing cost, both in maintaining the controls themselves on your systems, which you would think you’d want to do anyway, but also you have to have periodic recertification. What is it, three years?

Eric Crusius That’s right. For the third party cert, it’s a periodic three year certification, and that’s an expense too. And like you said, maintaining the system in a way that allows it to function and be able to be recertified, because even though it’s a three year certification program, there is an affirmation that’s filed on an annual basis that says your system is still up to snuff and we haven’t changed it. So if you’re in M&A activity where you acquire a company and you work with their system, and you combine the two systems somehow, that’s going to require a recertification. So while for the most part it’s every three years, it could be more frequent in some circumstances.

Tom Temin And beyond CMMC, which is coming now that the rule is in the finalization stage, you might say, and it’ll come out, it won’t be an interim final, it’ll be a final.

Eric Crusius That’s right.

Tom Temin OK. There’s also, is it fair to say that the biggest next worry or the next one in line, is all of the various reporting incident reporting regimes that are being contemplated. I think there’s a DoD one and a civilian side one.

Eric Crusius I think it’s very fair, because it’s really interesting to see all these different ones come out. We have, like you said, DoD, the VA, DHS has its own. There is a new statutory requirement, potentially. There’s a new FAR requirement, potentially. And the interesting thing about all these different reporting requirements is they all have different triggers. What triggers a report? Could be information spillage. It could be a cyber attack where the bad guys get off with something. The information that has to be provided is different for each one. And the timeline to report is different for each one, and whether there has to be an update to the report and how often that occurs. So you may have a cyber incident where one report is triggered and one’s not, or the timelines are different, or the information you provide is different. And when you’re dealing with a cyber incident, that’s the last thing you kind of want to think about. So I really do hope that the agencies do get together and kind of harmonize these requirements, so that even if they keep their own separate requirements, they’re the same: the triggers are the same and the reporting obligations are the same.

Tom Temin We’re speaking with Eric Crusius. He is a partner at Holland and Knight. I guess cybersecurity is the biggest concern federal contracting clients have these days.

Eric Crusius It seems like it. It seems like I get a lot of calls about that these days. That and protests, because we’re in protest season now, of course. But I think cyber is really the biggest thing. And it’s funny, I gave a presentation at NCMA World Congress about 10 or 12 years ago saying the cybersecurity tsunami is coming. I thought it might be sooner than now, but it finally is happening now because we’re seeing all these different regulations where agencies are just trying to catch up, and they don’t want to be accused of kind of waiting while a major cyber attack happens and impacts one of their contractors or impacts their system. So I think they’re all trying to rush to get these regulations finished.

Tom Temin And protests, even though they’re a small number, seem to have an outsized influence on the way people think about federal procurement. And it comes up from time to time. And now it’s being bandied about in Congress as part of the NDAA, the National Defense Authorization Act, and that is the so-called British system, where if you protest and lose, you pay costs.

Eric Crusius That’s right. This is not the first time that this has been considered for the NDAA, and we’ll see if it makes it in the final version that’s voted on. Great observation that this is out there, though. It’s very interesting because what is going to trigger a payment of costs is a loss when you take it all the way to decision at the Government Accountability Office. I think the effect this will have is that a lot of protesters will push themselves to go to the court, because I don’t want to risk paying costs, and we don’t know what those costs would look like and what’s required of those costs. And there may be a cutoff on size of companies. There’s a lot of different factors at play, but I don’t know that this will have the effect that Congress intended it to have. Famously, John McCain pushed for this back in the day, and it was put in the NDAA, and there was a pilot program that was supposed to happen that never happened. So we’ll see if this one has a similar fate or not.

Tom Temin Yeah, GAO is the more efficient medium. It tends to side with the agencies about two-thirds, I think, or 70%. Maybe it’s higher, 90% of the time. But if you go to court, you might get a different type of hearing, but you also have a lot longer process, and you might get a judge that’s just simply not that experienced in federal contracting arcana.

Eric Crusius That’s right. A lot of the judges that are picked are not necessarily ones who come from the federal government space or the procurement space. So there’s sometimes, as you know, a learning curve for a judge, like there would be for any judge on any court when they’re trying something that’s unfamiliar. Like if I became a judge and I had a criminal case, I’d have a huge learning curve on that because I’ve never engaged in criminal law before. But I do like the court, because they’re more willing to kind of tackle those tricky issues, whereas GAO, that’s not what they do. They’re looking for mistakes that the agency made, and they do so, like you said, very efficiently. About half the time it’s either corrective action or a positive decision for the contractor. But like you said, when it goes to decision, it’s largely a decision in favor of the agency.

Tom Temin All right. So fair to say then also that the biggest concern now is just what the heck the budget situation will turn out to be. Because if it’s a long CR post potential shutdown, then the harder it is just to do the basic marketing of new programs and new initiatives to the government, which is the engine that drives all of this, good and bad.

Eric Crusius That’s right. And that’s always the problem with kind of getting these extensions, is that you can’t innovate as much because you’re just largely continuing old programs. So the hope is that they can come to some kind of agreement, but I wouldn’t expect anything before the election with that.

Copyright © 2024 Federal News Network. All rights reserved.
