CMMC – what is a prime contractor to do to prepare?
January 2021 | EXPERT BRIEFING | RISK MANAGEMENT
financierworldwide.com
The theft of intellectual property and sensitive information from all US industrial sectors due to malicious cyber activity threatens economic security and national security. Last year, in response to that threat, the Department of Defense (DoD) announced that it was working with government and industry stakeholders to develop the Cybersecurity Maturity Model Certification (CMMC) framework.
By now, defense contractors are very aware of the fact that the CMMC requirements are a reality that they will need to comply with in the coming years. However, defence prime contractors are likely going to need to provide support and assistance to their subcontractors and suppliers who will also need to comply with the CMMC requirements as members of the Defense Industrial Base (DIB).
The CMMC requirements, which are being rolled out in a phased approach, are already showing up in some DoD solicitations. Currently, the CMMC clause will only be included in a solicitation if it is approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. However, starting on 1 October 2025, CMMC requirements will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively for commercial off-the-shelf (COTS) items) valued at greater than the micro-purchase threshold. So, by that date, defence contractors must have a CMMC certification in place at the appropriate level for a particular contract effort.
Defense contractors must act swiftly and decisively to prepare for these compliance requirements associated with the CMMC, and there are a number of actions that contractors should be taking now. Foundationally, they will need to be aware of the CMMC’s 1-5 scale that measures levels of cyber security maturity and capability. The DoD has published the CMMC framework, which details what is required at each level. Once familiar with these requirements, defence contractors should conduct a self-assessment of their company’s ability to become certified in accordance with the CMMC.
This self-assessment should include forecasting about which CMMC level will be required, depending on the types of contracts that will be competed for. Additionally, considering the phased rollout, defence contractors should identify a target date for obtaining CMMC certification at the identified level and work backwards from that date to develop a plan of actions and milestones to ensure success.
It will be important for defence contractors to identify any specific CMMC requirements that their company may not be able to meet that could ultimately impact certification at a given level. Once these ‘gaps’ are identified, defence contractors can make informed business decisions regarding these ‘gaps’ and the impacts that they will have on the ability to obtain future contracts. As well, defence contractors must ensure that they are staying up to date regarding the status of the CMMC implementation. The DoD will no doubt continue to refine the framework and make changes to its implementation. We have seen many changes to date, and with the DoD’s request for feedback from the DIB regarding the CMMC and its impact on business operations, additional changes are likely.
Because the DoD has made clear that prime contractors will be required to flow down the appropriate CMMC requirements to subcontractors, it will be critical for prime defence contractors to assist their subcontractors and suppliers with understanding the need for and mechanisms required to ensure compliance. While it is unlikely that all subcontractors and suppliers will need to be certified at the same level as the prime in every case, the DoD has made clear that all subcontractors will need to be certified at some level.
Defence contractors who serve as prime contractors may find it in their interest to ensure that the subcontractors and suppliers that they do business with have a clear understanding of what is considered Controlled Unclassified Information (CUI) and can trace where they store, process or transmit CUI. They also may want to assist their supply chain in understanding what is required to assess whether an individual company is ready and able to achieve the necessary CMMC certification.
Finally, prime contractors as well as subcontractors and suppliers that will seek CMMC certification should also remain vigilant regarding entities that promise to ensure certification but may not truly have the ability to do so. There are many entities currently offering to assist companies in engaging with the certification preparation process, but these entities cannot themselves grant certification. While they may be very helpful in navigating compliance and preparing for the certification process, only CMMC third-party assessment organisations and individual assessors accredited by the CMMC Accreditation Body will be able to perform CMMC assessments. Members of the DIB that are looking to be certified must become familiar with the actual third-party assessment organisations and look only to those organisations for the certifications that the DoD requires.
Liza Craig is counsel at Reed Smith LLP. She can be contacted on +1 (202) 414 9235 or by email: lcraig@reedsmith.com.
© Financier Worldwide