Department of Defense Unifies Compliance Standards, May Reimburse Contractors for Costs

Harris Beach PLLC

The Department of Defense (DoD) will establish uniform cybersecurity compliance standards for its defense contractors, and may permit contractors to treat the costs of bringing their programs into compliance as allowable, and therefore reimbursable.

The costs of achieving compliance with the DoD cybersecurity requirements may be allowable in certain cases, as announced by Katie Arrington, Special Assistant to the Assistant Secretary of Defense. This is a welcome change, especially in view of expected changes in the DoD’s cybersecurity compliance requirements.

Under the Cybersecurity Maturity Model Certification (CMMC) Program, the DoD will establish uniform standards against which DoD contractors' compliance will be measured. The standards are expected to include five "Maturity Levels" of required cybersecurity protections, from level one, "basic cybersecurity hygiene," which will be inexpensive and straightforward, to level five, "state-of-the-art" protections. Each DoD request for proposal (RFP) will specify which Maturity Level is required for the contract. Suppliers that do not meet the Maturity Level specified in the RFP will not be considered for the contract.

DoD believes that a very small percentage of its contractors now comply with National Institute of Standards and Technology (NIST) Special Publication 800-171, which contains the standards on which DoD's current cybersecurity requirements are based. Compliance with the standard will require certification by a third-party cybersecurity assessor; companies will no longer be allowed to self-certify that their cybersecurity practices are sufficient. CMMC will require defense contractors to obtain third-party audits of their compliance with the NIST SP 800-171 controls, down through their supply chains. CMMC may also incorporate cybersecurity frameworks beyond NIST SP 800-171. The DoD expects third-party certifiers to begin their certification efforts in January of 2020.

Contractors whose cybersecurity protections do not meet the NIST requirements should consider implementing the NIST SP 800-171 standards now.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising
