For a while now, we have been writing about the increasing impact of cybersecurity on the government contracting world, which, as Jon wrote, has become the “fourth pillar” of Department of Defense (DoD or the Agency) acquisitions. The latest evidence of this was discussed by our colleague, Dave Shafer, in his recent blog discussing a new DoD cybersecurity certification. This certification, called Cybersecurity Maturity Model Certification or “CMMC,” will significantly alter the DoD-acquisition landscape next year. Indeed, when this certification requirement comes online, all DoD contractors will be required to have CMMC to bid on, win, and retain new DoD contracts.
DoD is still rolling out the certification process for CMMC and it is expected to pick up steam in early 2020. DoD’s current objective is to fully implement the CMMC certification program by September 2020. If that timeline comes to pass, it would mean that 100% of DoD contractors will be required to obtain the CMMC certification to bid on new DoD contracts by the end of the next government fiscal year.
When the certification program comes online next year, DoD prime contractors and subcontractors will be able to apply to a third-party certifier to obtain CMMC. The third-party certifiers are not yet known. However, it is not too early to start preparing for the certification. To the contrary, many contractors have already begun doing so. CMMC will be the next key competitive discriminator for contractors of all sizes, so contractors should begin now to assess their compliance and gaps that will need to be filled before applying for CMMC next year.
A few weeks ago, DoD issued draft technical guidance on the CMMC, which can be found here. Contractors should review the draft technical guidance as soon as possible to understand what it will require for your organization to obtain CMMC next year, and start the process of getting your internal compliance program and IT system “certification ready.” This is where PilieroMazza’s Cybersecurity & Data Privacy team—together with our partners on the technical side—can help you:
- review your current cybersecurity practices;
- evaluate compliance with DoD, DFARS[1], and FAR[2] requirements;
- review, draft, and revise your System Security Plan and other internal policies and procedures; and
- establish a plan to fill in any gaps to ensure you are ready to obtain CMMC next year.
The CMMC builds upon the requirements in DFARS 252.204-7012 and establishes different levels of certification based on best practices across several cybersecurity maturity levels, ranging from basic cyber hygiene to advanced cybersecurity practices. The CMMC contains five levels, Level 1 being the most basic and Level 5 being the most advanced. Level 1 is designed to be achievable for most small businesses and encompasses basic cybersecurity requirements, such as antivirus protections, ad hoc incident response, ad hoc cybersecurity governance, and compliance with FAR requirements.
However, for many firms, you will not want to be content with achieving the minimum certification level. Some of your competitors are likely aiming for higher levels of certification and this could then become a key competitive discriminator. Some key DoD prime contracts and subcontracts may require CMMC Level 2 or above, for example, leaving the Level 1 firms out in the cold. While it remains to be seen how this will play out, we think the best practice at this stage is to aim for the highest level CMMC your company can feasibly achieve. As we discussed at our Cybersecurity Conference back in June, this is a worthwhile and necessary investment to ensure you maintain a competitive advantage with DoD contracts, and surely civilian agency contracts will not be far behind.
If you have questions about CMMC or if you would like assistance understanding what you should to do begin preparing, please do not hesitate to contact us.
[1] Defense Federal Acquisition Regulation Supplement (DFARS)
[2] Federal Acquisition Regulation (FAR)