July 25, 2019

Defense Contractors To See New Cybersecurity Standards, Independent Certification Requirements

Holland & Knight Alert
Mary Beth Bosco | Eric S. Crusius

Details concerning the U.S. Department of Defense's (DoD) new cybersecurity standards are emerging. Called the Cybersecurity Maturity Model Certification (CMMC), compliance with this new set of security standards will be required in order for DoD contractors to compete for contracts. This Holland & Knight client alert will cover what is known about the standards, the certification process and the schedule for implementation of the CMMC program.

Contractors should be aware that DoD is holding briefing sessions for contractors throughout the remainder of the summer. The CMMC website lists the locations of these sessions, and DoD has solicited requests for additional cities. If you are interested in suggesting an additional location, you can submit the request through the CMMC website.

What Will the CMMC Standards Look Like?

The CMMC criteria will be very important to DoD contractors, determining whether or not a contractor can submit a proposal for a contract for which it would otherwise be eligible. While not yet complete, the CMMC standards will certainly be based at least in part on National Institute of Science and Technology (NIST) Publications 800-171 and 800-171B. NIST Publication 800-171 is the standard on which the current DoD cybersecurity rules are based. NIST 800-171B is the set of standards to be applied when a contractor is defending against Advanced Persistent Threats. DoD has also stated that it intends to review international cybersecurity laws and regulations, including those of the United Kingdom, Australia and Japan, and to incorporate some of these standards if appropriate.

As developed so far, the CMMC program will contain five "levels" of requirements, with Level 1 being the least stringent. The levels are:

Level          Description                   Security Controls   Maps to
CMMC Level 5   Advanced/Progressive          4                   NIST 800-171B
CMMC Level 4   Proactive                     26                  NIST 800-171B
CMMC Level 3   Good Cyber Hygiene            47                  NIST 800-171
CMMC Level 2   Intermediate Cyber Hygiene    46                  NIST 800-171
CMMC Level 1   Basic Cyber Hygiene           17                  NIST 800-171

How Will DoD Use the CMMC Standards?

The importance of the new CMMC standards cannot be overstressed. Beginning in June 2020 for requests for information (RFI) and in September 2020 for requests for proposal (RFP), DoD solicitations involving confidential unclassified information will be assigned a level. In order to submit a proposal, a contractor must have a third-party certification that its cybersecurity program complies with the applicable level. In other words, in the absence of the appropriate certification, a contractor will not be able to submit a proposal.

How Does a Contractor Get Certified?

The CMMC program will not accept self-certifications, but will require contractors to obtain third-party certifications as to their compliance with the applicable standards. DoD plans to use nonprofit organizations to train the third-party certifiers, who must go through this training to qualify for the CMMC program. The nonprofit trainers have not been announced to date.

What Is the Schedule for Obtaining Certifications?

DoD plans to release the CMMC standards this September or October. The nonprofit training sessions are scheduled to begin in January 2020. As soon as companies qualify to act as third-party certifiers, they can begin their evaluations and issuance of certifications to contractors. Under the current implementation schedule, DoD RFIs will begin to include the CMMC requirement in June 2020. The requirement will start appearing in RFPs in September 2020.

The development and implementation of the CMMC program is a work in progress. Holland & Knight will continue to monitor and report on new developments.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.