CMMC 2.0 Simplifies Requirements But Raises Risks for Government Contractors
- For the third time in five years, the U.S. Department of Defense (DOD) announced new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information.
- The Cybersecurity Maturity Model Certification (CMMC) 2.0 improves upon its earlier version by reducing the model to three cybersecurity levels, removing bespoke CMMC requirements and permitting self-assessment affirmations for Level 1 and part of a bifurcated Level 2.
- Self-assessment affirmations create substantial risks of future U.S. Department of Justice (DOJ) False Claims Act (FCA) investigations and qui tam suits; this alert explains steps that can be taken to reduce such risks.
With the announcement of a revamped Cybersecurity Maturity Model Certification (known as CMMC 2.0),1 the U.S. Department of Defense (DOD) has, for the third time in five years, set out new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information, that is, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). By referring to the new cybersecurity standard as CMMC 2.0, the DOD implicitly recognizes the likelihood of future versions at an unknown cost to the Defense Industrial Base (DIB).
Nevertheless, version 2.0, which was released after a seven-month review by the Biden Administration, reflects the DOD's assessment of the DIB's concerns and its efforts to streamline and improve upon the earlier version after criticisms aimed at its cost and complexity. Specifically, CMMC 2.0 collapses CMMC 1.0's five tiers to three simplified tiers that are based on the cybersecurity framework implemented and that are devoid of additional CMMC-unique practices and processes. CMMC 2.0 also will allow "annual self-assessment with an annual affirmation by DIB company leadership" for Level 1 and part of the new bifurcated Level 2 (formerly Level 3). Otherwise, an independent third-party assessment or government-led assessment will be required.2
Besides CMMC 2.0, contractors with CUI are also required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7020. Collectively, these clauses require contractors to enter their compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 into DOD's Supplier Performance Risk System (SPRS). DOD will identify medium- and high-risk contracts and perform independent assessments of contractor compliance with NIST SP 800-171 and of whether a contractor's actual compliance matches what it entered into SPRS. Contractors should also be mindful of whether these disclosures match their prior acceptance of contracts with DFARS 252.204-7012, which required full compliance with NIST SP 800-171.
The return of self-assessment, which was the bedrock of the first DOD cybersecurity standards set out in DFARS 252.204-7012 and whose failure led to the development of CMMC 1.0, creates substantial risks to DIB companies and their leadership. The U.S. Department of Justice (DOJ) recently announced a new Civil Cyber-Fraud Initiative that emphasized the use of the False Claims Act (FCA), 31 U.S.C. § 3729 et seq., to bring civil actions against government contractors who knowingly misrepresent their cybersecurity practices and protocols.3 The FCA allows the government to recover treble damages and permits qui tam suits,4 which allow whistleblowers to receive a portion of the monies recovered by the government. In addition, other regulatory agencies have brought enforcement actions for alleged false certifications concerning compliance with agency-required cybersecurity standards.5 Thus, the risk of a DOJ investigation or a qui tam suit connected with a DIB company's self-assessment affirmation is very real, and this announcement, coupled with the self-certification options in CMMC 2.0, should not be seen as a coincidence. Nevertheless, companies can reduce such risks with appropriate cybersecurity policies and a culture of compliance.
Evolution of DOD's Cybersecurity Regulations
In October 2016, the DOD issued comprehensive cybersecurity regulations through DFARS. See 48 CFR §§ 204.7302, 204.7304, and 252.204-7012. The 2016 cybersecurity regulations required contractors and subcontractors to provide "adequate security" over their information systems and implement cybersecurity protocols and procedures that, at a minimum, complied with NIST SP 800-171 for "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."6 These regulations, however, only required contractors to self-assess that they were in compliance with NIST SP 800-171.
The initial cybersecurity framework did not succeed, in part due to the self-assessment requirement. In July 2019, the DOD Inspector General (IG) issued a report finding that government contractors did not consistently implement NIST SP 800-171 as required and that DOD agencies and contracting officers did not develop and implement processes to verify contractors' compliance.7 The IG report "recommended that DOD take steps to assess a contractor's ability to protect this [CUI] information."8
In response, in September 2020, the DOD issued an interim rule for its second comprehensive cybersecurity regulations, which established CMMC 1.0.9 CMMC 1.0 classified contractors into five tiers. Level 1 required compliance with the basic safeguarding requirements of Federal Acquisition Regulation (FAR) clause 52.204-21. Level 2 required compliance with 65 security requirements within NIST SP 800-171, along with additional CMMC practices and processes. Level 3 through Level 5 required complete compliance with NIST SP 800-171 and varying additional CMMC practices and processes. CMMC level assessments would be conducted by CMMC Third Party Assessment Organizations (C3PAOs), which would be accredited by an independent CMMC Accreditation Body (AB). All DOD solicitations and contracts would identify the CMMC level required for that solicitation or contract, though it was unclear how the requirement would be enforced down the supply chain.
DIB companies expressed concerns with this lack of clarity and with the additional bespoke CMMC requirements. Besides these issues, concerns were raised about the cost to small businesses, just as DOD has been contending with an ever-shrinking pool of contractors willing to do business with it. That was, in part, because a third-party assessment was required at all levels. CMMC 2.0 attempts to address these various concerns with the following changes to version 1.0:
- Level 1 remains the same and still requires basic safeguarding requirements consistent with FAR 52.204-21. Instead of a third-party assessment, Level 1 will require a company leader to certify compliance with requirements on an annual basis.
- Level 2 has been eliminated.
- Level 3 (now known as Level 2) maintains full NIST 800-171 compliance but eliminates the bespoke CMMC requirements. Further, some contractors will be able to self-certify instead of utilizing a third-party assessment, although it is unclear what that dividing line will be.
- Level 4 has been eliminated.
- Level 5 (now known as Level 3) will require full compliance with NIST SP 800-171 and at least partial compliance with NIST SP 800-172 for "Enhanced Security Requirements for Protecting Unclassified Information." DOD is still determining which NIST SP 800-172 requirements will apply. Contractors seeking a certification at this level will first need to be certified by a third-party assessor under Level 2 and then seek a government assessment under this level (presumably for the additional NIST SP 800-172 requirements).
Even though the implementation of CMMC 2.0 is anywhere from nine months to two years away, DOD is seeking ways to incentivize adoption. For instance, DOD may utilize cybersecurity compliance as an evaluation factor in procurements.10
Risk of Costly and Time-Consuming Investigations and Litigations
Viewing cybersecurity risks as both a national security risk and an investment risk, government regulators have increased enforcement actions against U.S. companies for deficient cybersecurity standards. This past year, the U.S. Securities and Exchange Commission (SEC) announced its first-ever enforcement action against a public company for deficient disclosure controls concerning cybersecurity risks.11 The New York Department of Financial Services (NYDFS) has brought enforcement actions against regulated institutions for alleged failure to comply with its recently enacted NYDFS Cybersecurity Regulations, including an action against insurance companies based, in part, on the alleged false certification of their compliance with the NYDFS Cybersecurity Regulations.12
These actions preceded the DOJ's announcement on Oct. 6, 2021, of the new Civil Cyber-Fraud Initiative.13 (See Holland & Knight's previous blog post, "False Claims Act Meets Cybersecurity: DOJ New Civil Cyber-Fraud Unit," Oct. 8, 2021.) Therein, Deputy Attorney General Lisa Monaco stated that the DOJ "will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards."14 Particularly relevant to CMMC 2.0's self-assessment affirmations, the Civil Cyber-Fraud Initiative will use the FCA to prosecute entities and individuals who knowingly provide deficient cybersecurity products or services and/or knowingly misrepresent their cybersecurity practices or protocols.15
The FCA "was originally aimed principally at stopping the massive frauds perpetrated by large contractors during the Civil War."16 The act was enacted in 1863 "following a series of sensational congressional investigations" where "[t]estimony before…Congress painted a sordid picture of how the United States had been billed for nonexistent or worthless goods, charged exorbitant prices for goods delivered, and generally robbed in purchasing the necessities of war."17
Today, the FCA lists seven types of conduct that create civil liability. Predominantly, the FCA provides that any person (i.e., entity or individual) who knowingly submits, or causes another to submit, a false or fraudulent claim to the government, or knowingly makes a false record or statement to get a false claim paid by the government, is liable for three times the government's damages plus a civil penalty, which, adjusted for inflation, is not less than $11,181 and not more than $22,363 per claim.18 The FCA also permits whistleblowers to file qui tam suits against any person who allegedly violates the FCA. If the qui tam suit is successful, the whistleblower may receive a portion of the government's recovery. As such, FCA and qui tam suits have become quite lucrative for the government and for whistleblowers. For instance, in fiscal year (FY) 2020, the DOJ recovered over $2.2 billion from FCA cases and paid out $309 million to whistleblowers.
Under the FCA, a person acts knowingly when the person 1) has actual knowledge of the information,19 2) acts in deliberate ignorance of the truth or falsity of the information or 3) acts in reckless disregard of the truth or falsity of the information.20 Moreover, the person need not have any specific intent to defraud the government.21 Thus, as it relates to the CMMC 2.0's self-assessment affirmations, if the affirmation is incorrect, the DIB company could be liable under the FCA even though its leadership did not intend to defraud the government and did not have actual knowledge that its affirmation was incorrect. Instead, a DIB company could be found to be "in reckless disregard of the truth" by failing to conduct a sufficient investigation of its cybersecurity practices and procedures prior to its affirmation,22 which would subject the company to treble damages and civil monetary penalties.
Additionally, although the 2016 cybersecurity regulations have required DIB companies to report cyber incidents to the DOD within 72 hours, Congress has been debating the inclusion of a cyber-reporting bill as part of the National Defense Authorization Act (NDAA) for FY 2022, which would require critical infrastructure owners and operators as well as federal contractors, not just DOD contractors and subcontractors, to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and, potentially, to provide that information to the FBI.23 If cyber incident reports are provided to the DOJ, they may potentially fuel this Civil Cyber-Fraud Initiative. Even if such reporting is not required, each cyber incident presents the possibility of an employee or former employee filing a qui tam suit alleging that the self-assessment assertions were false and violated the FCA. Thus, although self-certification programs create significant flexibility and cost savings within the CMMC 2.0 framework, they also create substantial litigation and investigation risks.
The threat of cybersecurity-based FCA action against DIB companies is not simply theoretical. As illustrated by Briggs v. Quantitech, and similar cases,24 "[t]here has been an uptick in cybersecurity-based FCA actions in recent years, predominantly qui tam actions filed by former employees that 'blew the whistle' on their company's deficient cybersecurity standards and practices."25
For DIB companies that will provide annual self-assessment affirmations within the CMMC 2.0 framework, steps can be taken to reduce the risk of future DOJ investigations and qui tam suits.
- First, DIB companies should implement and maintain written cybersecurity policies that are consistent with the basic safeguarding requirements of the FAR clause 52.204-21 and, if applicable, DFARS 252.204-7012. Because these policies will provide significant defenses against allegations of falsity and knowledge in any FCA litigation, they should be written in coordination with counsel and reviewed by multifunctional teams.
- Second, Deputy Attorney General Lisa Monaco recently emphasized that the DOJ will evaluate a company's history of compliance issues in future enforcement actions.26 Thus, DIB companies should develop and foster a culture of compliance throughout their organizations, including employee training, internal disclosure controls and/or board oversight of leadership's management.
- Finally, contractors should consider a CMMC certification to give themselves a competitive advantage and minimize the risk of other DIB companies not wanting to do business with them because of the cybersecurity risks they pose. This will help address concerns about the constantly evolving nature of cyberattacks and cybersecurity risks.
2 Prior to obtaining a government-led Level 3 assessment, contractors will need to first obtain a Level 2 certification led by a third-party assessor approved by the Accreditation Body.
4 Qui tam lawsuits are civil lawsuits filed by a private party on behalf of the government. The private party, called a relator, essentially steps into the role of the government for such action. The False Claims Act (FCA) permits such qui tam lawsuits. 31 U.S.C. § 3730(b).
5 See, e.g., NYDFS, "DFS Superintendent Lacewell Announces Cybersecurity Settlement with First Unum and Paul Revere Life Insurance Companies" (May 13, 2021).
6 These regulations also require contractors to, among other things, disclose security breaches within 72 hours and cooperate with U.S. Department of Defense (DOD) regulations.
7 DOD Inspector General, No. DODIG-2019-105, "Audit of Protection of DOD Controlled Unclassified Information on Contractor-Owned Networks and Systems" (July 25, 2019).
8 Fed. Reg. vol. 85, no. 189, at 61508 (Sept. 29, 2020).
10 See "Pentagon considers incentives to get companies to CMMC 2.0 early" (Nov. 26, 2021).
11 Law360, "Managing Risk After SEC's Cyber Enforcement Action" (June 28, 2021).
16 United States v. Bornstein, 423 U.S. 303, 309 (1976).
17 United States v. McNinch, 356 U.S. 595, 599 (1958).
18 31 U.S.C. § 3729(a)(1); 28 CFR § 85.5.
19 Where actual knowledge exists, the DOJ may bring criminal prosecution for the submission of false claims pursuant to 18 U.S.C. §§ 286 and 287. See, e.g., United States v. Slocum, 708 F.2d 587, 596 (11th Cir. 1983) (listing the elements for the criminal false claims provision).
20 31 U.S.C. § 3729(b)(1)(A).
21 31 U.S.C. § 3729(b)(1)(B).
22 See U.S. ex rel. Ervin & Assoc., Inc. v. Hamilton Sec. Group, 370 F. Supp. 2d 18, 40-43 (D.D.C. 2005); United States v. Krizek, 111 F.3d 934, 942 (D.C. Cir. 1997); S. Rep. 99-345, at 20 ("the constructive knowledge definition attempts to reach what has become known as the ostrich type situation where an individual has 'buried his head in the sand' and failed to make simple inquiries which would alert him that false claims are being submitted. While the Committee intends that at least some inquiry be made, the inquiry need only be 'reasonable and prudent under the circumstances' . . . .").
23 H.R.4350 - National Defense Authorization Act for Fiscal Year 2022; but see The Hill, "Language Requiring Companies to Report Cyberattacks Left Out of Defense Bill" (Dec. 7, 2021).
24 Briggs v. Quantitech, No. 2:19-cv-1690, 2021 WL 461694 (N.D. Ala. Feb. 9, 2021). A former employee brought a False Claims Act suit claiming that defendants concealed cybersecurity vulnerabilities to misrepresent contractual performance. The court dismissed the lawsuit for failure to state a claim.
25 Holland & Knight Government Contracts Blog, "False Claims Act Meets Cybersecurity: DOJ New Civil Cyber-Fraud Unit" (Oct. 8, 2021).