Podcast: Cybersecurity Provisions in the FY24 NDAA

Dan Sennott: Hello, I'm Dan Sennott, co-lead for the defense and national security team here at Holland & Knight. This is one in a series of podcasts in which we break down the fiscal year 2024 National Defense Authorization Act. Over the next several podcasts, I'll be joined by partners from throughout the firm that specialize in many different areas of law and policy that the NDAA covers. This week, we will focus on cybersecurity provisions in the FY24 NDAA and what those provisions may signal regarding future DoD regulations and policies. I'm joined today by Eric Crusius, a partner in Holland & Knight's cybersecurity and government contracts groups. Welcome.

Eric Crusius: Thanks. Great to be here.

Dan Sennott: Eric, could you give the listeners a little bit of a thumbnail sketch of your background and experience?

Eric Crusius: Sure. Like you said, I sit in our government contracts and cybersecurity groups. Besides helping contractors with all the usual government contract stuff — protests, compliance claims and disputes, all those fun things — I also help them through cybersecurity compliance and responding to cybersecurity breaches when they occur, because government contractors have their own separate requirements in a lot of instances on what they have to do when there's a breach.

Dan Sennott: And so this year's NDAA, like many past years' NDAAs, covers a lot in the cybersecurity realm. Several provisions. I think one that it is an area of focus for many, in light of the CHIPS Act and other legislation we've seen, which is onshoring of semiconductor production. And so there's a provision actually regarding the semiconductor supply chain related to cybersecurity in this year's NDAA.

Eric Crusius: Yes. And kind of how you talked about semiconductors and domestic sourcing of semiconductors has been a big focus of Congress and this administration over the last few years, as you mentioned, the CHIPS Act, so much funding in the semiconductor industry, and last year's NDAA had a requirement to eliminate the use of certain Chinese companies over a period of years in the government supply chain. And this year, it's kind of more of a focus on, all right, if we're going to do that, how are we going to protect those semiconductors and that technology? So one section, 1513 for those keeping score at home, has some new requirements — or a new pilot program, I should say — that, that they're looking for DoD to set up, which would require the protection of the semiconductor supply chain by reducing cybersecurity threats and also reducing cyber threats that jeopardize the IP. Now, one big complaint that DoD has had over many years is that the IP that contractors develop in conjunction with the Department of Defense has been kind of flying out the door, especially to the Chinese and the Russians. And, you know, there's really a push to kind of stop that from happening. That's the genesis of the Cybersecurity Maturity Model Certification program that DoD is rolling out. So, I think this kind of this pilot program is a way for Congress to say, all right, we're developing this kind of nascent industry. We're getting this off the ground. We're really prioritizing this. Now we have to think of a way to kind of protect it.

Now, one big complaint that DoD has had over many years is that the IP that contractors develop in conjunction with the Department of Defense has been kind of flying out the door, especially to the Chinese and the Russians. And, you know, there's really a push to kind of stop that from happening. That's the genesis of the Cybersecurity Maturity Model Certification program that DoD is rolling out.

Dan Sennott: And there are other provisions that go even broader beyond the semiconductor supply chain to the supply chain writ large. Is that right?

Eric Crusius: That's true. There's a number of provisions. We won't go into each one in detail here, or else we will be here for a couple of hours. And I don't think anybody listening wants to do that. But there are a lot of provisions as they're happening in the last previous years on onshoring domestic supply of things. And that will help bring more stability to the supply chain. It will help American industry. It will help with cybersecurity because we can know where things are coming from and how they're being made. So there's a lot of benefits to doing that. And, you know, the Democrats and Republicans don't agree on very much these days. But domestic onshoring is something they're both in agreement with. So we see a lot of momentum towards these kinds of provisions.

And, you know, the Democrats and Republicans don't agree on very much these days. But domestic onshoring is something they're both in agreement with. So we see a lot of momentum towards these kinds of provisions.

Dan Sennott: And over the past few years, obviously, there's been a recognition that within the, we want to shore up the security of our defense industrial base.

Eric Crusius: That's right.

Dan Sennott: And that's in several different ways, right, making sure that we have reliable supply chains, domestic sourcing, etc. And then there is CMMC. Am I right?

Eric Crusius: You're right.

Dan Sennott: And now that is not, I don't think there's a specific provision in this year's NDAA related to that, but obviously there are volumes and volumes regarding CMMC and their big move afoot this year to sort of finally put in place the final rules on that. Is that right?

Eric Crusius: That's right. So the proposed rule naturally came out on December 26, the day after Christmas, when nobody was paying attention, except everyone was paying attention because it was so anticipated. And the thought is — and there's nothing to substantiate this — that the final rule will come out sometime this year, probably in the late fall, early winter time. And that will then require contractors in the DoD space to get a CMMC certification, whether it's a self-certification or a third party certification, will be dependent on what kind of information they have, but everyone will have to certify. And this is a way for DoD to kind of check up on contractors. Are you really protecting things that you say you're protecting them and you're doing it in a manner that we're prescribing because CMMC is really just a verification program. All these requirements have been in place for years now, and it's really just a way for DoD to check to make sure those requirements are being fulfilled.

And this is a way for DoD to kind of check up on contractors. Are you really protecting things that you say you're protecting them and you're doing it in a manner that we're prescribing because CMMC is really just a verification program. All these requirements have been in place for years now, and it's really just a way for DoD to check to make sure those requirements are being fulfilled.

Dan Sennott: And obviously we're assuming that CMMC is a household name, but could you just break down for the listener exactly what it requires and what it means for businesses?

Eric Crusius: Yes. Cybersecurity Maturity Model Certification has three levels depending on the kinds of information that you have. If you're under Level 1— and DoD estimates, about 120,000 companies will be in this level — means you have federal contract information, which is nonpublic but not really sensitive information. And for those folks, you self-certify on an annual basis that you're compliant with about 15, depending on how you break them down, 15 or 17 different controls. The company leader responsible for this has to file an affirmation with the Department of Defense on an annual basis. So there creates a False Claims Act risk. And if you look at the controls, you know they're not too complicated. But they also require verification because DoD has a right to audit this, you have to see that these are actually being implemented. You can't just check a box and say, oh yeah, I'm sure we got it covered. Is there training in place? Is there a policy in place? Is there something that evidences that one of those 15 or 17 controls is being followed through? So I always tell people it's not a weekend project, it's a multi-month project to ensure that you're compliant. And that's the most basic level. Level 2, which DoD advertises a split level between self-certification and third party certification, when they released the figures of how many companies they expect to be in each bucket, it's 4,000 companies that would be in a self-certification and more than 76,000 that would get it, need to get a third party certification. So the vast, vast majority will need to get a third party certification. Level 2 covers when contractors have something that's called controlled unclassified information, and that's information that's more than federal contract information, but not classified. So, for example, export controlled information would be controlled.

Dan Sennott: So it's information that you want to protect.

Eric Crusius: Right. Exactly. Yeah. And there is, there's a database online. It kind of runs through the different categories and everything like that. And that's a whole other podcast to talk about those categories. But contractors that have that information have to comply with NIST Special Publication 800-171, and there are 110 controls in that, and get a third party certification. And then Level 3, which is going to cover about 1,500 companies, is you have something even more than that, super sensitive information, not quite classified, but getting close to that. And they have to comply with everything Level 2, but also there are controls under NIST 800-172 that they also have to comply with. For Level 2, you get a third party certification by somebody who's been authorized to give a third party certification by the cyber accreditation body. The Level 3, DoD's the one that's going to do the certification, and they're only going to certify to those additional 24, 25 controls that are in NIST 800-172.

Dan Sennott: How many companies is that?

Eric Crusius: About 1,500 or so. I mean, these are just best guesses that DoD is throwing out. I imagine that we'll see a lot of floating up. There'll be fewer Level 1, more Level 2 than they expect and more Level 3 than they expect, because I think companies will proactively want to get a certification. Because if you don't have a certification, you can't do business with the government and handle that kind of information that they're saying that you have to be able to handle to perform those contracts. If you're a contractor, you don't want to put yourself in a position where you can't just bid on certain contracts because you don't have the right level. You need the certification on performance or on award.

Dan Sennott: When the CMMC certifications were first, the implementing regulations were first coming out, one of the concerns was this is just another example of the cost of doing business and kind of the barriers to entry for companies wanting to work with the federal government. How has the government sort of addressed those concerns among the industrial base?

Eric Crusius: I mean, they haven't really addressed the concerns. They have some programs out there that are like free resources, helps contractors go through the process. But in the end, if you want to do business with the government, you do have to do certain things, and that's their view of it. One thing that small-, medium-sized businesses can do is hire a third party service provider to house their data to provide security. It's an additional cost, no doubt, but it's much cheaper than trying to come up with a bespoke solution for your own company. And, you know, the companies I talked to who do this stuff is, it's fairly reasonable. Again, DoD's position is that you plow that cost into your G&A and overhead. Government eventually pays for it, and that's all true. But you have to win those contracts. And you know, it's tougher for folks who are just playing in the DoD space versus the people who are playing in the DoD civilian versus the people playing in civilian space. If you're a contractor who does business with the Department of Defense and civilian agencies and you're bidding on a contract, you know, say for DHS, which is a civilian agency, and you're bidding against contractors that only do business in a civilian space, your G&A and overhead is going to be higher because you have these other obligations that these civilian contractors don't have. Now, that's probably going to change. There are some regulations in the works that will require compliance with NIST 800-171 on the civilian side too. They've been stalled out a bit, but I imagine we'll see them sometime in next year or so. And that will even the playing field. You know, for now, DoD contractors will be at a competitive disadvantage if they're bidding on civilian contracts.

You know, for now, DoD contractors will be at a competitive disadvantage if they're bidding on civilian contracts.

Dan Sennott: So getting back to the NDAA — that was a great detour — but getting back to the provisions in the NDAA, there's another provision regarding strategic cybersecurity program. Can you describe that one?

Eric Crusius: Sure. And this is Section 1502. And, you know, I think with a lot of these kinds of things that we see in the NDAA, it's Congress kind of giving direction to DoD about, these are the directions we think you should go. These are the high-arching things we think you should be concerned with. And this is one of them. They want to establish a strategic cybersecurity program, which would, as a whole, provide policy direction, oversight regarding different cybersecurity programs and critical infrastructure. And I'm just imputing my own thoughts onto what Congress is thinking. But perhaps the thought is like, there's a lot of things going on in DoD now that they're trying to get, from a cybersecurity perspective, get things under control. We have CMMC, as we just talked about. There are other initiatives out there, too. Maybe some organization of those things, and coordination so the left hand knows what the right hand is doing. That's the impression I got from reading this provision.

They want to establish a strategic cybersecurity program, which would, as a whole, provide policy direction, oversight regarding different cybersecurity programs and critical infrastructure.

Dan Sennott: And hopefully that would instill some efficiency in the processes, right, lack of duplication of apparatus, etc.

Eric Crusius: Yes. And I think they actually say lack of duplication, something to that effect in the provision. So good job.

Dan Sennott: And there's another provision on cyber cooperation with Mexico and Taiwan, two of our strategic partners. Can you describe that one and how that may impact listeners?

Eric Crusius: Yeah. So it's really interesting. You know, obviously two very important partners to us for different reasons. But, you know, certainly with Mexico, they are looking at human trafficking and the drug trade and looking towards greater cybersecurity cooperation. And then with Taiwan specifically about looking towards greater cooperation with them to help protect them against a perceived threat from China itself. So, these are just kind of initiatives that Congress thought were really important to really focus on those two countries, and have greater cybersecurity cooperation among those two. Obviously, if you’re a contractor, for instance, you know, and you have expertise in these areas, you could probably look to see contracts coming out that cover these areas.

Dan Sennott: And there are a couple of provisions too that are directed towards securing strategic assets against cyber threats. Right. So NC3, nuclear command, control and communications, there's one and then also laboratories. Can you talk about kind of generally what is the concept they're trying to go for there?

Eric Crusius: The general concept with those two are just kind of to harden those assets. I think, again, kind of the idea of the CMMC program was to harden assets, keep things from flying out the door. We don't want another thing where the F-35 is replicated by another country. So make sure our nuclear capabilities and our laboratories are protected adequately. And these provisions really kind of are aimed to do that.

Dan Sennott: And then the final one, which obviously the Department of Defense, the federal government writ large, has the same hiring challenges that the commercial sector has. And there has been in previous years as well, efforts to bolster the workforce, particularly in the cyber realm.

Eric Crusius: That's right. Yeah. There's a number of provisions aimed at kind of pushing resources and cooperation and within DoD to kind of get higher level cybersecurity professionals into the federal government space in order to kind of carry out these programs and act as a defense for us, because it really is another defense venue, when you think about it. I think the Pentagon hasn't been too shy about saying that. So I think they need those kind of warriors to step in and really help push the agenda through.

There's a number of provisions aimed at kind of pushing resources and cooperation and within DoD to kind of get higher level cybersecurity professionals into the federal government space in order to kind of carry out these programs and act as a defense for us, because it really is another defense venue, when you think about it. I think the Pentagon hasn't been too shy about saying that.

Dan Sennott: Great. So overall, of all these provisions, this is a dangerous game. But what do you portend in, in the coming year? What do you see Congress and the Department of Defense building towards in the context of cybersecurity?

Eric Crusius: I think there is going to be continued focus on the semiconductor industry. It's so vital to our future. The protection of it is, you know, we can't not protect it. We have to. So I think, these provisions aimed at the semiconductor industry and specifically the protection of it, I think we'll see a lot of attention from Congress. I think DoD will act as quick as they can to kind of implement things to protect it, because if they don't, they'll hear from Congress again. They probably don't want that. So, I think we'll continue to see that, just on the regulatory standpoint, I think we'll continue to see focus on CMMC. I think the DoD has shown that it's very dedicated to seeing that program through. It's taken longer than they had wanted to, but it's been very consistent the last three or four years as far as what the program's going to look like. The proposal looks exactly like what they announced in 2021. So, I think we'll, you know, they've made up their mind on that and they're just going to see the program through.

I think there is going to be continued focus on the semiconductor industry. It's so vital to our future.

Dan Sennott: Great. Eric Crusius, thank you very much for joining us today.

Eric Crusius: Thank you. Thanks for having me.

Dan Sennott: And thank you for listening.