July 11, 2020

Volume X, Number 193

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

DOD CMMC Update – Third Party Auditors Gear Up and COTS Providers Get a Pass

A lot has happened since the Department of Defense (“DOD”) released its Cybersecurity Maturity Model Certification (CMMC) v. 1.0 back in February (see our prior discussion here).  In addition to developments with the CMMC Accreditation Body (“CMMC AB”), DOD has clarified applicability of the program to Commercially available off-the-shelf (“COTS”) providers and the impact of COVID-19 on program implementation.     

 A summary of new developments and helpful information learned at the Coalition meeting are provided below.


DOD believes implementation of CMMC generally is still on track in spite of the COVID-19 pandemic. However, the accompanying DFARS rule change, which DOD plans to have in place prior to fully implementing the CMMC program, may be delayed due to the need for a public hearing. Right now, DOD expects to publish the new DFARS rule in Fall 2020.

Requests for information (“RFIs”) that include the CMMC requirement are expected to come out within the next 45 days. DOD plans to release a total of 10 RFIs in 2020. More broadly, the CMMC requirement will be included in certain new solicitations and contracts beginning in 2021, and in all DOD solicitations and contracts by 2026. However, DOD does not plan to include the CMMC requirement in existing contracts via contract modifications.

COTS providers

DOD’s updated CMMC FAQs state that providers selling only COTS products will not be required to be CMMC-certified at this time.[1] This seems to be a shift from what was previously reported and understood—that CMMC certification would be required for all companies doing business with the DOD. Although not required by DOD, it has been suggested that COTS providers still should consider implementing security controls commensurate with Level 1, simply as a good business practice. Additionally, it remains possible that vendor partners may require COTS providers to be CMMC certified, even though it is not required by DOD.

Third Party Auditors and Associated Costs

In late March 2020, the CMMC AB was officially recognized by the DOD through a Memorandum of Understanding (“MOU)”, signed by Ms. Ellen Lord (the Undersecretary of Defense for Acquisition and Sustainment). The CMMC AB is now officially responsible for qualifying, training, and certifying CMMC third party auditors (“C3PAOs”). The CMMC AB  will publish a publicly available list of C3PAOs after the training is developed and C3PAOs are certified to provide CMMC certification.

The CMMC AB plans to roll out its training program in two phases. The first phase, which will begin this summer, will include an initial class of 60 highly experienced assessors.[2] These assessors will provide feedback on the course to help the CMMC AB improve and enhance the training. The first phase should be completed in 3-6 months, which will align with DOD’s timeline for certifying companies. The second phase will make the training available to general applicants.

Once the list of C3PAOs is published, companies seeking CMMC certification can contact C3PAOs and get in line for certification. The relationship between the business seeking certification and the C3PAO is a business-to-business relationship, which is similar to the FedRAMP process. As such, the company seeking certification will pay the associated costs. However, these costs will be allowable under the FAR,[3] and can be built into contractors’ rates.

Additionally, DOD expects there will be reciprocity between CMMC and existing government certification programs, such as FedRAMP and ISO. Accordingly, to the extent a company is already FedRAMP certified, this could help cut down on costs associated with CMMC certification.

Finally, it is worth noting that the current COVID-19 restrictions (business closures and social distancing) may present challenges associated with certification, because C3PAOs will need to be onsite while performing the audits. Companies now should start thinking about how to work through this process if they plan to get certified while COVID-19 restrictions still are in place.

CMMC beyond DOD

Companies should be thinking about the broader implications of CMMC and other cyber initiatives throughout government. Already, we are seeing adoption of CMMC-related principles outside of DOD through, for example, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (“CISA”), which plans to release “supply chain essentials” guidance incorporating certain aspects of the CMMC. And it is expected that CMMC will expand to civilian agency contractors through a FAR clause in the near future.

Relatedly, the U.S. Cyberspace Solarium Commission, which was established to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences,” released a Report in March 2020 recommending the Sarbanes-Oxley Act be amended to include new Securities and Exchange Commission (“SEC”) cybersecurity reporting requirements. CMMC (or something like it) very well may become the “across the board standard” for contractors and commercial companies alike. With the advent of COVID-19 and associated restrictions, which have fundamentally changed the way we interact and exposed greater cyber vulnerabilities, this change may happen sooner rather than later.


[1] See CMMC FAQs Nos. 19 and 20, available at https://www.acq.osd.mil/cmmc/faq.html.

[2] Mariam Baksh, Pentagon’s Cybersecurity Accreditation Board Seeks First Class of Auditors (May 21, 2020, 05:43 AM), https://www.nextgov.com/cybersecurity/2020/05/pentagons-cybersecurity-accreditation-board-seeks-first-class-auditors/165583/.

[3] See CMMC FAQs No. 18, available at https://www.acq.osd.mil/cmmc/faq.html.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 149


About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law FIrm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Nikole Snyder Associate DC Government Contracts, Investigations and International Trade

Nikole Snyder is an associate in the Government Contracts, Investigations and International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Nikole represents government contractors in various government contracts litigation and counseling matters, including in the following areas:

  • Civil False Claims Act litigation defense;

  • Cybersecurity counseling;

  • Internal investigations;

  • Small business issues under the Small Business Administration regulations, including issues of size status and affiliation;

  • Transactional due diligence; 

  • Bid protests before the U.S. Government Accountability Office; and

  • Bribery, gratuities, and kickbacks.