August 12, 2022

Volume XII, Number 224


DOD Marches Full Steam Ahead With Release of New Draft CMMC 0.7

On Dec. 13, 2019, the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Draft 0.7 of the Cybersecurity Maturity Model Certification (CMMC) framework. The CMMC framework will be used by third party auditors to certify that members of the Defense Industrial Base (DIB) sector are complying with the Department of Defense’s (DOD’s) baseline cybersecurity requirements. In Fall 2020, DOD will begin including CMMC certification requirements as go/no go evaluation factors in some of its procurements and, eventually, DOD CMMC certification will be required for all DOD contractors, subcontractors, and suppliers working on defense contracts.

Background

As discussed previously in GT client alerts (see New Cybersecurity Certification Requirements for Government Contractors) and articles (see FEATURE COMMENT: Cybersecurity For Government Contractors: DOD’s New Cybersecurity Maturity Model Certification Rapidly Taking Shape), the CMMC framework represents a departure from the DOD’s current approach to baseline cybersecurity for the DIB sector. Defense contractors will no longer be permitted to simply self-certify their compliance with cybersecurity standards or rely upon Plans of Action and Milestones (POA&M) to fill gaps in their System Security Plans. Rather, third-party auditors, regulated by a yet-to-be-determined non-governmental organization, will be responsible for certifying contractor compliance with the CMMC framework.

The CMMC framework will establish five tiers of cybersecurity maturity, with Level 1 certification representing “Basic Cyber Hygiene,” and Level 5 certification representing “advanced or progressive cybersecurity.” The CMMC framework consists of 17 domains, such as “Access Control” and “Personnel Security.” For each cybersecurity level, the CMMC framework requires contractors to demonstrate compliance or adoption of increasingly stringent “capabilities” and “practices,” in each of these domains.

What is New?

What is Next?

In January 2020, DOD plans to issue CMMC 1.0, which is expected to be the initial comprehensive version of the CMMC framework. While many questions remain regarding the content of the final CMMC framework and how DOD will implement CMMC requirements, DOD has repeatedly expressed its intent to require CMMC certifications for procurements starting in fall 2020.

For many organizations, achieving CMMC compliance will require significant effort. Accordingly, contractors should continue to carefully review draft CMMC documents and to take steps to begin implementing required CMMC “capabilities” and “practices.” Absent such advance planning, contractors risk falling “behind the curve,” or compromising their competitive position in future DOD procurements. Additionally, contractors should begin discussing CMMC implementation with their subcontractors and lower-tiered suppliers to ensure they are aware of DOD’s new requirements and are prepared to achieve CMMC certification as needed.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume IX, Number 355

About this Author

Daniel D. Straus, Associate, Greenberg Traurig, LLP (Government Contracts)

Daniel D. Straus is an associate in the firm’s Washington, D.C. office. He is a member of the Government Contracts & Projects Group. Prior to joining the firm, he served as an Attorney for the United States Nuclear Regulatory Commission (NRC). At the NRC, he represented the Agency in bid protests and advised the Staff on a variety of contracting and procurement issues.

202.530.8508