July 12, 2020


DoD’s Cybersecurity Maturity Model Certification Is Here: What Your Business Needs to Do to Prepare

On September 1, 2020, Department of Defense (DoD) contractors will be required to comply with the recently released Cybersecurity Maturity Model Certification (CMMC) requirements. The CMMC requirements are designed to ensure that suppliers, contractors and subcontractors working with the DoD’s Office of Acquisition and Sustainment have cybersecurity frameworks in place “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).” Through the creation of the CMMC, DoD appears to be enhancing the requirements of NIST 800-171, ISO 27001 and other cybersecurity-related frameworks.

The CMMC model delineates five “maturity” levels, with level 1 being the least secure and level 5 being the most secure. Once the CMMC takes effect, DoD will assign all solicitations an appropriate maturity level that bidders must be able to meet if they wish to bid on the solicitation.

Potential bidders also will have to meet 17 “security domains” within each of the five maturity levels of the CMMC. These maturity levels are cumulative, meaning that if a company wants to certify at level 3 under the CMMC requirements, it would also have to comply with all of the requirements of levels 1 and 2. Thus, a winning level 5 bidder could be required to comply with up to 171 different cybersecurity requirements in order to meet CMMC certification guidelines. The level of maturity that a company will need to obtain will be based on the amount of sensitive data, Controlled Unclassified Information (CUI), and unclassified data that requires specific safeguarding that the company works with or plans to work with as a DoD contractor or subcontractor.

One of the most notable aspects of the CMMC requirements is that they prohibit contractors and subcontractors from “self-certifying” their cybersecurity readiness. Under the CMMC, contractors will need to have an official, independent third-party assessment organization (“C3PAO”) conduct a formal certification inspection to ensure that the DoD contractor is in strict compliance with the CMMC requirements. Failure to comply with the requirements of a particular maturity level renders the contractor unable to bid on new DoD solicitations that require the maturity level in question. Although the CMMC guidelines currently do not appear to be retroactive, DoD solicitations will begin referring to CMMC requirements as early as June 1, 2020, and the requirements will become mandatory on September 1, 2020.

Given the impending deadlines, the time for DoD contractors and subcontractors to start preparing to comply with the CMMC requirements is now. Faegre Drinker’s team can assist in the preparation process, including, among other things, the C3PAO compliance process. The firm also has prepared an assessment and compliance tool to assist businesses in achieving maturity levels 1 through 5 and in developing the necessary policies, procedures and gap analyses to comply with the CMMC requirements.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 106


About this Author

Peter Baldwin, Securities lawyer, Drinker Biddle

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central...

(212) 248-3147

Jason G. Weiss is an attorney and award-winning law enforcement and cybersecurity professional who served with distinction for over two decades at the Federal Bureau of Investigation. He is Counsel in Drinker, Biddle and Reath’s Information Governance and E-Discovery group, where his practice focuses on cybersecurity incident preparedness and response, compliance with CCPA and other information governance laws and requirements, as well as data analytics, investigations, and e-discovery.

Prior to joining Drinker Biddle, he was most recently a Supervisory Special Agent in the FBI Los Angeles Cyber and Forensics branch, where he founded, designed, and led a nationally recognized and accredited computer forensics laboratory. With deep expertise in the management of data breaches, computer intrusion, cybercrime, forensic investigation, white collar crime, counterintelligence, and counterterrorism, Jason also provided FBI-wide legal, technical, and management expertise in connection with hundreds of nationally recognized investigations.

In addition to a broad array of cybersecurity and forensics experience, Jason is a noted instructor and speaker, teaching dozens of cybersecurity and forensics courses domestically and internationally to FBI staff, law enforcement agencies, and private sector partners. He has been an instructor at California State University Fullerton since 2008 and is a sought-after speaker at multiple industry events.

As an attorney, Jason has experience in complex business, real estate, and insurance law as well as commercial transactions. He served as legal clerk and intern for the Honorable D. Howell Jensen, U.S. District Court, and at the Santa Clara County District Attorney’s Office.

Jason is the founding Laboratory Director of the Orange County Regional Computer Forensics, working to make that facility the largest of its kind in the nation, with 17 partner agencies and 30+ full-time laboratory personnel. He also expanded the mobile forensics program into one of the largest and most successful in the country.

Jason holds numerous certifications and memberships in the areas of global information security, computer forensics, laboratory management, and more. He has additional professional training, including 2,500 hours of Specialized Computer Forensics, Cyber, Management, and Laboratory Accreditation classes and instruction.