March 8, 2021

Volume XI, Number 67

DoD’s Cybersecurity Maturity Model Certification Is Here: What Your Business Needs to Do to Prepare

On September 1, 2020, Department of Defense (DoD) contractors will be required to comply with the recently released Cybersecurity Maturity Model Certification (CMMC) requirements. The CMMC requirements are designed to ensure that suppliers, contractors and subcontractors working with the DoD’s Office of Acquisition and Sustainment have cybersecurity frameworks in place “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).” Through the creation of the CMMC, DoD appears to be enhancing the requirements of NIST 800-171, ISO 27001 and other cybersecurity-related frameworks.

The CMMC model delineates five “maturity” levels, with level 1 being the least secure and level 5 being the most secure. Once the CMMC takes effect, DoD will assign all solicitations an appropriate maturity level that bidders must be able to meet if they wish to bid on the solicitation.

Potential bidders also will have to meet 17 “security domains” within each of the five maturity levels of the CMMC. These maturity levels are cumulative, meaning that if a company wants to certify at level 3 under the CMMC requirements, it would also have to comply with all of the requirements of levels 1 and 2. Thus, a winning level 5 bidder could be required to comply with up to 171 different cybersecurity requirements in order to meet CMMC certification guidelines. The level of maturity that a company will need to obtain will be based on the amount of sensitive data, Controlled Unclassified Information (CUI), and unclassified data that requires specific safeguarding that the company works with or plans to work with as a DoD contractor or subcontractor.

One of the most notable aspects of the CMMC requirements is that they prohibit contractors and subcontractors from “self-certifying” their cybersecurity readiness. Under the CMMC, contractors will need to have an official, independent third-party assessment organization (“C3PAO”) conduct a formal certification inspection to ensure that the DoD contractor is in strict compliance with the CMMC requirements. Failure to comply with the requirements of a particular maturity level renders the contractor unable to bid on new DoD solicitations that require the maturity level in question. Although the CMMC guidelines currently do not appear to be retroactive, DoD solicitations will begin referring to CMMC requirements as early as June 1, 2020, and the requirements will become mandatory on September 1, 2020.

Given the impending deadlines, the time for DoD contractors and subcontractors to start preparing to comply with the CMMC requirements is now. Faegre Drinker’s team can assist in the preparation process, including, among other things, the C3PAO compliance process. The firm also has prepared an assessment and compliance tool to assist businesses in achieving maturity levels 1 through 5 and in developing the necessary policies, procedures and gap analyses to comply with the CMMC requirements.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 106
About this Author

Peter Baldwin, Securities lawyer, Drinker Biddle
Partner

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central...

(212) 248-3147
Counsel

Jason G. Weiss is an attorney and award-winning law enforcement and cybersecurity professional who served with distinction for over two decades at the Federal Bureau of Investigation. He is Counsel in Drinker, Biddle and Reath’s Information Governance and E-Discovery group, where his practice focuses on cybersecurity incident preparedness and response, compliance with CCPA and other information governance laws and requirements, as well as data analytics, investigations, and e-discovery.

Prior to joining Drinker Biddle, he was most recently a Supervisory Special...

310-203-4062