July 9, 2020

Volume X, Number 191

July 08, 2020

Subscribe to Latest Legal News and Analysis

July 07, 2020

Subscribe to Latest Legal News and Analysis

July 06, 2020

Subscribe to Latest Legal News and Analysis

Tackling Increased Cybersecurity Requirements In The Defense Industrial Base

On January 30, the US Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which will require DoD contractors and subcontractors to obtain third-party certification of their cybersecurity maturity. This article discusses why the DoD created the CMMC, what will be required to achieve certification, and how legal counsel will play an important role in managing risks arising from the certification process.


On January 30, 2020, the US Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which is available here, with appendices available here. This highly anticipated 390-page release supersedes the prior draft versions, the last of which was released in December 2019. The DoD will begin requiring contractors to obtain certification under the CMMC later this year, giving companies in the supply chain little time to assess their obligations, identify and remediate cybersecurity weaknesses that might preclude their desired certification, retain an appropriate certification vendor and obtain the certification.

This certification process raises a host of legal considerations. For instance, the identification of cyber weaknesses requires a candid and thorough assessment that will result in a list of the areas where the contractor’s cybersecurity is lacking. This list may be critical in mitigating cyber risks, helping to plan for certification and in reducing the business risks that would result from a failed certification effort, but it also can be highly damaging from a legal risk perspective, especially in the hands of plaintiffs’ lawyers or regulators that may want to use it to support allegations of inadequate security. The same information required to support certification could be used to establish that a DoD contractor knew of risks and failed to take action.

These considerations underscore the importance of involving legal counsel in the process and taking steps to support a claim that key self-critical deliverables are protected under attorney-client and/or work-product privileges, while also ensuring that the contractor fully prepares for CMMC certification.

Why Did the DoD Create the CMMC?

The DoD created the CMMC to combat malicious cyber actors targeting intellectual property in the DoD’s supply chain, as such attacks threaten economic security and national security. The CMMC encompasses the security requirements for controlled unclassified information (CUI) specified in NIST SP 800-171 for DFARS Clause 252.204-7012 as well as the basic safeguarding requirements for federal contract information (FCI) specified in FAR Clause 52.204-22.

  • CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and government-wide policies, excluding information classified under Executive Order 13526 or under the Atomic Energy Act of 1954.

  • FCI is information provided by or generated for the government under contract and not intended for public release.

Although DoD contractors have already been subject to requirements for data security and cyber incident reporting, they soon will be required to verify their level of compliance under the CMMC framework in order to continue serving the DoD.

What Are the CMMC Certification Requirements?

The CMMC sets forth five cybersecurity maturity certification levels and associated certification processes. Each CMMC level is cumulative and designed to provide the DoD with increased assurance that a contractor can adequately protect certain types of sensitive information, including CUI and FCI. For example, achieving level 3 requires satisfying all the requirements of levels 1 and 2. Each level provides a cybersecurity focus, process maturity level and practice maturity level:



Process Maturity

Practice Maturity

Level 1

Safeguard FCI



No process assessment

Basic Cyber Hygiene


17 practices (meeting FAR Clause 52.204-21)

Level 2

Transition step to protecting CUI



Document policies and implement practices

Intermediate Cyber Hygiene


72 practices

Level 3

Protect CUI



Establish, maintain and resource a plan

Good Cyber Hygiene


130 practices (includes all NIST SP 800-171 plus others)

Level 4

Protect CUI and reduce risk of advanced persistent threats



Review and measure activities for effectiveness



156 Practices

Level 5



Standardize and optimize an organizational approach



171 Practices

The framework further divides the practices into 17 domains, with most practices contained in six domains: Access Control, Audit and Accountability, Incident Response, Risk Management, Systems and Communications Protection, and System and Information Integrity. The remaining 11 domains have most of their practices required for higher levels of certification.

What to Expect Next

The DoD will implement CMMC certification as part of its procurement processes in 2020. Select DoD requests for information are expected to have CMMC certification requirements this summer. By fall 2020, CMMC requirements are also expected for requests for proposals. Because the CMMC requires attestation by an accredited assessor, DoD contractors will need to obtain a certification from yet-to-be named assessors. The assessors are expected to be announced by the CMMC Accreditation Body. More information is available in the CMMC’s FAQs.

The Role of Counsel in CMMC Preparation

Any DoD contractor or subcontractor will need to become CMMC certified by an accredited assessor in the coming years. It is imperative that companies seeking DoD contracts or doing business with DoD contractors on projects involving CUI and FCI carefully consider the CMMC level that they will be required to achieve and prepare to undergo the CMMC certification process.

Companies also should consider whether and to what extent to conduct their pre-audit, preparatory activities under a claim of attorney-client privilege. The preparation process necessarily will require consideration of many areas on which legal advice may be necessary, including:

  • Analysis of legal obligations under DFARS

  • Cyber improvement priorities based on legal/regulatory considerations

  • Advice on the scope of the company’s network that is subject to the CMMC certification requirement

  • Advice with respect to controls that are impracticable, including whether compensating controls are sufficient with respect to particular CMMC requirements

  • Advice on legal/regulatory risk mitigation in contracts up and down the DoD supply chain.

There are a number of steps companies should consider taking to support a claim of attorney-client and work-product privilege, keeping in mind that success on a claim of privilege is not guaranteed and may turn on jurisdiction-specific issues. These steps largely involve counsel:

  • Taking an active role in the assessment process

  • Implementing a strict confidential communications protocol

  • Running meetings and conducting interviews to gather information pertinent to the legal issues

  • Reviewing and revising draft reports

  • Communicating work product to the company’s leadership

  • Providing analysis of legal and compliance risks relevant to improving the DoD contractor’s chances of obtaining the desired CMMC certification.

Taking these precautionary steps can support arguments that may keep the pre-certification assessment and resulting list of compliance gaps out of the hands of regulators and interested plaintiff’s attorneys down the road, and provide confidence that legal issues have been considered in the CMMC certification process.

© 2020 McDermott Will & EmeryNational Law Review, Volume X, Number 34


About this Author

Laura E. Jehl Partner Global Privacy & Cybersecurity  Autonomous Vehicles  Compliance  Consumer Data & Digital Marketing  Cross-Border Data Protection  Data Breach Management  Data Licensing & Strategies  Employer Data Privacy  Health Information Privacy  Information Security & Risk Mitigation  Privacy Litigation & Governmental Investigations  FinTech and Blockchain  Technology & Commercial Transactions  Telecommunications Transactions  Energy  Food, Beverage & Agribusiness  Healthcare  Technology  Alcohol

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and technological challenges...


James W. Kim is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Washington, D.C., office.  James focuses his practice on representing clients in a wide variety of matters related to government contracting, with additional expertise related to the healthcare industry.

202 756 8386
Michael G. Morgan Prvacy Attorney McDermott Will & Emery Law Firm

Michael G. Morgan represents clients in class actions, litigation and other matters involving cybersecurity, privacy, and protection of consumer and business data. He is co-leader of the Firm’s Privacy and Data Protection practice.

With more than 20 years’ experience in data security and privacy matters, Michael advises clients on cyber incident preparation, prevention and response; compliance with US and EU laws and regulations; completion of enterprise-wide cybersecurity assessments; and data security policies and best practices. He has...

310 551 9366

Lynette Arce focuses her practice in privacy and data security matters. She assists clients with drafting domestic privacy policies in accordance with state and federal laws, as well as custom incident response plans in the event of a breach. She also assesses companies cybersecurity preparedness and cyber risk exposure in the context of corporate mergers and acquisitions. Lynette is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP).

While in law school, Lynette was a member...

312 984 2759
Brian Long Associate | Dallas Corporate & Transactional  Global Privacy & Cybersecurity

Brian Long focuses his practice on transactional and corporate matters, with an emphasis on cybersecurity.

While in law school, Brian was lead articles editor for the SMU Law Review. Prior to attending law school, Brian worked for more than 20 years in the cybersecurity, information security and IT risk management sector.