On January 30, 2020, the U.S. Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”) framework (CMMC overview here; CMMC Version 1.0 and appendices here). By 2026, DoD plans to require CMMC certification for all defense contracts. For companies looking to play a role – any role – in the defense industry supply chain, now is the time to develop, assess, and augment cybersecurity practices.
This alert provides an overview of how the CMMC affects current and prospective DoD contractors; how the DoD plans to implement the CMMC; and what you should be thinking about now to begin ramping up.
The CMMC framework is the DoD’s latest and most sweeping effort to protect the defense supply chain from malicious cyberattacks. DoD has introduced the CMMC as a verification mechanism to seek to ensure that its defense industrial base partners implement what DoD considers to be appropriate practices. The CMMC framework evaluates a company’s ability to safeguard the following types of unclassified information:
- Federal Contract Information (“FCI”) – information provided by or generated for the Government under contract not intended for public release.
- Controlled Unclassified Information (“CUI”) – information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information (December 29, 2009), or the Atomic Energy Act of 1954.
The CMMC framework consists of five, cumulative levels of cybersecurity maturity. Within each maturity level are two types of benchmarks a company must meet to demonstrate achievement at that level:
- Practices – the company must be able to implement enumerated cybersecurity measures for the particular level; and
- Processes – the company must demonstrate the required Practices are ingrained into its operations to the extent required for the particular level (“institutionalization”).
Practices and Processes measure proficiency across a set of domains, such as access control, incident response, and risk management. DoD has scaled the Practices and Processes to each maturity level based on factors such as the type and sensitivity of information needing protection and the range of threats posed, among others. As the information sensitivity and adversarial threats involved in a contract increase, the DoD is to require a higher maturity level from bidding contractors. Level 1 is the most basic level of maturity, where a company may only perform certain security practices on an ad hoc basis. Level 2 is a transitional level of maturity and requires a company to have documented practices and policies in place as it prepares to protect CUI. Level 3 focuses on the protection of CUI and incorporates all NIST SP 800-171 standards, among other practices. Levels 4 and 5 require greater cybersecurity sophistication, including the ability to proactively measure and assess cybersecurity practices and take corrective action when necessary. To achieve certification at a higher level, a company must meet the requirements of all lower levels. The CMMC framework incorporates several existing standards and frameworks, such as the NIST 800-171r1, the forthcoming NIST 171-Bravo, AIA NAS9933, and ISO 270001.
|Safeguard FCI||Access Control
Audit and Accountability
Awareness and Training
Identification and Authentication
System and Communications Protection
System and Information Integrity
(Not Assessed by DoD)
Company may only perform certain security practices in an ad hoc manner and may or may not rely on documentation.
|Basic Cyber Hygiene (17)
All safeguarding requirements from 48 CFR 52.204-21, Federal Acquisition Regulation (“FAR”), Basic Safeguarding of Contractor Information Systems.
Transition Step to Protect CUI
Intermediate Cyber Hygiene (72)
Good Cyber Hygiene (130)
Protect CUI and Reduce Risk of Advanced Persistent Threats (APTs)
Standardize and optimize process implementation across the organization.
Advanced / Progressive (171)
The CMMC Appendices provide a more in-depth look at the cybersecurity practices required at each Maturity Level. For each of the 172 identified Practices, DoD provides a “Discussion from Source” (the NIST, FAR Clause, or CIS, etc. providing the basis for the Practice requirement), a “CMMC Clarification” (additional discussion through practical examples), and “References” (citations to the applicable industry cybersecurity frameworks). Of special note is Appendix E, which provides a Source Mapping, showing how CMMC practices correspond to existing frameworks.
DoD Press Conference
During a January 31, 2020, press conference, DoD emphasized the framework’s scalability and sought to quell concerns that the CMMC will disproportionately burden small and mid-sized businesses. Chief Information Officer for the Assistant Secretary of Defense for Acquisition and Sustainment, Katie Arrington, clarified that the CMMC level required for a prime contractor does not necessitate that same CMMC level for all subcontractors. For example, a prime contractor may require a Level 3 certification, but if the subcontractor does not handle CUI, then that subcontractor would only require a Level 1.
CMMC Accreditation Process (Stay Tuned)
As DoD begins integrating CMMC requirements into defense contracts over the next five years, companies will need to be certified by Certified Third-Party Assessment Organizations (“C-3PAOs”). Earlier in January, an Accreditation Body (“AB”) made up of “unbiased parties” from across the cybersecurity community, including the defense industrial base and academia, was created to oversee the training, quality, and administration of the C-3PAOs. DoD is currently drafting a Memorandum of Understanding (“MOU”) with the AB, which will outline its roles and responsibilities. Conflicts of interest will be of primary concern to ensure that auditors cannot review their own company. DoD is currently working to select third-party certification vendors, though none has been designated as qualified yet. DoD has not released the names of the contending vendors.
Many questions remain as to what the accreditation process will entail and how it will affect companies. The official CMMC website FAQs state that the duration of certification is still under consideration, but during the January 31 press conference, Ms. Arrington indicated a certification would be “good” for three years and would apply to whatever defense contracts the company enters into. In addition, the cost of CMMC certification has not yet been determined. 
Even companies contracting under DoD’s Other Transaction Authority (“OTA”) and not under the Defense Federal Acquisition Regulation Supplement (“DFARS”) may still need to earn CMMC certification. At the January 31 press conference, Ms. Arrington stated that DoD is working to include CMMC as a technical requirement for OTA and other non-DFARS contracts.
DoD’s “Crawl, Walk, Run” Approach to CMMC Rollout
During the January 31 press conference, Ms. Arrington highlighted DoD’s projected timeline for CMMC rollout. She made clear that CMMC implementation is not retroactive – only new defense contracts will require CMMC certification. Ms. Arrington also emphasized that DoD will be taking a “crawl-walk-run” approach to implementation as set forth in the following timeline.
DoD’s Projected CMMC Implementation Timeline
- January – AB created to oversee the training, quality, and administration of the C-3PAOs that will assess and certify defense contractors and subcontractors under the CMMC framework. CMMC Version 1.0 released on January 30.
- March / April – Additional information should be posted on the AB’s website. The AB will establish requirements for candidate C-3PAOs and individual assessors.
- June – DoD plans to include CMMC requirements in select Requests for Information (“RFIs”) (DoD’s target is 10). In addition, CMMC training should become available through Defense Acquisition University.
- Spring / Summer – DoD plans to carry out rulemaking for an updated DFARS that incorporates CMMC.
- September/October – DoD plans to include CMMC requirements in corresponding Requests for Proposals (“RFPs”), based on the updated DFARS. DoD estimates that each awarded contract would include approximately 150 subcontractors. CMMC standards will be required at the time of each contract award.
Fiscal Year 2021 – 2025
- DoD will roll out CMMC requirements into new RFIs and RFPs. DoD anticipates a five-year rollout, as the standard DoD acquisition cycle is five years (one base year, plus four option years).
Fiscal Year 2026
- DoD anticipates CMMC rollout will be complete. All DoD contracts will now include CMMC requirements.
Key Takeaways and How Orrick Can Help Companies Prepare for CMMC Implementation:
- CMMC Affects All Companies Doing Business with DoD. CMMC certification will eventually be required for all DoD contractors and subcontractors – no matter their size or how far down they fall in the defense supply chain. The DoD has noted cybersecurity concerns for companies that are even six, seven, or eight levels down the supply chain, so all companies working with DoD need to prepare for CMMC implementation.
- Watch Closely as CMMC Rolls Out. DoD is set to start requiring CMMC certification as soon as June 2020 for certain “pathfinder” programs. DoD has stated that it will not be inserting CMMC into existing contracts. However, over the next five years, it is contemplated that all companies doing business with DoD will need CMMC certification. DoD recommends the companies monitor the CMMC and AB websites as new information becomes available.
- Pre-CMMC Assessments. Companies potentially subject to the CMMC should engage counsel to evaluate their current cybersecurity posture. Our Orrick Cyber/Privacy and Trade/Compliance Team can help companies plan and assess their cybersecurity programs in preparation for third-party CMMC certification.
- Downstream Contracting. DoD not only plans to impose CMMC obligations on prime contractors, but on subcontractors as well. The Orrick Trade/Compliance Team can help at any level of the supply chain to review and evaluate agreements to ensure that they reflect appropriate CMMC flow-down obligations.
Orrick will continue to monitor updates to the DoD’s CMMC framework. If any questions arise regarding the CMMC, please contact a member of our Orrick team.
 See Cybersecurity Maturity Model Certification (CMMC) Version 1.0, January 30, 2020, at https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf.
 See id.
 See Cybersecurity Maturity Model Certification (CMMC) Version 1.0 Appendices, January 30, 2020, at https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Appendices_20200203.pdf.
 See Press Briefing by Under Secretary of Defense for Acquisition & Sustainment Ellen M. Lord, Assistant Secretary of Defense for Acquisition Kevin Fahey, and Chief Information Security Officer for Acquisition Katie Arrington, January 31, 2020, at https://www.defense.gov/Newsroom/Transcripts/Transcript/Article/2072073/press-briefing-by-under-secretary-of-defense-for-acquisition-sustainment-ellen/.
 See id.
 See Press Briefing, supra.
 See id.
 See Press Briefing, supra.