Mary Beth Bosco is a Partner in Holland & Knight's Washington D.C. office
Eric Crusius is a Partner in Holland & Knight's Tysons office

Details concerning the U.S. Department of Defense's (DoD) new cybersecurity standards are emerging. Compliance with this new set of security standards, called the Cybersecurity Maturity Model Certification (CMMC), will be required in order for DoD contractors to compete for contracts. This Holland & Knight client alert will cover what is known about the standards, the certification process and the schedule for implementation of the CMMC program.

Contractors should be aware that DoD is holding briefing sessions for contractors throughout the remainder of the summer. The CMMC website lists the locations of these sessions, and DoD has solicited requests for additional cities. If you are interested in suggesting an additional location, you can submit the request through the CMMC website.

What Will the CMMC Standards Look Like?

The CMMC criteria will be very important to DoD contractors, impacting whether or not a contractor can submit a proposal for a contract for which it would otherwise be eligible. While not yet complete, the CMMC standards will certainly be based at least in part on National Institute of Science and Technology (NIST) Publications 800-171 and 800-171B. NIST Publication 800-171 is the standard on which the current DoD cybersecurity rules are based. NIST 800-171B contains the standards to be applied when a contractor is defending against Advanced Persistent Threats. DoD has also stated that it intends to review international cybersecurity laws and regulations, including those of the United Kingdom, Australia and Japan, and incorporate some of these standards if appropriate.

As developed so far, the CMMC program will contain five "levels" of requirements, with Level 1 being the least stringent. The levels are:

CMMC Level 5 Advance/Progressive; 4 security controls; Map to NIST 800-171B
CMMC Level 4 Proactive; 26 security controls; Map to NIST 800-171B
CMMC Level 3 Good Cyber Hygiene; 47 security controls; Map to NIST 800-171
CMMC Level 2 Intermediate Cyber Hygiene; 46 security controls; Map to NIST 800-171
CMMC Level 1 Basic Cyber Hygiene; 17 security controls; Map to NIST 800-171

How Will DoD Use the CMMC Standards?

The importance of the new CMMC standards cannot be overstressed. Beginning in June 2020 for requests for information (RFI) and in September 2020 for requests for proposal (RFP), DoD solicitations involving confidential unclassified information will be assigned a level. In order to submit a proposal, a contractor must have a third-party certification that its cybersecurity program complies with the applicable level. In other words, in the absence of the appropriate certification, a contractor will not be able to submit a proposal.

How Does a Contractor Get Certified?

The CMMC program will not accept self-certifications, but will require contractors to obtain third-party certifications as to their compliance with the applicable standards. DoD plans to use nonprofit organizations to train the third-party certifiers, who must go through this training to qualify for the CMMC program. The nonprofit trainers have not been announced to date.

What Is the Schedule for Obtaining Certifications?

DoD plans to release the CMMC standards this September or October. The nonprofit training sessions are scheduled to begin in January 2020. As soon as companies qualify to act as third-party certifiers, they can begin their evaluations and issuance of certifications to contractors. Under the current implementation schedule, DoD RFIs will begin to include the CMMC requirement in June 2020. The requirement will start appearing in RFPs in September 2020.

The development and implementation of the CMMC program is a work in progress. Holland & Knight will continue to monitor and report on new developments.
