W.C. Fields once said that there comes a time in everyone’s life when they “must take the bull by the tail and face the situation.” For contractors in the Defense Industrial Base (DIB), that time has apparently come when, at long last, the Cybersecurity Maturity Model Certification (CMMC) Program began its phased rollout Nov. 10.

As previously discussed, Phase 1 sees the incorporation of the new DFARS CMMC clause into all solicitations involving the handling of Federally Controlled Information (FCI) or Controlled Unclassified Information (CUI) at a level for which a self-assessment is required. Phase 2 will begin a year from now, when the clause will be incorporated in all solicitations involving the handling of CUI at a level for which an assessment by a CMMC third-party assessment organization (C3PAO) is required. This will be followed by Phase 3, when the clause will be incorporated in all solicitations involving the handling of CUI at a level for which an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is required. Full implementation is scheduled to occur in November 2028 – less than three years away!

Now that CMMC compliance has arrived and is here to stay, what should DIB contractors expect? For one thing, increased enforcement by the Department of Justice’s (DOJ) Civil-Cyber Fraud Initiative. But the DOJ cannot investigate and prosecute every alleged False Claims Act (FCA) violation stemming from contractors’ CMMC assessment scores and annual affirmations of compliance. And while the risk of an FCA lawsuit brought by a private relator will certainly remain, there exists a much likelier candidate for how industry may self-police compliance with the new CMMC rules: the bid protest process.

The new DFARS clause does not just require CMMC compliance but rather makes it a condition for award. This means an offeror’s unpreparedness with CMMC has the potential to render it ineligible for government contracts with the Department of Defense. This makes the stakes for a pre-award protest challenging the CMMC level assigned to a procurement even higher. It also means contractors should expect to see their awards challenged by rivals questioning their CMMC compliance and their teammates’ compliance at every stage of the supply chain.

Pre-Award Issues

DFARS 252.204-7025 now requires the Contracting Officer to insert the CMMC level required by a solicitation by selecting from CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC). Because it will be “required prior to award for each contractor information system that will process, store, or transmit [FCI] or [CUI] during performance of the contract,” the level selected by the Contracting Officer will significantly impact the number of eligible competitors. Accordingly, offerors not yet compliant with the CMMC level selected should consider whether they have a basis for protesting the solicitation as unduly restrictive of competition. Conversely, Level 2 (C3PAO) and Level 3 (DIBCAC) certified offerors may want to protest a Contracting Officer’s selection of a lower CMMC level as violative of 13 C.F.R. Part 170 if they believe categories of CUI not suitable for self-assessment will be handled. Doing so could potentially increase their chances of receiving the award against a smaller pool of eligible offerors.

Of course, there are other means by which contractors can influence the Contracting Officer’s selection of the CMMC level. Offerors should respond to requests for information issued in relation to requirements involving the handling of FCI and CUI to weigh in on which CMMC level should be selected. In addition, many procurements include a question-and-answer period. If an offeror believes the CMMC level initially selected is incorrect, they can raise that in a carefully tailored question. The Contracting Office may agree to change the CMMC level. But if they don’t, the offeror will have to file a pre-award protest if it wants any chance of having the CMMC level altered.    

Post-Award Issues

DFARS 252.204-7025 also makes clear that an offeror “will not be eligible for award of a contract” if it does not have, “for each of the contractor information systems” handling FCI or CUI during performance, (1) a current CMMC certificate or status entered in the Supplier Performance Risk System (SPRS) at the required CMMC level, and (2) a current “affirmation of continuous compliance” with the required CMMC level entered in SPRS as well. In other words, CMMC is a material solicitation requirement that cannot be waived by the Contracting Officer. So, if a competitor suspected of not being CMMC compliant at the time of award wins the contract, a sustained protest of that award on the basis that the awardee is ineligible to compete would mandate the cancellation of the contract to the competitor.

Keep in mind, however, that what is good for the goose is good for the gander. If your company does not have a passing CMMC score or current affirmation of compliance posted on SPRS, then regardless of your competitor’s CMMC status, your company would be unable to protest the award because it would lack “interested party” standing to do so. Both the Government Accountability Office (GAO) and the Court of Federal Claims (COFC) require unsuccessful offerors to demonstrate some type of competitive harm resulting from the award. Suffice it to say, an offeror that was never CMMC compliant in the first place cannot be said to have been harmed by an award containing the new DFARS CMMC clause. If your company is not CMMC compliant, expect any protest you may mount to get dismissed for lack of “interested party” standing.

All of this depends, of course, on whether the awardee’s noncompliance can be adequately alleged and proven by the protester, or in the case of the awardee seeking a dismissal in intervention, whether the protester’s noncompliance can be demonstrated. SPRS does not allow contractors to view the CMMC assessment scores and affirmations of compliance of their peers, and recent cases from both GAO and COFC have reaffirmed that more than just conclusory allegations are needed to survive summary dismissal. Thus, contractors will need to attach declarations and other documents with their pleadings to prove their competitors’ noncompliance, especially if the administrative record has not yet been produced.

Subcontracting Issues

Not only is CMMC compliance required prior to award of a prime contract, but DFARS 252.204-7021 requires prime contractors to ensure their subcontractors and suppliers have a current CMMC certificate or status and a current affirmation of compliance “[p]rior to awarding a subcontract or other contractual instrument.” And this applies to all levels of the supply chain, except for commercially available off-the-shelf items. Consequently, any noncompliance by a subcontractor or supplier, no matter how far down the supply chain they are, renders them ineligible for subcontract award.

What does this mean for companies seeking a subcontract award? Can they protest the award of a subcontract to one of their competitors that they suspect are not CMMC compliant? Unfortunately for these prospective subcontractors, the Federal Circuit sitting en banc recently foreclosed this avenue of relief by holding that protester standing applies to unsuccessful actual or prospective prime contract offerors only.

However, prime contract offerors may have a basis to challenge their competitors’ proposals if they have factual grounds to believe that any of their competitors’ suppliers at any level of the supply chain is not compliant with CMMC. Recall that the DFARS clause requires CMMC compliance “for all information systems” handling FCI or CUI during performance. And prime contractors must ensure their suppliers’ compliance with the appropriate CMMC level applicable to “the information that is being flowed down to the subcontractor based on the requirements at 32 C.F.R. § 170.23.”

Any offeror proposing as part of a contractor team arrangement should ensure that each teammate expected to process, store or transmit FCI or CUI has a current CMMC certificate or status appropriate to the kinds of information they will handle prior to award. Otherwise, the entire team’s proposal efforts could be thrown out with the bathwater.

Conclusion

CMMC has arrived and is here to stay. Any DIB contractor wishing to do business with the government or as a subcontractor needs to become and remain CMMC compliant now. The consequences for unpreparedness are severe and include lost revenues from procurements for which CMMC is a mandatory requirement. Pre-award protests could help even the playing field by putting pressure on procuring agencies to lower the CMMC level selected for a particular solicitation, which would allow for greater competition.

Conversely, post-award protests will help ensure noncompliant offerors do not reap the rewards of ill-begotten contracts at the expense of CMMC compliant offerors and, ultimately, our national cybersecurity defense. Either way, contractors in the DIB should consider their protest options whenever they compete for a contract involving the handling of FCI or CUI.

Miles & Stockbridge’s government contracts lawyers will continue to monitor the impact of the rollout of CMMC on bid protests and other components of government contracting, and are available to assist and answer any questions about the bid protest process.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.