DOD Issues “Draft Version 0.7” of Its Cybersecurity Maturity Model Certification (CMMC), Leaving Many Questions Unanswered

M&S Industry Alert
On December 13, 2019, DOD issued “Draft Version 0.7” of its Cybersecurity Maturity Model Certification (CMMC) to the public. Version 0.7 is a 190-page document, compared to the 90-page Version 0.6 issued in November of this year. Most of the increased length of Version 0.7 is attributable to two new appendices providing “Discussion and Clarification” for CMMC Levels 2 and 3. The new information in Version 0.7 does not, however, address many fundamental questions associated with the CMMC initiative.

Background

As discussed in a prior blog post, DOD has relied on contractor self-attestation of compliance with the cybersecurity clause at DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” However, DOD has concluded that the steps taken to date are not enough and that the level of contractor compliance is unsatisfactory. As such, DOD launched the CMMC initiative this year, which includes the goal of using CMMC third-party assessment organizations (C3PAOs) to audit the entire DOD supply chain against five maturity levels ranging from basic to advanced cyber hygiene. The level required for each procurement will (at some point) be specified in RFIs and RFPs. Unless a higher level is specified, all contractors must meet CMMC Level 1. DOD also is working to establish a non-profit “Accreditation Body” that will grant accreditations to the C3PAOs.

Draft Version 0.6

DOD issued Draft CMMC Version 0.6 in November 2019. As with Version 0.4 (issued on September 5, 2019), Version 0.6 used a CMMC Model framework that categorized cybersecurity best practices within “Domains,” which were segmented into a set of “Capabilities,” which in turn were further broken down into “Practices” and “Processes.” Practices measure the technical activities required to achieve a given Capability, while Processes measure how well a company has institutionalized those activities, i.e., its process maturity. Version 0.6 significantly reduced the Model size, modified the Practices and Processes, and provided clarifications and examples for CMMC Level 1. Version 0.6 noted that updates to Levels 4 and 5 would be provided later because DOD was still addressing the public comments it received in response to Version 0.4.

Version 0.7

Version 0.7 includes 17 Domains and 43 Capabilities.  Appendix A of both Versions 0.6 and 0.7 consists of a chart showing, for each Domain and Capability, the Practices associated with Levels 1 through 3. However, the chart for Version 0.7 – unlike the chart for Version 0.6 – lists Practices for Levels 4 and 5 as well. Version 0.7 includes a total of 173 Practices for all five levels.  As noted in CMMC slides recently produced by DOD, Version 0.7 reduced the number of Practices for Levels 4 and 5 by 52% by removing 46 Practices. Version 0.7 lists 9 Processes for Levels 2 through 5 (0 Processes for Level 1). Versions 0.6 and 0.7 both include an Appendix B covering “CMMC Level 1 Discussion and Clarification.” However, Version 0.7 adds new Appendices C and D covering Discussion and Clarification for Levels 2 and 3, respectively.  Version 0.7 also includes a new Appendix E, “CMMC Maturity Process Discussion and Clarification,” discussing the 9 Processes. The new Appendices C through E account for the increase in length from Version 0.6 (90 pages) to Version 0.7 (190 pages), with Appendix C (73 pages) accounting for most of the added length. DOD’s recent slides include a summary of changes from Versions 0.4 through Version 0.7.

The CMMC Schedule

Version 0.7 states that DOD is planning to release CMMC Version 1.0 at the end of January 2020. DOD’s recent CMMC slides include a chart entitled “Draft CMMC Development Schedule” setting forth other key dates, including the establishment of the Accreditation Body, and a Memorandum of Understanding between that Body and DOD, in January 2020; the start of accreditations of C3PAOs in March 2020; and the start of assessments by C3PAOs in June 2020.  Previously, the schedule in Version 0.4 stated that “CMMC Rev.1” would be included in RFPs in the Fall of 2020. It is difficult to see how DOD can meet that deadline. Even assuming that C3PAOs are able to begin conducting assessments of contractors in June 2020 – which is questionable – they will not be able to complete assessments of all 300,000 organizations in the Defense supply chain by the Fall of 2020.

Open Questions

Version 0.7 leaves open the following questions raised in the prior blog post:

  • How will DOD determine specific Levels for each procurement?
  • How long will it take to become certified at each Level, and what will those processes entail?
  • How long will a certification Level assigned to a contractor remain valid?
  • What rights will contractors have to disagree with/appeal from assessments by certifiers?
  • Will CMMC apply to grants and cooperative agreements?

Conclusion

As with Version 0.6, DOD is not going through the formal rulemaking notice and comment process in the Federal Register for Version 0.7. However, DOD has opened a new DFARS Case, No. 2019-D041, entitled “Strategic Assessment and Certification Cyber Security Requirements.”  The synopsis states:  “Implements a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the [NIST SP] 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  Although this information does not specifically mention CMMC, DOD has indicated that CMMC will be addressed as part of the DFARS Case.  While we wait for DOD to issue a proposed rule for public comment, the Department is plowing ahead with the CMMC initiative and all its moving parts.  Stay tuned for further developments.

Any opinions expressed and any legal positions asserted in the article are those of the author(s) and do not necessarily reflect the opinions or positions of Miles & Stockbridge P.C. or its other lawyers. This article is for general information purposes and is not intended to be and should not be taken as legal advice on any particular matter. It is not intended to and does not create any attorney-client relationship. Because legal advice must vary with individual circumstances, do not act or refrain from acting on the basis of this article without consulting professional legal counsel. If you would like additional information on the subject matter of this article, please feel free to contact any of the lawyers listed above. If you communicate with us, whether through email or other means, your communication does not establish an attorney-client relationship with either Miles & Stockbridge P.C. or any of the firm's lawyers. At Miles & Stockbridge P.C., an attorney-client relationship can be formed only by personal contact with an individual lawyer, not by email, and requires our agreement to act as your legal counsel together with your execution of a written engagement agreement with Miles & Stockbridge P.C.