Feb 242020

DoD Issues Cybersecurity Maturity Model Certification Version 1.0

Colleen Theresa Brown, Robin Wright Cleary and Christopher Fonzone
, , ,

On January 31, 2020, the Department of Defense released its latest version of the Cybersecurity Maturity Model Certification (“CMMC”) for defense contractors.  Under the CMMC plan, DOD contractors will be required to obtain a cybersecurity rating from Level 1 through Level 5.  Self-certification will not be permitted.  Given the significant investment of industry resources the CMMC may require, the DOD eased some concerns by announcing that it would roll out the CMMC program out in stages.  A new Defense federal Acquisition Regulation Supplement (“DFARS”) clause is expected in the spring of 2020, and CMMC requirements are anticipated to be included in certain limited Requests for Information released starting June 2020.  Ultimately, all DOD contracts will include a minimum cybersecurity requirement by 2026.

Some questions about the CMMC audit process for contractors remain unanswered.  The DOD plans to have a nonprofit oversight body handle the certification process and approve third-party auditors, but the DOD has not specified how the audits will be conducted, whether contractors will be able to choose their auditor, and the appeal options available to contractors if they disagree with the audit findings.  If a contractor does not meet the minimum CMMC level, then the contractor will be unqualified to bid on the contract, so an appeal process is of critical interest.

The latest version of the CMMC also clarifies that the cybersecurity requirements for subcontractors will depend on what information has been shared by prime contractors.  Therefore, a subcontractor may not have the same cybersecurity requirements as a prime contractor.

Although the CMMC program will increase the cost of compliance for contractors, it may provide some False Claims Act protection.  In the past, contractors have had to self-certify their compliance under the applicable DFARS clauses that rely heavily on the NIST framework.  A neutral, third-party certifying a contractor’s level of cybersecurity could reduce the contractor’s exposure for False Claims Act liability by providing additional support for the information provided and representations made as part of the bid process.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Robin Wright Cleary

rwright@sidley.com

Christopher Fonzone

cfonzone@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).