On January 31, 2020, the Department of Defense released its latest version of the Cybersecurity Maturity Model Certification (“CMMC”) for defense contractors. Under the CMMC plan, DOD contractors will be required to obtain a cybersecurity rating from Level 1 through Level 5. Self-certification will not be permitted. Given the significant investment of industry resources the CMMC may require, the DOD eased some concerns by announcing that it would roll out the CMMC program out in stages. A new Defense federal Acquisition Regulation Supplement (“DFARS”) clause is expected in the spring of 2020, and CMMC requirements are anticipated to be included in certain limited Requests for Information released starting June 2020. Ultimately, all DOD contracts will include a minimum cybersecurity requirement by 2026.
Some questions about the CMMC audit process for contractors remain unanswered. The DOD plans to have a nonprofit oversight body handle the certification process and approve third-party auditors, but the DOD has not specified how the audits will be conducted, whether contractors will be able to choose their auditor, and the appeal options available to contractors if they disagree with the audit findings. If a contractor does not meet the minimum CMMC level, then the contractor will be unqualified to bid on the contract, so an appeal process is of critical interest.
The latest version of the CMMC also clarifies that the cybersecurity requirements for subcontractors will depend on what information has been shared by prime contractors. Therefore, a subcontractor may not have the same cybersecurity requirements as a prime contractor.
Although the CMMC program will increase the cost of compliance for contractors, it may provide some False Claims Act protection. In the past, contractors have had to self-certify their compliance under the applicable DFARS clauses that rely heavily on the NIST framework. A neutral, third-party certifying a contractor’s level of cybersecurity could reduce the contractor’s exposure for False Claims Act liability by providing additional support for the information provided and representations made as part of the bid process.