On a limited budget, government contractors need to be compliant with a litany of statutes, regulations, and industry standards in order to remain competitive in the marketplace. This has become particularly true in the cybersecurity context. With no overarching federal law for cybersecurity standards or privacy protection (though the U.S. Senate is in the process of discussing a bipartisan privacy bill, as it has done, unsuccessfully, in prior legislative sessions), rulemaking authorities have taken it upon themselves to create industry regulations governing cybersecurity and data privacy. Some of the most applicable to government contractors, though by no means the only ones, are the regulations found in the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation (“DFARS”). In this labyrinth of cybersecurity requirements, the Department of Defense (“DoD”) often takes the lead in promulgating guidance, so it is beneficial to look to DoD and the defense industrial base (“DIB”) for the future of cybersecurity. This future may come with DoD’s upcoming Cybersecurity Maturity Model Certification (“CMMC”), which could fundamentally alter DoD government contract awards and maintenance.
Where are we now?
DFARS 252.204-7012 and the incorporated security requirements in the National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (collectively, the “DFARS Rule”) is currently the driving force in DoD cybersecurity compliance and sets forth 110 security controls, the response to which can be tailored to entities of all sizes. The DFARS Rule only requires government contractors to self-certify their compliance without providing any significant ability on the part of the government to conduct reasonable audits. For many contractors, the result is a system security plan that represents an ad hoc attempt to satisfy the contractual requirement at minimal cost, with little thought for how it will be implemented.
The benefit of the DFARS Rule, however, has been the flexibility in implementation and the acknowledgment that cybersecurity standards should modulate based on the type of information being secured. That flexibility has led to uncertainty as to how outside observers measure a government contractor’s security controls. Uncertainty, coupled with the ever-growing threat of cybersecurity intrusions, has long fostered within the DIB a sense that heightened standards are inevitable. They may now be imminent.
Where are we going?
More likely than not, government contractors have already heard references to CMMC. Government contractors are also likely aware of the underlying rationale for why a new standard is needed. Simply put, the current standard is not working. CMMC is meant to increase the efficacy of the DIB’s cybersecurity initiatives, create more accountability in prime contracts, serve as the new standard, and become an enforcement mechanism.
While the CMMC has not been published, we do know certain material aspects. For instance, we know that both the Johns Hopkins University Applied Physics Laboratory and Carnegie Mellon University Software Engineering Institute have been involved with the review and combination of the various cybersecurity standards into one unified standard. That “unified standard” will have levels meant to demonstrate an entity’s cybersecurity posture, with the lowest level signifying basic cybersecurity hygiene and the highest level signifying state-of-the-art controls, with all levels capturing security controls and the institutionalization of processes that enhance cybersecurity within the DIB.
Importantly, the CMMC will include the development of third-party cybersecurity certifications, audits, and tools that will allow for the accurate collection of metrics associated with a government contractor’s cybersecurity position. Certification will be a significant differentiator between government contractors when they bid for work with DoD as a prime and as they bid to be subcontractors for a DoD project. This is because the CMMC will be required to flow down to all subcontractors, and certainly represents a significant step towards bolstering the cybersecurity associated with the DIB, as companies will be required to be certified before they can compete for contracts.
Who is going to pay for this?
While there has been some indication from DoD that the costs associated with improving cybersecurity will be reimbursable for government contractors, there is nothing definitive enough to rely upon. Further, those contractors who have already expended resources to bring their entities into compliance may not be incorporating applicable cybersecurity costs in their proposals, thereby potentially presenting a more competitive bid. With the compliance framework taking shape, it would be prudent for government contractors to take the proactive steps necessary to set aside resources such that when the CMMC is published, the resources are there to adequately respond and maintain eligibility for DoD contracts.
Cybersecurity will become an increasing area of evaluation in the federal government marketplace for all businesses, large and small. While many of the current requirements are tailorable to accommodate differing levels of enterprise sophistication, the baseline cybersecurity requirements are going to be elevated. Accordingly, government contractors must take the necessary steps to understand the scope of the statutes, regulations, and guidance applicable to their business and industry, and then implement the policies and procedures required to remain a competitive bidder.