PilieroMazza has been blogging a lot over the past year about the Department of Defense’s (DoD) highly anticipated CMMC. And there has been a lot to say, from the early stages of CMMC as a new “overarching standard,” to its first public draft release, through its first major streamlining, and finally to its latest public draft release in early December 2019. The pace of developments is expected to increase in 2020 as DoD releases a compliance checklist, finalizes the certification standards, and begins accrediting third parties that will ultimately issue CMMCs to contractors. With CMMC expected to become a requirement of certain DoD contracts by the end of this fiscal year, CMMC truly is a game-changer for any government contractor working directly for DoD or in the DoD supply chain. 

Yet, did Congress just say “Not so fast” on CMMC? On December 20, 2019, President Trump signed the 2020 National Defense Authorization Act (NDAA) into law. Like many recent NDAAs, the 2020 NDAA has numerous cybersecurity provisions. One section, in particular, is clouding the future and schedule for CMMC.

Section 1648 of the 2020 NDAA, entitled “Framework to Enhance Cybersecurity of the United States Industrial Base,” includes several noteworthy provisions. Most importantly, Section 1648 directs the Secretary of Defense to develop “a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base,” and DoD must do so by February 1, 2020. Also of note, the framework developed by February 1st must include several components, including “[i]dentification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing cybersecurity of individual contractors.” The framework must address the roles of prime contractors and subcontractors as well, particularly in terms of how they will implement the unified standards and requirements of this new cybersecurity framework.

As it pertains specifically to CMMC, Section 1648 casts doubt on its role and timeline. Section 1648(c) lists various matters that the Secretary of Defense must consider when developing the new framework. Among these considerations are “[r]isk-based methodologies . . . including third-party certifications such as the Cybersecurity Maturity Model Certification pilot program, as the basis for a mandatory Department standard.” There are several eye-openers here. First, we are not aware that DoD has previously considered CMMC to be a “pilot program.” This language also suggests the possibility of other third-party certifications. And, the language indicates CMMC could be used as the basis for a mandatory DoD standard—suggesting that CMMC is not currently considered to be the mandatory standard.

Perhaps we are reading too much into Section 1648—we’re lawyers after all, that’s what we do—but it does appear to take some of the wind from the CMMC sails. That said, we still expect that a final framework and mandatory standard will be very similar to CMMC, if not identical, so it remains prudent for all DoD contractors to be preparing for CMMC. We’ll just have to keep watching to see if there is a further evolution of the requirements this year based on the 2020 NDAA.

Please do not hesitate to contact us if you have questions about the 2020 NDAA or CMMC. PilieroMazza’s Cybersecurity & Data Privacy and Government Contracts Law practice groups are working with clients to help them understand and prepare for the evolving cybersecurity requirements and we will keep you abreast of further developments concerning CMMC. We also invite you to view our Cybersecurity & Data Privacy Compliance Check-Up for more information on how we can help.

Firm Partner Jon Williams co-authored this blog with Associate Anna Wright. Both are members of PilieroMazza’s Government Contracts Group and Cybersecurity & Data Privacy Team.