CMMC and Other Cyber Considerations for Management When Working with the U.S. Department of Defense
March 01, 2022
By Travis Epp and Jill Lawson
We have had the opportunity to work with companies that provide products and services to the U.S. Department of Defense (“DoD”). While companies tend to focus on the costs and risks associated with a cyber incident, inadequate cyber hygiene may also adversely impact a company’s revenue stream. The intent of this article is to address some of the risks and considerations that may affect suppliers to the DoD in relation to NIST 800-171 compliance and the path toward CMMC 2.0.
Cybersecurity breaches continue to impact entities and consumers all around the globe, and the impact can be profound. While we as individuals tend to focus on our identities being stolen and the impact on our personal lives, the impact on all of us would be significant if certain information related to the DoD were breached. Cybersecurity requirements related to the DoD are extensive because security measures must address information held within the DoD as well as by its third-party contractors. The Defense Industrial Base (“DIB”) is the supply chain that provides essential products and services, which include research and development, weaponry, infrastructure support and other key requirements.
The DoD has recently elevated the cybersecurity requirements for its supply chain. The traditional model to be followed by nonfederal organizations was NIST 800-171, which specified 110 controls that were to be implemented and documented in a Controlled Unclassified Information (“CUI”) System Security Plan (“SSP”) detailing how the people, physical facilities and IT systems protect CUI. Any weaknesses identified in the 110 controls must be addressed in a Plan of Action and Milestones (“POA&M”) that specifies the deficiencies and a remediation timeline. Based on the effectiveness of the CUI SSP, each supplier must calculate a score using the NIST SP 800-171 DoD Assessment Methodology. Each entity’s score is tracked in the federal Supplier Performance Risk System (“SPRS”) database along with other entity-specific information, such as a C-suite attestation. As part of the process of competing for a DoD contract, government contracting officers validate that the SPRS score has been provided. Scores are generally required regardless of whether the entity is a prime contractor or a subcontractor.
NIST 800-171 requirements have been incorporated in most government contracts since December 2017. While improvements in cybersecurity were made, the pace of improvements was deemed insufficient. In 2020, the DoD announced the rollout of the SPRS score with C-suite attestation and the Cybersecurity Maturity Model Certification (“CMMC 1.0”), which was to be incorporated in all DoD contracts and solicitations.
The original CMMC 1.0 proposed a five-level maturity approach. By 2025, DoD contracts would specify the certification level a contractor must hold to be eligible to submit a proposal. The DIB commented on CMMC 1.0, which led to the announcement of CMMC 2.0 in November 2021. CMMC 2.0 includes only three levels and removes the CMMC requirement for many contractors, but it came with a possible accelerated implementation date of 2023 for those companies still requiring CMMC 2.0.
Management Team Considerations
Based on the assumption that being a prime contractor or subcontractor to the DoD is a part of an entity’s continued business strategy, the management team should address the following:
Business with the DoD
- Summarize which products and/or services are currently provided to the DoD.
- Identify pending or near-term products or services that may be contracted with the DoD.
- Plan for cybersecurity and CMMC. Consider the indirect costs that may be incurred to compete in proposals in accordance with Defense Contract Management Agency (“DCMA”) guidelines.
Understanding Compliance Requirements
- Has the entity properly identified CUI handling instructions that are referenced in the contract and in DD Form 254: Contract Security Classification Specification?
- What is the status of the company’s CUI SSP, and are the deficiencies and corrective measures under the POA&M being achieved on a timely basis?
- What is the confidence level of the C-suite attestation that the SPRS calculated score is accurate?
- Identify cybersecurity stakeholders in departments external to IT, such as facility security, human resources, contracting officers and one C-suite leader.
- Ask government contracting officers if new cybersecurity clauses are being considered for either a contract modification or to be inserted in the option-year contracts.
Steps Necessary to Achieve the Business Goals
- Continually monitor compliance with existing DoD contracts.
- Review terms and conditions of new contracts as they arise to ensure proper scoping of the compliance program.
- Perform annual reviews of enterprise policies, processes, procedures and plans that implement CUI security to coordinate expanding CUI protection efforts between multiple departments or stakeholders.
- Review resource requirements to achieve the objectives.
- Determine if additional proactive steps can be performed to enhance the likelihood of success in the bid process.
The management team is responsible for the enterprise cyber hygiene of a company that has cybersecurity clauses in its contracts. While the cost, schedule and performance parameters to achieve the desired level of cybersecurity may be extensive, insufficient planning and budgeting may create unacceptable risks to the ongoing business.