FCW asked two contract lawyers what vendors really need to know about the Cybersecurity Maturity Model Certification program.
The Defense Department released its interim rule instructing contractors on how to comply with cybersecurity guidelines in September. But with less than 45 days until it goes into effect, many companies still have questions about what they should do and when.
FCW talked with contracting attorneys Kelly Kroll and Michelle Litteken with the Morris, Manning & Martin law firm to get answers on pressing questions about the interim rule for the Cybersecurity Maturity Model Certification program.
What were your first impressions of the interim rule? Did it raise any questions?
KROLL: There are two parts to it. One part was the five-year rollout plan for the CMMC, which is not surprising. The obvious new part that caught everybody a little off guard, and kept us busy with client inquiries this week, was the DOD assessment for compliance with the NIST 800-171 standards, and this new heightened requirement.
DOD already had the requirement, and contractors could self-certify, but when you're self-certifying, people tend to check boxes and move on and may not necessarily have been doing the level of due diligence they should be doing. So this new requirement, where you have to basically make an affirmative statement about your compliance with the NIST standards, in combination with the short turnaround, has really thrown some people off guard, because there are some clients of ours that already have DOD proposals for awards in the next month-and-a-half and they're kind of like, 'Do I need to do this now? Is this going to start applying to me? Should I be doing a basic assessment? How do I do it?'
LITTEKEN: Procedurally, I think it's surprising that it came out as an interim rule given how significant the implications are for industry. So changes are possible in the future and people can submit comments, but they're going to have to start responding most likely November 30.
What would you advise to companies looking at the rule with upcoming contracts or proposals that they're looking to submit? What would they need to do at this stage?
KROLL: At a minimum, we're telling our clients that are bidding on DOD contracts that they need to, first of all, familiarize themselves with the 110 NIST standards, which are basically a checklist of items that you need to go through. We're advising our small- to mid-sized clients to [figure out] how they apply to you and whether you can comply with them.
Some of them are savvy enough at IT and cybersecurity that they can understand and get through some of them, but a lot of them are going to need outside help. What we've been advising them in that sense is to get a third-party consultant to help them through this process.
The problem is, because CMMC is not officially rolled out yet and they haven't identified these third-party certifiers, there's kind of this "Gotcha!" where if a company needs to go outside and get help for a basic assessment, which is like CMMC-light…they pay someone to help them with the basic assessment, then CMMC comes out and they want to be CMMC-certified. But that same company that helped in the first place, they can't use it, because it may not be one of the official Certified Third Party Assessor Organizations. So now they have to go find another company and do it all over again. They'll be in a better position, but there's just the cost aspect of it that I don't think DOD is really taking into consideration with the basic assessment. I think they think the basic assessment is going to be a lot easier to implement than it really is for industry.
Is there a need for more guidance now that the interim rule has teeth?
KROLL: Government contracts have a whole bunch of federal acquisition regulations incorporated by reference, and if you were actually going to print out all those regulations, you'd have several books full; the contract would be several hundred thousand pages long. So small businesses, they check the boxes, they move on…. [The interim rule] has a little bit more teeth, there's a little bit more scrutiny on your assessment versus checking a box, so now they're concerned.
One client's first question was whether the Small Business Administration had set up a resource for [companies] to go to, so they can do this for us and we don't have to pay for it. And I was kind of like, well, that would be nice, but no. So we're getting those kinds of inquiries, like why would a small business be expected to incur some of these costs when they do less than $100,000 to $200,000 a year in business with DOD. That might be a large chunk of business for them, but to then have to go spend $20,000 to make sure that they're not going to get in trouble with this assessment issue, it's a big jump for them.
What are the options and requirements for these businesses at this point? Do you just have to find the money no matter what your business level with DOD is?
LITTEKEN: There is no kind of "you need to have 'X' number of contracts" in the rule. As soon as you have one contract where this applies, or potentially subcontracts, it's going to be a question of can you comply and, if so, how quickly. The NIST standards aren't foreign territory to most government contractors who do business with the DOD.
KROLL: There really are no waivers; the only exception is for commercial off-the-shelf items, which is good because previously that wasn't there. The one highlight, if you will, is the interim rule said we're not going to apply this to people who sell pencils and toilet paper to DOD. There are no heightened security concerns about the IT systems of the guy selling me pencils and pens. So that's the positive part of the rule. But other than that, there are no exceptions for small businesses, there are no exceptions based on dollar threshold or anything like that.
What are the important dates people need to be aware of other than that it goes into effect Nov. 30?
KROLL: It's going to depend on their contracts. It applies to any contracts that are issued or modified after Nov. 30. So people that have proposals in the queue now need to look at their solicitations to see if they include the operative DFARS clause, and more than likely the contracting officer is going to say, 'You have to do this before I can make the award.' Those are the people that need to really act more quickly than others. But then contractors that have options coming up, such as in December or January or whatever their option year is, have to start thinking about when the contract's going to be modified to extend the option, because the contracting officer could very well say, 'Okay, you need to do not only this basic assessment, but by the way, we're going to come in and do a medium or high assessment.' That's always a possibility, too. My reading of the rule is that DOD has an office that's just going to pick which contracts those are, and who knows if you're going to get picked or not. And I'm assuming those will be higher-level, classified-type contracts with some of the bigger companies, but we'll see.
You don't know what you don't know. What's the most important question people aren't asking or being considered enough?
KROLL: Even if we determine this doesn't apply to you because you're supplying COTS or something like that, what's going to come up after this gets implemented is that the FAR on the civilian side of everything is going to pick up the same CMMC requirement, and they're gonna piggyback off of this, and now it's gonna apply to civilian agencies. So if you're doing business with the Environmental Protection Agency or the General Services Agency or the Treasury Department, all of a sudden this is gonna apply to you as well. And then it's gonna possibly go to the corporate world as well. So it's coming. To me, it's almost like go with the wave and be at the front of this and get yourself in a position where you are covered.
LITTEKEN: I think one thing people aren't necessarily thinking about is that people are gonna be hiring consultants or companies to come in and help them get up to the standards, but they're not necessarily asking whether this company is gonna be able to come in and do a certification down the road if that's necessary, or whether there will be a conflict of interest. Because from what I've heard from DOD personnel, and they didn't issue the rules about how accreditation is gonna work, the companies that are allowed to do the accreditation are not going to be allowed to also go in and help companies before that accreditation to get up to standards. So companies may be assuming that they're gonna be able to get a good deal, or two for one, or something like that. But when those rules come out or are further clarified, that may not be an option.
What should people really be paying attention to?
LITTEKEN: I think people should be looking out for how the system actually rolls out. When a client asked, 'How do I actually do the mechanics of this?', we had to go and look again at the rule, because it's very nuts and bolts; it's not something you necessarily focus on. And it contemplates, for a basic assessment, a system where a contractor puts together an email with basically six or seven items that are identified in this rule that need to be submitted. And if there are multiple systems or subsystems, there's a special chart you're supposed to put your information in, and then you send that in to the single email address, and then someone within the government is going to look at that and then put you into the system. And then other contracting officers and acquisition people are going to be able to come and look at that system and check whether, you know, the contractors are in there and have the requisite assessment for the procurement at issue.
But in recent years, we've seen a lot of government websites and systems like this not operate like they're supposed to. So I'm curious to see what happens when it's day one and everything needs to start working: is it going to work the way it's supposed to?
It's an interim rule, so it could change. It could change in December. It could change next year. I think we all know that cybersecurity is going to be a long-term focus for the government and for private industry. But the specific requirements could change, and the way that it's being implemented could change. So I think people just need to stay tuned and try to be a little bit flexible to the extent they can, because everything is in flux at this point.
This interview has been edited for length and clarity.