DFARS / CMMC for 2020: Culmination of Efforts to Protect National Security Data and Networks

Cybersecurity and Privacy Alert

Client Alert


2020 Cybersecurity Requirements for Government Contractors

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARS) intended to better protect defense data and networks. Beginning in 2017, DoD issued a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC).

In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled but unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

The foregoing multi-year effort to protect defense data and national security networks is culminating in 2020, and government contractors must be prepared to comply or face potentially draconian consequences ranging from disqualification to enforcement.

DFARS initiated the government’s efforts to protect national security data and networks by implementing specific NIST cyber requirements for all DoD contractors with access to CUI, TDI or a DoD network. DFARS relied on contractors' self-attestation of compliance.

CMMC provided a broad framework to enhance cybersecurity protection for the Defense Industrial Base (DIB). CMMC created a verification program to ensure that NIST-compliant cybersecurity protections are in place to protect CUI and TDI that reside on DoD and DoD contractors’ networks. Unlike DFARS, CMMC requires certification of compliance by an independent cybersecurity expert.

Operational application of CMMC -- and associated DFARS NIST requirements -- will occur in 2020. Independent cybersecurity assessments and the inclusion of CMMC requirements in DoD solicitations will begin in Q2 2020, and CMMC requirements are expected to be included in all DoD solicitations by Q3 2020.

In summary, the CMMC will require government contractors and subcontractors, including small businesses, to:

  • Establish the applicable level of CMMC controls to reduce cyber risks
  • Verify compliance with the applicable CMMC level of protection, including DFARS/NIST
  • Conduct periodic cyber audits and risk assessments by independent certifying organizations
  • Agree to permit U.S. government agencies, such as the Defense Contract Management Agency (DCMA) and Defense Counterintelligence and Security Agency (DCSA), to conduct “higher level assessments”

All DoD contractors and subcontractors will be required to be certified at CMMC Level 1 to qualify for any contract award. Depending on the required access to, or generation of, CUI and TDI, a contractor will have to be certified at one of five ascending levels of CMMC certification. Notably, each level is cumulative of each lower level of certification.

The final CMMC framework is scheduled to be released sometime later this month, January 2020, with regulations expected to follow later in the year. Once implemented, contractors will be required to represent their compliance with the CMMC level dictated in the DoD solicitation. Failure to do so will be a basis for disqualification, and misrepresentation of compliance will be subject to possible Federal False Claims Act enforcement.

Ultimately, anyone doing business with the DoD, whether as a prime or subcontractor, should be prepared to fully comply with DFARS and CMMC in 2020.

Advance preparation, including engagement of needed third-party resources, should be undertaken in the very near term – together with periodic review of relevant updates as they become available.

Additional information can be found on the CMMC website. Interested parties can also set up alerts to receive updates as they are posted to the .mil website.