In recent years cybersecurity has become an important concern for the Government, and that has resulted in changes to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). There is a big change on the horizon that all defense contractors should be aware of—the Department of Defense (DoD) is launching a Cybersecurity Maturity Model Certification (CMMC) program. Because all DoD contractors will be required to be certified by a third party to continue to do business with the Government, this is a development that will affect all DoD contractors.
CMMC version 1.02 requires DoD contractors and their supply chains to have systems in place that meet the certification level cybersecurity requirements for the data that they will be required to handle under DoD contracts and subcontracts. The stringency of the requirements will depend on the nature of the information, with Level 1 being the most basic and Level 5 being the strictest. The vast majority of contracts will likely require Levels 1 through 3.
Previously, contractors were able to self-certify cybersecurity compliance. When CMMC is implemented, third-party certification will be required. Currently, implementation is expected in November when the CMMC requirement is included in solicitations. A draft DFARS rule establishing the CMMC requirements is in progress and is also expected later this year.
What does this change mean for contractors? For one, certification will be required to be eligible for award. This may affect a contractor’s costs, and it could affect a contractor’s proposal and teaming strategy. Likewise, a lack of certification may provide the basis for a post-award protest. The implementation of CMMC also creates an additional compliance concern for contractors. The Government could use a contractor’s failure to maintain its certification as a basis for termination. Additionally, a contractor that misrepresents its certification may be subject to liability under the False Claims Act or be sued by a teaming partner for breach of contract.
Cybersecurity is not only a concern for DoD contractors. There are cybersecurity requirements that apply to non-DoD contractors. Specifically, FAR 52.204-21 imposes 15 relatively basic cybersecurity requirements on all contractors that process, transmit, or store contract information. For example, FAR 52.204-21 requires contractors to authenticate the identities of users, processes, or devices before allowing access to organizational information systems. Given the importance of cybersecurity, a new FAR rule is expected that would include requirements similar to the DoD’s CMMC.
Cybersecurity has become a key operating principle for the Government and contractors. With CMMC, the Government is increasing the importance of the issue and adding third-party verification. Contractors should stay attuned to the evolving requirements and contact Executive Law Partners for assistance in understanding how these changes could affect their business.