The Department of Defense (DoD) announced this month that it will be implementing new contractor cybersecurity standards by January of 2020. The new standards, known as the Cybersecurity Maturity Model Certification (CMMC), will have five maturity levels, ranging from “basic” cyber hygiene to “state-of-the-art,” and will incorporate guidance from the National Institute of Standards and Technology (NIST) with input from the private sector and academia. The level of cybersecurity required by the standards will be indicated on all contract solicitations. Under this new program, contractors will be required to have private sector third-party auditors certify compliance of information systems with the new standards. The DoD will hold 12 listening sessions across the country this summer in order to obtain feedback on the CMMC from contractors and experts. The DoD is anticipated to begin incorporating CMMC requirements into Requests for Information by June of 2020, and to start including CMMC in solicitations by September 2020.
The CMMC is expected to incorporate requirements from existing cybersecurity standards and models, including NIST SP 800-171, with which DoD contractors are currently required to comply under the Defense Federal Acquisition Regulation Supplement (DFARS). NIST recently released a new draft of that standard, NIST SP 800-171, Revision 2, as well as a “companion” publication, NIST SP 800-171B, which offers recommendations for handling Controlled Unclassified Information (CUI), ranging from individuals’ names and Social Security numbers to critical defense information, in situations where such information runs a higher-than-usual risk of exposure from Advanced Persistent Threats (APTs). The deadline for submitting comments on these drafts is July 19, 2019. NIST has published additional information on these updates and on the potential impact of these new requirements.
As recently reported, details of the CMMC program were provided by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cyber, in a presentation earlier this month at the Professional Services Council Federal Acquisition Conference. During that presentation, Ms. Arrington made the bold assertion that “security is an allowable cost.” Ms. Arrington made this statement with permission from Kevin Fahey, the Assistant Secretary of Defense for Acquisition. Although this is, of course, a very significant statement, it remains to be seen to what extent contractors’ security initiatives will, in fact, be deemed allowable costs.