The U.S. Department of Defense (“DOD”) recently issued an interim rule that seeks to enhance cybersecurity requirements applicable to contractors through a five-year rollout of the Cybersecurity Maturity Model Certification (“CMMC”) framework. The CMMC will, as of October 1, 2025, apply to all DOD solicitations and contracts, other than commercial off-the-shelf (“COTS”) item acquisitions, that are valued above the micro-purchase threshold. Prior to that date, as set forth in the interim rule, only DOD’s current cybersecurity framework will apply unless the Under Secretary of Defense for Acquisition and Sustainment (“USD A&S”) determines that a CMMC assessment and certification is required for certain contracts. Once the CMMC is fully implemented, all DOD contractors and subcontractors will be required to have some level of CMMC certification. Importantly, until full implementation of the CMMC is completed, DOD contractors will be required to perform a self-assessment of their compliance with the current cybersecurity requirements specified in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171.
The NIST practices are required by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and apply to “covered contractor information systems,” which generally include private systems that store, process, generate, transmit or access DOD-related controlled unclassified information. These practices supplement the more basic safeguarding requirements for these systems, which are imposed under Federal Acquisition Regulation (“FAR”) clause 52.204-21.
DOD contractors will need to complete or obtain a cybersecurity “Assessment” under a new DOD Assessment Methodology, as set forth in the new DFARS clause 252.204-7020. The Assessment Methodology reviews a contractor’s implementation and compliance with NIST SP 800-171 at three levels: Basic, Medium, and High. The interim rule suggests that solicitations will identify the necessary level. A contractor’s self-representation of compliance is sufficient for the Basic Assessment, while both Medium and High Assessments require DOD review. The assessment results will be recorded in the Supplier Performance Risk System (“SPRS”) and are valid for three years.
Beginning November 30, 2020 (the effective date of the interim rule), DOD contractors will be required to have Assessment results posted on SPRS prior to the award of a new contract or exercise of an option under an existing contract. In addition, prime contractors may not award subcontracts to subcontractors that have not reported Assessment results on SPRS.
For contractors seeking CMMC certification, the framework includes five progressive (often referred to as cumulative) cybersecurity levels, with level 5 being the most advanced. The five levels are:
- Level 1—Basic Cyber Hygiene (15 practices): all practices in FAR 52.204-21.
- Level 2—Intermediate Cyber Hygiene (72 practices; 2 processes): 65 NIST SP 800-171 security requirements implemented via DFARS clause 252.204-7012, 7 CMMC practices, and 2 CMMC processes.
- Level 3—Good Cyber Hygiene (130 practices; 3 processes): all 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes.
- Level 4—Proactive (156 practices; 4 processes): all 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes.
- Level 5—Advanced/Progressive (171 practices; 5 processes): all 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes.
Under the interim rule, contractors must maintain the requisite CMMC level for the duration of the contract, ensure that subcontractors have the appropriate CMMC level, and include the requirements of the CMMC clause in all subcontracts.
In preparation for the effective date of the interim rule, DOD contractors should:
- Become familiar with the DOD Assessment and prepare to perform a Basic self-assessment. Assessment results must be reported to SPRS in order to receive an award after November 30, 2020.
- If you are not required to implement NIST SP 800-171 security controls because your company does not store, process, generate, transmit or access covered defense information on its systems, be prepared to document why you do not need to conduct a DOD Assessment.
- Where possible, cybersecurity compliance gaps should be addressed and resolved by November 30, 2020.
- Continue to prepare for CMMC certification (though some contractors have several years before certification is required).
For additional information or support on your compliance initiatives, contact Anne Carpenter in the Baker Botts Government Contracts Team or Matthew Baker in the Baker Botts Privacy and Data Security Team.