Alert

DOD Updated its New Contractor Cybersecurity Certification Program

December 19, 2019

WHAT: The U.S. Department of Defense (DOD) updated its new contractor cybersecurity certification program, including version 0.7 of its expected model and a progress report on the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body.

WHEN: December 13 and 18, 2019.

WHAT DOES IT MEAN FOR INDUSTRY: DOD continues to progress in developing the CMMC regime, which will present a significant shift in the cybersecurity compliance obligations of government contractors.

On December 13, 2019, DOD released version 0.7 of the CMMC. The primary purpose of this interim release was to detail the data security controls required to achieve the two highest levels of CMMC – levels 4 and 5. As expected, a number of these practices are derived from draft NIST SP 800-171B, though many controls are based on other information security standards or are unique to CMMC.

As contractors who have implemented NIST SP 800-171 know, many of the controls are ambiguous and open ended, leaving uncertainty as to whether a specific security practice meets the control. CMMC v0.7 has taken steps to address this for Levels 1-3 by including appendices that provide additional guidance in the form of “Clarifications” and “Examples.”

Presumably, more detailed clarifications and examples for Levels 4-5 will be forthcoming in later versions of CMMC.

Still, significant questions remain about CMMC. For example, the CMMC proposals have not addressed uncertainty in the definition of Covered Defense Information or how contractors should define information system boundaries—key questions that can radically alter the steps a contractor must take to meet NIST SP 800-171. Additionally, NIST stated that it intended for NIST 800-171B to only be applicable to a very small portion of contractors, perhaps .5%. Does DOD intend the same for CMMC Levels 4 and 5? Finally, DOD has not provided further information on how it intends to implement these requirements from a contractual perspective.

DOD next intends to issue CMMC version 1.0 at the end of January 2020. Version 1.0 is expected to include tailored maturity processes for each domain, and may represent a ‘complete’ picture of CMMC.

More recently, on December 18, 2019, the working group leads for the developing CMMC Accreditation Body announced that it held a meeting to discuss recommendations for the structure, mission, membership, and constituency of the Accreditation Body. The working group leads also clarified that the Accreditation Body expects to be ready to sign a Memorandum of Understanding with DOD in January 2020. DOD had previously stated that it expected to sign the MOU by the end of the year, so this reflects a modest revision to the projected schedule. Since the Accreditation Body is charged with training and accrediting CMMC Third Party Accreditation Organizations (C3PAOs) – the entities actually tasked with certifying contractors – execution of the MOU is a critical step to making the CMMC initiative a reality. Whether DOD and the as-yet-unformed Accreditation Body can rise to the challenge of establishing a working framework for the C3PAOs is unclear, but will be monitored closely in the coming months by the contracting community.
