Cybersecurity Supply Chain Developments – What’s Next for CMMC?
It is now June 2020. The Department of Defense (DoD) initially projected that, this month, it would issue ten pilot Requests for Information (RFIs) as part of its efforts to develop the means for its implementation of the Cybersecurity Maturity Model Certification (CMMC) under DoD contracts. To date we have not seen any of the RFIs, but there are still scheduled milestones and efforts underway that the Defense Industrial Base (DIB) supply chain should track:
- By 2025 DoD contractors and their supply chain, including subcontractors and suppliers, except for a limited few, will need some form of CMMC certification.
- DoD has indicated that it will issue ten Requests for Proposals (RFPs), including contractor CMMC certification requirements. The initial projected timeline called for issuance in September; we expect it to be delayed until November 2020. DoD Chief Information Security Officer Arrington stated that CMMC will not be included in RFPs until the DoD Federal Acquisition Regulation Supplement (DFARS) rule is issued.
- The CMMC Accreditation Body (CMMC-AB) is taking steps to proceed with the development and implementation of the CMMC certification program.
- CMMC-AB issued requests for information on topics including educational content review services and CMMC certification exam development and delivery services. Responses were due on June 10.
- CMMC-AB also issued a request for proposals for continuous monitoring. Responses were due on May 20, and we understand that CMMC-AB is assessing the responses to determine whether and to what extent a continuous monitoring service might be established. This requirement was not part of the duties that CMMC-AB was initially identified to perform. It is unclear whether this will be used in the certification program.
- July 6, 2020 is the projected date for CMMC-AB to issue details on the provisional program for certifying professionals and assessors. Applications for CMMC-AB Certified Third Party Assessment Organizations (C3PAOs) were due in January 2020. However, CMMC-AB’s website indicated that applications for assessors for levels 1 through 3 are available now. Training for applicants accepted to the program is currently scheduled for Winter 2020/2021.
- To be certified, CMMC C3PAOs must be 100% US citizen owned. They also must sign a CMMC-AB license agreement, complete a verification of insurance, pass a background check and review by CMMC-AB, and pay application and activation fees. According to the CMMC-AB website, C3PAO and assessor certification will be based on testing and assessment experience. CMMC-AB’s current schedule anticipates that assessors will be available to conduct assessments by Winter/Spring 2021.
- The foregoing schedule makes it likely that DoD will not award contracts under the ten pilot RFPs until Winter/Spring 2021.
- In preparing for CMMC assessment, contractors and suppliers in the DIB should review their systems and compliance with the CMMC requirements for the level of certification that they are likely to need. If you anticipate that you will need to handle or generate controlled unclassified information (CUI), you will need to have a system that meets CMMC level 3 requirements at least.
- You must be certified for the level required under the solicitation in order to be eligible for a contract award, and it is unclear how many CMMC-AB assessors will be certified to conduct assessments in the short term. Getting all your ducks in a row now will facilitate a more efficient process and hopefully improve the chance that you will achieve your desired certification level.
- If you disagree with your certification assessment, you will have ninety days to try to resolve your disagreement with the CMMC-AB before they finalize and publish their results. There may be other options to pursue if you cannot resolve matters at this stage.
- The results of your certification may also impact your current contracts that include cybersecurity compliance requirements and give rise to potential changes, cost or other impacts, claims, and other actions.
We are watching these matters closely. If you have questions about this blog, government contracts or supply chain risk management matters, contact the author or a member of the Stinson Government Contracts & Investigations practice group, or your Stinson counsel.
Contact Susan Ebner for more information.