“Depend upon it, sir, when a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully.”
― Samuel Johnson[i]
The CMMC Interim Rule is scheduled to “go live” on 1 December 2020. Daily webinars and panels over the past two months have focused attention on what steps the defense industrial base supply chain needs to take. We can now add panicked to perplexed and paralyzed as the frequently encountered responses from manufacturers who are current or prospective DoD contractors. The requirements for compliance with DFARS 252.204-7012 (and the newly added clauses 7019, 7020, and 7021) have provided some answers. There are still outstanding questions, known unknowns, and potential pitfalls. Based on information from briefings over the past month from a variety of experts—including the DoD CISO for Acquisition and Sustainment, a legal expert, a Defense Acquisition University faculty member, and CMMC Provisional Assessor #17—here are recommendations about where to concentrate your mind and avoid the “gallows” of contract compliance uncertainty.
What Is Known from a CMMC Assessor Perspective
False Claims Liability Act. Damages have been—and will continue to be—assessed against those contractors who have attested to compliance with DFARS provisions but have overstated or misrepresented their actual security condition with respect to CUI protection. The US Department of Justice obtained more than $3 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending 30 September 2019. Damages may be assessed at up to treble the contract value plus a penalty of at least $11,000 per claim.
Supplier Performance Risk System. All defense supply chain companies should be familiar with this system and follow the steps needed to gain access to it through the DoD’s Procurement Integrated Enterprise Environment (PIEE).[ii] (The registration process can be tedious and slow, according to some manufacturers who found the platform clumsy.)
Basic Self-Assessment. Complete your first pass at the cybersecurity readiness self-assessment based on the 110 NIST SP 800-171 controls[iii] and post it to the DoD’s Supplier Performance Risk System (SPRS). This is not a trivial task but is one that can be perfected over time. Newly introduced DFARS 7019 clause requires that this basic assessment be uploaded to the SPRC prior to contract award. Enforcement will come with RFPs and RFIs released beginning as early as December 2020 and which contain the CMMC reference clauses.
System Security Plan. All contractors that have agreed by reference to DFARS 7012 should have a plan in place. Appendices to the plan—what constitutes a complete plan—include a plan of action and milestones (POAM/PO&M), incident response plan (IRP), IT asset registry, network architecture and controlled unclassified information (CUI) flow diagrams.
Incident Response Plan. Current contractors and subcontractors that are beholden to DFARS 7012 must review the DFARS clause to ensure that they can fulfill the reporting requirements contained in sections c through g. These sections specify when to report (e.g., within 72 hours of a confirmed incident involving CUI compromise), how to report it, what information to include.
- CMMC Assessor Advice: Be specific with respect to which systems are covered. Be honest with respect to whether you have fully implemented the security control. Respond based on the current state, not some desired future state (even if articulated in your plan of action and milestones or POAM/PO&M). Start with the “worst possible case,” a score of -203. Add in points (1, 3, or 5) for each control depending on the relevant weighted scoring and degree of implementation Be conservative.
- DoD CISO Advice: Approval is pending for release of 15 or so contracts that will include the CMMC clauses. December is still anticipated for their release.
What is Unknown/Unclear from a Contract Law Perspective
Minimum Self-Assessment Score. What will the minimum acceptable score be for contract award? In the short term, this will depend on the specific contract terms.
Full Compliance for Basic Level Self-Assessment). How soon after contract award must a contractor be able to prove full compliance?
Medium or High-Level Assessment. What are the specific criteria for when these assessments will be performed by the DoD? How will they be prioritized? Will they act to limit competition?
CMMC Assessment Level. Is a contractor’s certification a matter of responsibility subject to Small Business Administration (SBA) review?
CMMC Conformance Assessors. Will the CMMC-AB and 3CPAOs be required to identify potential conflicts of interest and thus decrease possibility of abuse?
Alternative Frameworks. Will other certifications (e.g., ISO 27001/27002) or use of FedRAMP be recognized and awarded “credit” points.
Implementation. Can a flawed determination by the Government for assessment type or CMMC level be protested?
Allowable Cost Recovery. How will contractors
be allowed to recover costs for assessments and
CMMC certification (e.g., as a direct cost to a contract or as overhead)?
Subcontractor Oversight. What kind of responsibility will primes have for subcontractor issues?
- Contract Lawyer (Karri Palmetier) Advice: Review your SSPs. Implement your POAM/PO&M and show evidence of progress (i.e., due diligence and reasonable effort). Monitor suppliers and validate representations and certifications. Start implementation immediately. Many companies will be competing for 3CPAO attention!
Details will continue to be refined as the CMMC program is
rolled out and tested. The first cohort of 25 provisional CMMC assessors have
received first instructions, but they are the “pathfinder testbed.”
Manufacturer’s Edge has developed, delivered, and recorded a series of four,
free, DoD-funded, 2-hour webinars (with companion slide decks) on cyber
resiliency for the defense supply chain. Please contact our fearless marketing
director, Jessica Cowden <email@example.com>, for information
about how to register for access to this content.