DOD’s Cybersecurity Maturity Model Certification and Draft CMMC Model Framework

Government Contracts Update

Date: September 17, 2019

Key Notes:

  • DOD has released its draft CMMC model framework, including detailed new cybersecurity requirements.
  • Comments on the draft CMMC are due by September 25, 2019.
  • CMMC will become a requirement in DOD solicitations next year and apply throughout the DOD supply chain.

The Department of Defense recently released new information on its Cybersecurity Maturity Model Certification program, publishing Version 0.4 of the draft CMMC model framework for public comment (comments are due by September 25, 2019) and releasing its latest overview briefing on the CMMC. The CMMC enforcement mechanism will build upon, and significantly add to, the current DOD cybersecurity requirements, which include DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and the incorporated requirements developed by the National Institute of Standards and Technology (NIST). Additional parameters for the CMMC program are pending in the Senate and House versions of the National Defense Authorization Act (NDAA) for Fiscal Year 2020.

CMMC Program Background

The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) has been working with the Johns Hopkins University Applied Physics Laboratory and Carnegie Mellon University Software Engineering Institute to “review and combine various cybersecurity standards into one unified standard for cybersecurity.” The OUSD(A&S) website states that the CMMC has been in development in a collaborative effort with industry groups and stakeholders and that the DOD team has worked “to establish a robust process of collaboration to develop Draft CMMC v0.4.”

OUSD(A&S) has been conducting a listening tour with industry at various events that continue through October. The DOD special assistant for cyber within OUSD(A&S), Katie Arrington, announced details concerning the CMMC program at industry events this summer, including the Navy’s annual Gold Coast Conference. Arrington explained that the CMMC will become a requirement in DOD procurements through solicitation proposal instructions and evaluation criteria (located in Sections L and M), which will set the required CMMC level (Levels 1-5) for a specific contract. She also announced that cybersecurity costs will be considered allowable costs. Arrington’s presentation highlights the continuing and increasing priority of cybersecurity within DOD for all DOD procurements.

According to the OUSD(A&S) website, DOD “recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward.” Notably, OUSD(A&S) has also stated that “the CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.”

New Draft CMMC Model and Overview Briefing

As stated in the recent overview briefing, the CMMC will be a unified cybersecurity standard for DOD acquisitions to “reduce exfiltration” of Controlled Unclassified Information from the Defense Industrial Base (DIB). The CMMC combines various cybersecurity standards and best practices, which are mapped across several maturity levels that range from basic cyber hygiene to advanced. Detailed assessment guidance is still under development.

The draft CMMC model framework released in September consists of 18 cybersecurity domains, which are based on “best practices.” Each CMMC domain consists of capabilities, which in turn consist of practices and processes, and those practices and processes are mapped to CMMC Levels 1 through 5. The capabilities, practices and processes are each set forth in the comprehensive draft CMMC model framework. Most of the 18 domains overlap with security requirements in NIST SP 800-171 rev. 1 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).

The new CMMC rev 0.4 requirements include additional practices derived from a variety of content sources. The overview briefing emphasizes that this comprehensive model is still being refined before a final version is released in January 2020. As summarized in the overview briefing, Level 1 includes basic cybersecurity, achievable for small companies. Level 3 includes coverage of all controls required by NIST SP 800-171 rev. 1, as well as additional practices. Level 5 includes advanced cybersecurity practices reserved for the most critical systems.

Examples of Level 1 practices include FAR requirements, antivirus protection, ad hoc incident response and ad hoc cybersecurity governance. Examples of Level 2 practices include risk management, awareness and training, and back-ups and security continuity. Examples of Level 3 practices include all NIST SP 800-171 rev. 1 requirements, an Information Security Continuity Plan and communication of threat information to key stakeholders. Levels 4 and 5 are “targeted toward a small subset of the DIB sector that supports DOD critical programs and technologies.”

According to the overview briefing, CMMC Rev. 1.0 will be released in January 2020, and its requirements will be included in RFIs starting in June 2020 and RFPs in the fall. Further, the briefing continues to state:

  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

OUSD(A&S) also states on its website that “we anticipate providing Draft CMMC Model v0.6 for public review in November 2019.”

CMMC Pending in NDAA for FY 2020

The CMMC program as planned by DOD would be consistent with section 1634 of the currently pending Senate version of the NDAA for Fiscal Year 2020. Section 1634, “Framework to Enhance Cybersecurity of the United States Defense Industrial Base,” would establish the “Cybersecurity Maturity Model Certification” for DIB companies, “scoring companies on a rating scale, and requiring certain ratings for contract awards.”

Section 1634 would require the Secretary of Defense to develop a consistent, comprehensive framework by February 1, 2020, which would include “identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors,” as well as “the responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements.”

The House version of the bill also states that DOD “must develop policies and regulations that move security from a cost that defense contractors seek to minimize to a key consideration in the award of contracts, equal in importance to cost, schedule, and performance.” The House and Senate versions must be reconciled in conference committee before the NDAA is signed into law.

Supply Chain Application

The Senate Armed Services Committee’s report on the Senate NDAA bill illustrates concern over cybersecurity compliance throughout the entire supply chain, the enforcement of the standards and requirements developed by NIST, and prime contractors’ responsibility for subcontractor compliance:

The committee is concerned that contractors within the defense industrial base are an inviting target for our adversaries, who have been conducting cyberattacks to steal critical military technologies. Currently, the Department of Defense mandates that defense contractors meet the requirements of NIST Special Publication 800-171 but does not audit compliance to this standard.

The committee is concerned that prime contractors are not overseeing their subcontractors’ compliance with these cybersecurity requirements through the entire supply chain and that the Department lacks access to information about its contractors’ subcontractors. The committee believes that prime contractors need to be held responsible and accountable for securing [DOD] technology and sensitive information and for delivering products and capabilities that are uncompromised. Developing a framework to enhance the cybersecurity of the defense industrial base will serve as an important first step toward securing the supply chain.

CMMC Will Add to Existing Auditing, Investigations and Other Enforcement

The CMMC program is expected to bring a new enforcement mechanism to cybersecurity that will enhance security for contractors and the industrial base and help DOD avoid future losses to cyber breaches. Cybersecurity can also be expected to be an increasing target for current and future auditing, investigations and other enforcement efforts. In a January 2019 memorandum issued by the Under Secretary of Defense for Acquisition and Sustainment, DOD instructed the Defense Contract Management Agency to include in its audit of a contractor’s purchasing system a review of compliance with the cybersecurity requirements of DFARS 252.204-7012 and NIST SP 800-171, for both the contractor and its “Tier 1 Level Suppliers.”

Recent developments also include False Claims Act (FCA) and other enforcement actions. In May, a district court denied a motion to dismiss an FCA complaint against a major defense contractor alleging violations of the cybersecurity requirements of DFARS 252.204-7012 and a related NASA cybersecurity clause. In June, U.S. Customs and Border Protection suspended a contractor following a high-profile data breach. And in July, it was announced that a major IT company had agreed to pay $8.6 million to settle DOJ and relator allegations that it had violated the FCA by selling video surveillance equipment with cybersecurity flaws to federal agencies. These recent events serve as a reminder that even as DOD develops new enforcement mechanisms, contractors must devote substantial and increasing resources toward compliance with the current cybersecurity regulations, including the comprehensive DFARS and NIST requirements.

For more information, please contact:

Joseph R. Berger

Tom Mason

Ray McCann

Francis E. Purcell, Jr.

Steven G. Stransky

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.