On January 30, 2020, the US Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which is available here, with appendices available here. This highly anticipated 390-page release supersedes the prior draft versions, the last of which was released in December 2019. The DoD will begin requiring contractors to obtain certification under the CMMC later this year, giving companies in the supply chain little time to assess their obligations, identify and remediate cybersecurity weaknesses that might preclude their desired certification, retain an appropriate certification vendor and obtain the certification.
This certification process raises a host of legal considerations. For instance, the identification of cyber weaknesses requires a candid and thorough assessment that will result in a list of the areas where the contractor’s cybersecurity is lacking. This list may be critical in mitigating cyber risks, helping to plan for certification and in reducing the business risks that would result from a failed certification effort, but it also can be highly damaging from a legal risk perspective, especially in the hands of plaintiffs’ lawyers or regulators that may want to use it to support allegations of inadequate security. The same information required to support certification could be used to establish that a DoD contractor knew of risks and failed to take action.
These considerations underscore the importance of involving legal counsel in the process and taking steps to support a claim that key self-critical deliverables are protected under attorney-client and/or work-product privileges, while also ensuring that the contractor fully prepares for CMMC certification.
Why Did the DoD Create the CMMC?
The DoD created the CMMC to combat malicious cyber actors targeting intellectual property in the DoD’s supply chain, as such attacks threaten economic security and national security. The CMMC encompasses the security requirements for controlled unclassified information (CUI) specified in NIST SP 800-171 for DFARS Clause 252.204-7012 as well as the basic safeguarding requirements for federal contract information (FCI) specified in FAR Clause 52.204-22.
- CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and government-wide policies, excluding information classified under Executive Order 13526 or under the Atomic Energy Act of 1954.
- FCI is information provided by or generated for the government under contract and not intended for public release.
Although DoD contractors have already been subject to requirements for data security and cyber incident reporting, they soon will be required to verify their level of compliance under the CMMC framework in order to continue serving the DoD.
What Are the CMMC Certification Requirements?
The CMMC sets forth five cybersecurity maturity certification levels and associated certification processes. Each CMMC level is cumulative and designed to provide the DoD with increased assurance that a contractor can adequately protect certain types of sensitive information, including CUI and FCI. For example, achieving level 3 requires satisfying all the requirements of levels 1 and 2. Each level provides a cybersecurity focus, process maturity level and practice maturity level:
|Level||Focus||Process Maturity||Practice Maturity|
|Level 1||Safeguard FCI||PerformedNo process assessment||Basic Cyber Hygiene17 practices (meeting FAR Clause 52.204-21)|
|Level 2||Transition step to protecting CUI||DocumentedDocument policies and implement practices||Intermediate Cyber Hygiene72 practices|
|Level 3||Protect CUI||ManagedEstablish, maintain and resource a plan||Good Cyber Hygiene130 practices (includes all NIST SP 800-171 plus others)|
|Level 4||Protect CUI and reduce risk of advanced persistent threat||ReviewedReview and measure activities for effectiveness||Proactive156 Practices|
|Level 5||OptimizingStandardize and optimize an organizational approach||Advanced/Progressive171 Practices|
The framework further divides the practices into 17 domains, with most practices contained in six domains: Access Control, Audit and Accountability, Incident Response, Risk Management, Systems and Communications Protection, and System and Information Integrity. The remaining 11 domains have most of their practices required for higher levels of certification.
What to Expect Next
The DoD will implement CMMC certification as part of its procurement processes in 2020. Select DoD requests for information are expected to have CMMC certification requirements this summer. By fall 2020, CMMC requirements are also expected for requests for proposals. Because the CMMC requires attestation by an accredited assessor, DoD contractors will need to obtain a certification from yet-to-be named assessors. The assessors are expected to be announced by the CMMC Accreditation Body. More information is available in the CMMC’s FAQs.
The Role of Counsel in CMMC Preparation
Any DoD contractor or subcontractor will need to become CMMC certified by an accredited assessor in the coming years. It is imperative that companies seeking DoD contracts or doing business with DoD contractors on projects involving CUI and FCI carefully consider the CMMC level that they will be required to achieve and prepare to undergo the CMMC certification process.
Companies also should consider whether and to what extent to conduct their pre-audit, preparatory activities under a claim of attorney-client privilege. The preparation process necessarily will require consideration of many areas on which legal advice may be necessary, including:
- Analysis of legal obligations under DFARS
- Cyber improvement priorities based on legal/regulatory considerations
- Advice on the scope of the company’s network that is subject to the CMMC certification requirement
- Advice with respect to controls that are impracticable, including whether compensating controls are sufficient with respect to particular CMMC requirements
- Advice on legal/regulatory risk mitigation in contracts up and down the DoD supply chain.
There are a number of steps companies should consider taking to support a claim of attorney-client and work-product privilege, keeping in mind that success on a claim of privilege is not guaranteed and may turn on jurisdiction-specific issues. These steps largely involve counsel:
- Taking an active role in the assessment process
- Implementing a strict confidential communications protocol
- Running meetings and conducting interviews to gather information pertinent to the legal issues
- Reviewing and revising draft reports
- Communicating work product to the company’s leadership
- Providing analysis of legal and compliance risks relevant to improving the DoD contractor’s chances of obtaining the desired CMMC certification.
Taking these precautionary steps can support arguments that may keep the pre-certification assessment and resulting list of compliance gaps out of the hands of regulators and interested plaintiff’s attorneys down the road, and provide confidence that legal issues have been considered in the CMMC certification process.