Legal and Regulatory

A Need to Know: New Cybersecurity Requirements for Defense Contractors

DoD has expanded cybersecurity requirements for defense contractors and subcontractors, which includes construction contractors working on DoD projects.
By Lori Ann Lange
December 31, 2020

Cybersecurity is of increasing concern to the federal government, especially the Department of Defense. Since the start of the COVID-19 pandemic, the number of ransomware, malware and phishing attacks has surged. As a result, DoD recently implemented new and enhanced cybersecurity requirements for defense contractors and subcontractors.

Defense contractors and subcontractors who process, store or transmit what is known as covered defense information (CDI) or controlled unclassified information (CUI) must have a cybersecurity program in place. Generally speaking, CDI and CUI are categories of unclassified information that are sensitive and cannot be released to the general public. Some government construction contracts include CDI/CUI.

Defense contractors and subcontractors who have access to CDI/CUI are required to implement the security requirements in the National Institute of Standards and Technology’s Special Publication 800-171. NIST SP 800-171 has 110 security controls, including controls on access to contractor computer systems, awareness and training of employees, incident response, personnel security and physical protection of contractor buildings and facilities.

Recently, DoD expanded its cybersecurity requirements for defense contractors and subcontractors beyond the NIST SP 800-171 controls through its Cybersecurity Maturity Model Certification Program. CMMC is designed to measure a defense contractor’s or subcontractor’s ability to protect CDI/CUI as well as Federal Contract Information (FCI) – a category of less sensitive government information that also cannot be released to the general public. Under CMMC, defense contractors and subcontractors (except those selling commercially available off-the-shelf (COTS) items) will have to be certified by a CMMC Third Party Assessment Organization (C3PAO).

Defense contractors and subcontractors will be certified to one of five levels:

  • Level 1 (Basic Cyber Hygiene);
  • Level 2 (Intermediate Cyber Hygiene);
  • Level 3 (Good Cyber Hygiene – equivalent to meeting the 110 controls in NIST SP 800-171);
  • Level 4 (Proactive); and
  • Level 5 (Advanced/Progressive).

To be eligible for contract award, defense contractors must be certified to the CMMC level specified in the DoD solicitation on which the contractor wants to bid. Defense subcontractors have to be certified to the level that is appropriate based on the type of CDI/CUI or FCI that the subcontractor will access. DoD anticipates that most defense contractors and subcontractors will not have access to CDI/CUI and will only have to be certified to Level 1. Defense contractors and subcontractors who will have access to CDI/CUI will have to be certified to Level 3 or higher.

DoD has just started its rollout of CMMC, and the program will not be fully rolled out until the end of Fiscal Year 2025. Starting on October 1, 2025, CMMC will be in all DoD solicitations and resulting contracts. In the meantime, defense contractors need to review any solicitations they are pursuing to see if there are CMMC requirements in the solicitation.

It is important to note that CMMC will not replace the requirement to meet the 110 NIST SP 800-171 controls for defense contractors and subcontractors who will have access to CDI/CUI. In fact, DoD is tightening up the requirement. Originally, defense contractors and subcontractors would self-certify their compliance with the 110 security controls. Defense contractors who did not meet all 110 security controls were required to implement a Plan of Action and Milestones (POAM) that identified the tasks that the contractor still needed to accomplish to be in full compliance and the scheduled completion dates for those milestones. Under CMMC, defense contractors and subcontractors have to meet all 110 controls to be certified to Level 3 or above. In other words, a defense contractor or subcontractor with a POAM will not be eligible to be certified to Level 3 or higher.

In addition, effective November 30, 2020, defense contractors and subcontractors have to conduct a self-assessment of their compliance with the NIST SP 800-171 security controls and report the result of that assessment to DoD in order to receive new defense contracts and subcontracts. A defense contractor or subcontractor who has implemented all 110 controls will have a score of 110. A defense contractor or subcontractor who has not implemented all 110 controls must use the scoring methodology to assign a value to each unimplemented control, add up those values, and subtract the total value from 110 to determine its score. DoD itself also may conduct an assessment if it has concerns about a defense contractor’s or subcontractor’s self-assessment.
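The scoring procedure just described (start at 110, subtract the value assigned to each unimplemented control) and the Level 3 rule from the preceding paragraph (any open POAM item disqualifies) can be captured in a small self-assessment calculator. The following is an added illustration, not code from the article or from DoD; the control identifiers, their point values and their implemented/not-implemented status are constructed sample data, since the article does not list the per-control values of the DoD scoring methodology, and a real assessment would cover all 110 controls.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Maximum score when every NIST SP 800-171 control is implemented, as stated in the article.
MAX_SCORE = 110


@dataclass(frozen=True)
class ControlResult:
    """One row of a self-assessment: a control, its point value, and whether it is met."""
    control_id: str   # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int       # value the scoring methodology assigns to this control (sample values here)
    implemented: bool


def _check_unique(results: Iterable[ControlResult]) -> List[ControlResult]:
    """Reject an assessment that lists the same control twice; a duplicate would
    be deducted twice and silently distort the reported score."""
    seen = set()
    rows = []
    for r in results:
        if r.control_id in seen:
            raise ValueError(f"control {r.control_id} listed more than once")
        seen.add(r.control_id)
        rows.append(r)
    return rows


def self_assessment_score(results: Iterable[ControlResult]) -> int:
    """Score = 110 minus the summed values of every unimplemented control.
    An assessment with every control implemented therefore scores 110."""
    rows = _check_unique(results)
    deducted = sum(r.weight for r in rows if not r.implemented)
    return MAX_SCORE - deducted


def poam_items(results: Iterable[ControlResult]) -> List[str]:
    """Controls that still need a Plan of Action and Milestones entry."""
    return [r.control_id for r in _check_unique(results) if not r.implemented]


def eligible_for_level3(results: Iterable[ControlResult]) -> bool:
    """Under CMMC as described above, Level 3 requires all controls to be met,
    so any open POAM item makes the contractor ineligible."""
    return not poam_items(results)


# Constructed sample assessment (identifiers and weights are illustrative only).
SAMPLE_RESULTS = (
    ControlResult("3.1.1", 5, True),    # limit system access to authorized users
    ControlResult("3.1.2", 5, True),    # limit access to permitted transactions
    ControlResult("3.3.1", 5, False),   # audit logging not yet in place
    ControlResult("3.8.7", 1, False),   # removable media use not yet controlled
    ControlResult("3.14.1", 3, True),   # flaw remediation in place
)

# Same controls with every one implemented, for comparison.
ALL_IMPLEMENTED = tuple(
    ControlResult(r.control_id, r.weight, True) for r in SAMPLE_RESULTS
)

if __name__ == "__main__":
    print("score:", self_assessment_score(SAMPLE_RESULTS))          # 104
    print("POAM items:", poam_items(SAMPLE_RESULTS))                 # ['3.3.1', '3.8.7']
    print("Level 3 eligible:", eligible_for_level3(SAMPLE_RESULTS))  # False
    print("fully implemented score:", self_assessment_score(ALL_IMPLEMENTED))  # 110
```

The duplicate check matters in practice: assessments are often assembled from several spreadsheets or system owners, and a control counted twice either inflates the POAM or understates the score that is reported to DoD.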

Currently, CMMC and the NIST SP 800-171 assessment are limited to DoD contracts and subcontracts. However, other government agencies likely will implement similar cybersecurity requirements in the future.

Cybersecurity is increasingly a key requirement for obtaining and performing federal government contracts, so it is important that contractors and subcontractors stay abreast of the government’s requirements. If they have not done so already, defense contractors and subcontractors need to take action now to prepare for CMMC. Defense contractors and subcontractors should evaluate the CMMC level that they believe applies to them. They should start by reviewing existing contracts and subcontracts to see whether those contracts and subcontracts involved CDI/CUI, as this is a good gauge of whether future DoD contracts and subcontracts will require access to CDI/CUI and thus of the CMMC certification level the contractor or subcontractor may require. Defense contractors and subcontractors also need to conduct the NIST SP 800-171 self-assessment by reviewing the 110 controls against their own cybersecurity programs to see how many controls they meet.

It takes time and money to implement an effective cybersecurity program. Defense contractors and subcontractors should act sooner rather than later to get up to speed with DoD’s cybersecurity requirements if they wish to continue to do work for DoD.

by Lori Ann Lange
Construction Attorney Lori Ann Lange is a partner and co-chair of Peckar & Abramson's Government Contracting & Infrastructure Practice, leading the firm's federal government contracting efforts. She represents a range of government contractors, including construction contractors, major defense contractors, information technology contractors, and service contractors.
