An interim rule released this week by the Pentagon raises issues about the transparency around audit results from assessors and who will have access to the information under DOD’s landmark cyber certification program, according to supply chain attorneys.
The rule sets up the implementation of the Cybersecurity Maturity Model Certification program and a new set of requirements for contractors who want to do business with DOD, through the National Institute of Standards and Technology Special Publication 800-171 and the CMMC Framework. The rule was published Tuesday in the Federal Register.
Attorneys who specialize in supply chain issues and advise industry on meeting federal cybersecurity requirements discussed with Inside Cybersecurity their first impressions on the rule and questions that they hope to see the Defense Department address before the rule goes into effect on Nov. 30.
All of the assessment results conducted for 800-171 and CMMC will be uploaded to DOD’s Supplier Performance Risk Management System, which will give DOD and its components access to the information. However, attorney Susan Cassidy, a partner at Covington, said she is concerned about how the relationship will work between the prime and subcontractor.
“All contractors will need to have a basic assessment [under 800-171] done for any new contract actions once the rule is effective,” Cassidy said. “And a prime will not be able to award a subcontractor unless that subcontractor has a basic assessment score. But it appears that prime contractors will need to rely on certifications from subcontractors as to whether that assessment has been done because contractors only will have access to their own information in SPRS.”
Cassidy said it is “not entirely clear” how the information submitted to DOD will be used and more clarity is needed on medium and high assessments for 800-171 and how to resolve disputes over results between the assessor and contractors. In addition, there is confusion over who will complete the assessments for 800-171--the Defense Contract Management Agency or individual DOD components, Cassidy said.
“There is a lot of information that will be collected by DoD and it is not entirely clear how it will be used,” Cassidy said. “As always, contractors will need to be careful and accurate in their assessments, but the 800-171 controls do allow for some interpretation.”
The basic assessment submitted could also raise concerns under the False Claims Act, according to Robert Metzger, co-chair of Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group.
Companies need to realize when submitting their basic assessment information “where required by regulation and contract clause could expose them to serious sanctions, potentially including liability under the False Claims Act, should they knowingly or recklessly misrepresent their state of compliance as represented by the score,” Metzger said.
Holland & Knight partner Eric Crusius said the self-assessment allowed under 800-171 requires contractors to “be especially careful…because now third-parties (be it the government or an assessor) can come in and verify compliance. While some DoD verification of compliance with 800-171 is to be expected, it will be interesting to see how voluminous these audits are and how they impact a CMMC assessment.”
Timeline for CMMC compliance
While the rule goes into effect in November, attorneys agreed the process to roll out the CMMC program itself sets out a reasonable process for contractors who are following DOD’s current standards for cybersecurity.
DOD will require all contractors in the defense industrial base to get certified by Oct. 1, 2025, and new contract solicitations with CMMC requirements will require approval by Office of the Under Secretary of Defense for Acquisition and Sustainment. Cassidy said these provisions in the rule “will hopefully result in coordination” among the Defense Department, its components and contractors to ensure the “roll out is not too quick.”
The rule assumes that contractors are already meeting the requirements in 800-171, mandated under the current standard Defense Federal Acquisition Regulations Supplement clause 252.204-7012.
“As expected, DOD made clear the compelling need for why it chose to issue an Interim Final Rule and left limited room for the private sector to push back on the 60-day deadline, drilling into the timeline for when varying mandates and requirements have been in effect since 2013,” said Norma Krayem, vice president and chair of Cybersecurity, Privacy & Digital Innovation Practice Group at Van Scoyoc Associates.
Krayem continued, “More challenging to contest are situations where companies have been attesting they meet current cyber requirements in the DFARS. The biggest challenge will be for those companies have been attesting they meet the standards but in reality don’t, they will have the hardest up-hill climb to quickly become compliant.”
The Pentagon lays out “new gates that will govern when and to whom the rule applies,” Metzger said. “Only if required by a solicitation or Statement of Work must a contractor have a specified CMMC level -- and then only if the CMMC requirement is approved by the Office of the Undersecretary of Defense (Acquisition and Sustainment).”
Metzger said the five-year time frame will give DOD “a lot of time to work out the details, correct mistakes and improve the regulations.”
More clarity is needed over the process to adjudicate disputes between contractors and their assessors over results of CMMC audits, according to Metzger.
“The Interim Rule discusses a dispute resolution process that is to occur within the Accreditation Board,” Metzger said. “And DoD clarifies that CMMC level certification -- when included as a solicitation requirement -- is to be determined ‘at the time of award’ rather than at the time of proposal or offer submission or after contract award. While this makes sense, there are likely to be protests as to how the Government evaluates offerors who submit proposals without having the required CMMC certification in hand at the time of proposal.”
Cassidy said she questions how the actual audit and certification process will work. She pointed to the lack of guidance “on how contractors can contest assessments they disagree with, whether a contractor can seek a new assessment in the midst of the three-year period, a/or how conflicts for assessors will be addressed.” -- Sara Friedman (email@example.com)