Questions about the CMMC interim rule? Two lawyers have answers

Two contract lawyers take on what vendors really need to know about the Cybersecurity Maturity Model Certification program.

The Defense Department released its interim rule instructing contractors on how to comply with cybersecurity guidelines in September. But with less than 45 days until it goes into effect, many companies still have questions about what they should do and when.

Defense Systems talked with contracting attorneys Kelly Kroll and Michelle Litteken with the Morris, Manning & Martin law firm to get answers on pressing questions about the interim rule for the Cybersecurity Maturity Model Certification program.

What were your first impressions of the interim rule? Did it raise any questions?

KROLL: There are two parts to it. One part was the five-year plan rollout for the CMMC, which is not surprising. The obvious new part that caught everybody a little off guard, and kept us busy with client inquiries this week, was the DOD assessment for compliance with the NIST 800-171 standards, and this new heightened requirement.

DOD already had the requirement; they could self-certify, but when you're self-certifying, people tend to check boxes and move on and may not necessarily have been doing the level of due diligence they should be doing. So this new requirement, where you have to basically make an affirmative statement about your compliance with the NIST standards, in combination with the short turnaround, has really thrown some people off guard, because there are some clients of ours that already have DOD proposals for awards in the next month-and-a-half and they're kind of like 'Do I need to do this now? Is this going to start applying to me? Should I be doing a basic assessment? How do I do it?'

LITTEKEN: Procedurally, I think it's surprising that it came out as an interim rule given how significant the implications are for industry. So changes are possible in the future and people can submit comments, but they're going to have to start responding most likely November 30.

What would you advise to companies looking at the rule with upcoming contracts or proposals that they're looking to submit? What would they need to do at this stage?

KROLL: At a minimum, we're telling our clients that are bidding on DOD contracts that they need to, first of all, familiarize themselves with the 110 NIST standards, which are basically a checklist of items that you need to go through. We're advising our small- to mid-sized clients to [figure out] how they apply to you, and whether you can comply with them.

Some of them are savvy enough at IT and cybersecurity that they can understand and get through some of them, but a lot of them are going to need outside help. What we've been advising them in that sense is to get a third-party consultant to help through this process.

The problem is, because CMMC is not officially rolled out yet and they haven't identified these third-party certifiers, there's kind of this "Gotcha!" where if a company needs to go outside and get help for a basic assessment, which is like CMMC-light…they pay someone to help them with the basic assessment, then CMMC comes out and they want to be CMMC-certified. But that same company that helped in the first place, they can't use it because they may not be one of the official Certified Third Party Assessor Organizations. So now they have to go find another company and do it all over again. They'll be in a better position, but there's just the cost aspect of it that I don't think DOD is really taking into consideration with the basic assessment. I think they think the basic assessment is going to be a lot easier to implement than it really is for industry.

Is there a need for more guidance now that the interim rule has teeth?

KROLL: Government contracts have a whole bunch of federal acquisition regulations incorporated by reference, and if you were actually going to print out all those regulations, you'd have several books full; the contract would be several hundred thousand pages long. So small businesses, they check the boxes, they move on…. [The interim rule] has a little bit more teeth, there's a little bit more scrutiny on your assessment versus checking a box, so now they're concerned.

One client's first question was whether the Small Business Administration had set up a resource for [companies] to go to so they can do this for us and we don't have to pay for it. And I was kind of like, well, that would be nice, but no. So we're getting those kinds of inquiries, like why would a small business be expected to incur some of these costs when they do less than $100,000 to $200,000 a year in business with DOD. That might be a large chunk of business for them, but to then have to go spend $20,000 to make sure that they're not going to get in trouble with this assessment issue, it's a big jump for them.

What are the options and requirements for these businesses at this point? Do you just have to find the money no matter what your business level with DOD is?

LITTEKEN: There is no kind of "you need to have 'X' number of contracts" in the rule. As soon as you have one contract where this applies, or potentially subcontracts, it's going to be a question of can you comply and, if so, how quickly. The NIST standards aren't foreign territory to most government contractors who do business with the DOD.

KROLL: There really are no waivers; the only exception is for commercial off-the-shelf items, which is good because previously that wasn't there. The one highlight, if you will, is the interim rule said we're not going to apply this to people who sell pencils and toilet paper to DOD. There are no heightened security concerns about the IT systems of the guy selling me pencils and pens. So that's the positive part of the rule. But other than that, there are no exceptions for small businesses, there are no exceptions based on dollar threshold or anything like that.

What are the important dates people need to be aware of other than that it goes into effect Nov. 30?

KROLL: It's going to depend on their contracts. Any contracts that are issued or modified after Nov. 30. So people that have proposals in queue now, they need to look at their solicitations to see if it includes the operative DFARS clause, and more than likely the contracting officer is going to say 'you have to do this before I can make the award.' Those are the people that need to really act more quickly than others. But then contractors that have options coming up, such as in December or January or whatever their option year is, they have to start thinking about when the contract's going to be modified to extend the option, because the contracting officer could very well say, 'okay, you need to do not only this basic assessment, but by the way, we're going to come in and do a medium or high assessment.' That's always a possibility, too. My reading of the rule is that DOD has an office that is just going to pick which contracts those are, and who knows if you're going to get picked or not. And I'm assuming those will be higher-level, classified-type contracts with some of the bigger companies, but we'll see.

You don't know what you don't know. What's the most important question people aren't asking or that isn't being considered enough?

KROLL: Even if we determine this doesn't apply to you because you're supplying COTS or something like that, what's going to come up after this gets implemented is the FAR on the civilian side of everything is going to pick up the same CMMC requirement, and they're gonna piggyback off of this, and now it's gonna apply to civilian agencies. So if you're doing business with the Environmental Protection Agency or the General Services Agency or Treasury Department, all of a sudden this is gonna apply to you as well. And then it's gonna possibly go to the corporate world as well. So it's coming. To me, it's almost like go with the wave and be at the front of this and get yourself in a position where you are covered.

LITTEKEN: I think one thing people aren't necessarily thinking about is that people are gonna be hiring consultants or companies to come in and help them get up to the standards, but they're not necessarily asking whether this company is gonna be able to come in and do a certification down the road if that's necessary, or whether there will be a conflict of interest. Because from what I've heard from DOD personnel, and they didn't issue the rules about how accreditation is gonna work, the companies that are allowed to do the accreditation are not going to be allowed to also go in and help companies before that accreditation to get up to standards. So companies may be assuming that they're gonna be able to get a good deal or a two-for-one or something like that. But when those rules come out or are further clarified, that may not be an option.

What should people really be paying attention to?

LITTEKEN: I think people should be looking out for how the system actually rolls out. When a client asked 'how do I actually do the mechanics of this,' we had to go and look again at the rule, because it's very nuts and bolts; it's not something you necessarily focus on. And it contemplates, for a basic assessment, a system where a contractor puts together an email with basically six or seven items that are identified in this rule that need to be submitted. And if there are multiple systems or subsystems, there's a special chart you're supposed to put your information in, and then you send that in to the single email address, and then someone within the government is going to look at that and then put you into the system. And then other contracting officers and acquisition people are going to be able to come and look at that system and check whether, you know, the contractors are in there and have the requisite assessment for the procurement at issue.

But in recent years, we've seen a lot of government websites and systems like this not operate like they're supposed to. So I'm curious to see what happens when it's day one and everything needs to start working: is it going to work the way it's supposed to?

It's an interim rule, so it could change. It could change in December. It could change next year. I think we all know that cybersecurity is going to be a long-term focus for the government and for private industry. But the specific requirements could change, and the way that it's being implemented could change. So I think people just need to stay tuned and try to be a little bit flexible to the extent they can, because everything is in flux at this point.

This interview first appeared on FCW, a Defense Systems partner site. It has been edited for length and clarity.
