There are many reports that the effective date for the expected CMMC 2.0 rules will be delayed, perhaps to 2024. Should companies comply now with DoD’s cyber requirements? Yes – definitely.
The core DoD requirements are established in the regulations and imposed by contract. There are three regulations. The “Safeguarding” clause, at DFARS 252.204-7012, requires DoD contractors and their subs to implement the 110 security controls of NIST Special Publication (SP) 800-171 to protect the confidentiality of Controlled Unclassified Information. This clause has been around for years, and it is present in hundreds of thousands of DoD contracts and as a flow-down requirement in subcontracts at all levels.
The clauses at DFARS 252.204-7019 and -7020 have been effective since November 2020. These are present in many current DoD contracts. Every solicitation or RFP for new DoD business, if it might involve handling of CUI, will contain these clauses. This means that companies who bid on and receive contracts where the three DFARS clauses are present are legally obligated to comply with the stated requirements. The status of the pending CMMC 2.0 rules in no respect affects, defers, or otherwise justifies avoidance of these contract requirements.
The DFARS cyber rules serve purposes that have been and remain very important to the Defense Department. There are reams of evidence that hostile parties, particularly China, have stolen vast quantities of valuable but unclassified information from companies in the U.S. defense industrial base. This theft has boosted the ability of China to copy our accomplishments and, unfortunately, it threatens the mission capabilities of our military if our technological advantages have been compromised by potential foes who’ve hacked DoD suppliers.
According to an official DoD document, dated 22 June 2022:
Should DoD pursue such remedies against a company for ignoring its DFARS cyber regulations, the business consequences can be devastating. The company may struggle to be eligible for future DoD business, and it may be excluded by primes from subcontracting opportunities on DoD programs. Exposure goes beyond these contractual remedies. The Department of Justice has announced a “Civil Cyber Fraud Initiative,” with the intent of bringing actions under the False Claims Act against companies who knowingly, or with reckless disregard, fail to fulfill applicable obligations imposed by contractual requirements.
Companies should know that they now are required, by DFARS 252.204-7019, to perform a cyber self-assessment, using a DoD-specified methodology, and to report their score to DoD’s Supplier Performance Risk System (SPRS). SPRS is used to determine whether a company is presently “responsible” for award. Also in force now is DFARS 252.204-7020, which authorizes DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a unit of the Defense Contract Management Agency (DCMA), to assess whether contractors can document and support their claimed SPRS scores. Misleading the Government by filing an SPRS score without having a System Security Plan or other supporting evidence can result in serious contractual and legal risk.
Failure to comply with DFARS has security consequences apart from compliance implications. It is undeniable that hostile actors, including ransomware criminals, constantly seek to exploit targets with weak security. Every business, of any size, should act to reduce its exposure to breach or exploit. The NIST SP 800-171 security measures, as they are implemented, will help make companies more robust and resistant to attack, and more resilient and able to recover.
All the foregoing depends entirely on existing regulations, now in force, and now in contracts. The CMMC 2.0 rules do not change the basic implementation obligation, which is in the DFARS -7012 clause, or the baseline cyber requirements, which are stated in the well-established NIST SP 800-171. When the CMMC 2.0 rules are effective, many companies will be subject to mandatory third-party assessments, by credentialed assessors (C3PAOs). Contract eligibility may depend upon receipt of “certification” that follows a successful assessment.
To be clear, the assessment feature of CMMC 2.0 will increase the pressure on DoD industrial participants. But CMMC 2.0 assessments are to validate compliance with today’s DFARS regulatory requirements – DFARS 252.204-7012, -7019, and -7020. Defense suppliers are obliged today to comply with these clauses. Starting early, and doing it well, improves security now, demonstrates compliance, and reduces the risk of problems later once assessments are mandated by the new rules.
Robert S Metzger is widely recognized as one of the nation’s top government contracts, compliance and cybersecurity attorneys. He heads the Washington, D.C. office of Rogers Joseph O’Donnell, PC, a law firm that has specialized in government contracts for over 40 years. Bob is a shareholder and co-chair of the firm’s Cybersecurity and Privacy Practice Group.