A key aspect of the new CMMC is how it alters DFARS 252.204-7012 requirements

Even though the new Cybersecurity Maturity Model Certification (CMMC) is meant only to add a verification component to the security requirements in DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), there is one area where it changes the clause: sub-contractors.

Currently, vendors doing work for the DoD need to comply with subsection (m) of DFARS 252.204-7012, which states: “Contractor shall include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties”.

The language in the first drafts and presentations of CMMC implies that the standard for flowing down the requirement to be certified to at least level 1 will no longer depend on whether the sub-contractor is handling covered defense information. Instead, all companies conducting business with the DoD will be required to be certified, including sub-contractors. Under the new CMMC language, which is scheduled to be inserted into RFPs starting next year, the required CMMC level will be contained in sections L & M of the Request for Proposals (RFP), making cybersecurity an “allowable cost” in DoD contracts. The result would be that the government bears some, if not all, of the cost of getting everyone certified.

With the cost being subsidized, the big question will be whether small businesses that are sub-contractors on DoD contracts can obtain a level 1 certification. Fortunately, the current description of level 1 requirements appears to be a low threshold that can be reached by following rudimentary cybersecurity best practices.

As always, the details are what will matter when CMMC is finally launched, but as of now one of the biggest impacts will be the inclusion of a significant number of companies that had previously been exempt from DFARS 252.204-7012.

(m) Subcontracts. The Contractor shall—

(1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and

(2) Require subcontractors to—

(i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(B) of this clause; and

(ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause.

—————

Andre (Andy) Barrera is an Information Systems Security Manager (ISSM) at the RAND Corporation. Prior to that, he worked as a Lead Associate at Booz Allen Hamilton in their government cybersecurity practice serving Los Angeles Air Force Base. Andy also served in the United States Air Force and has more than 20 years of cybersecurity experience spanning the public and private arenas.