DoD Contractors Beware: CMMC & DFARS 252.204-7012 & NIST SP 800-171
Later today, the Department of Defense will release version 1.0 of its Cybersecurity Maturity Model Certification ("CMMC"). With the CMMC moving full steam ahead, several new pieces of information (below) have come to light regarding the timing of when the CMMC will appear DoD solicitations and the CMMC Accreditation Body's ("CMMC-AB") efforts to train the third-party assessors who will be performing CMMC assessments.
Given that this recent news might cause some defense contractors to think they have some breathing room with respect to their cyber compliance efforts, this article serves to provide a brief reminder about the requirements under Defense Federal Acquisition Regulation Supplement ("DFARS") 252.204-7012 clause and National Institute of Standards and Technology Special Publication ("NIST SP") 800-171.
DoD anticipates that, by the start of FY21, 15 contracts (or so) will include the requirement that offerors meet one of the five CMMC levels (as a "go/no-go" threshold) to be eligible for an award. According to reports, offerors will likely need to be assessed at a level equal to or greater than the CMMC "go/no-go" threshold at the time of award.  In addition, DoD anticipates that third-party assessors will have completed about 1,500 CMMC assessments by the start of FY21 and about 7,500 more by FY22.
So, while the chances of being one of the small number of defense contractors competing for an award (this fall) under a solicitation that contains a CMMC "go/no-go" threshold are relatively slim, that does not mean everyone else is in the clear or that there is nothing to worry about until FY21 or FY22. Contractors should remember that these figures are only current estimates/goals and that DoD could increase the number of solicitations issued this fall that contain CMMC "go/no-go" thresholds.
Moreover, despite all the buzz surrounding the CMMC, when DoD releases v1.0 later today, it will not immediately change the current state of cybersecurity within the defense industrial base. In other words, for now, the status quo remains. So, what does that mean?
CMMC & DFARS 252.204-7012 & NIST SP 800-171
The CMMC is the standard that third-party assessors will adhere to when assessing the cyber maturity of defense contractors. Under the CMMC, defense contractors will need to obtain a third-part assessment of their cybersecurity posture (which ranges from basic to advanced cyber hygiene). After the third-party assessment, contractors will be given a CMMC rating (Levels 1–5) depending on the maturity of their cybersecurity capabilities, practices, and procedures. Notably, draft versions show that CMMC Level 3 meets the requirements under NIST SP 800-171.
When CMMC v1.0 is released, it will not immediately be, or be incorporated into, a DoD regulation and it will not immediately replace the requirements under the DFARS 252.204-7012 clause.
On the other hand, DFARS 252.204-7012 is a DoD contract clause that, among other things, requires contractors to provide "adequate security on covered contractor information systems." When the DFARS clause is utilized in DoD solicitations/contracts, defense contractors are required to self-certify that they are in compliance with the cybersecurity controls under NIST SP 800-171. The CMMC seeks to bolster this regime by incorporating maturity into a contractor's cybersecurity efforts as well as requiring third-party assessments.
So, while the CMMC brings an added twist to cyber-securing the defense industrial base, contractors should beware that, despite recent DoD figures and timetables, the DFARS 252.204-7012 clause, including self-certifying compliance with NIST SP 800-171, remains undisturbed... for now.
CMMC could take five years to fully roll out and it may not really gain momentum until FY21.
Expectation is that third-party assessors will certify about 1,500 vendors in 2021, 7,500 more by 2022, and 25,000 more by 2023.
In the coming weeks, DoD will release an update to the Defense Federal Acquisition Regulations to incorporate CMMC into DFARS 252.204-7012 (goal of finalizing the rule by September).
Most contracts will default to CMMC Level 1; however, if you are touching CUI, and you have the DFARS 252.204-7012 clause in your contracts, then you will need to certify at CMMC Level 3.
The CMMC-AB will begin training third-party assessors this spring.
At least 15 contracts to include the CMMC requirements by fiscal year 2021.
At least 1,500 certified contractors by fiscal year 2021.
Ty Schieber, the CMMC Accrediting Body chair, told FCW following the event that "solidification of schedule will occur once we get the relationship codified" via memorandum of understanding and "mutually agree upon what we can do and what that means in terms of hitting those guidelines."
DOD is also in the initial planning stages for its CMMC databases and infrastructure and plans to launch a pathfinder effort in March with beta testing in July.
 It is unclear, however, if DoD will eventually require offerors to meet a CMMC "go/no-go" threshold at the time of proposal submission.
. . .