While the coronavirus (“COVID-19”) has upended much of American life, it appears as though it has had little impact on the Cybersecurity Maturity Model Certification (“CMMC”) program. The Chief Information Security Officer (“CISO”) for the Department of Defense’s (“DoD”) Acquisition Office confirmed on a webinar this month that the DoD has officially entered into an agreement with the nonprofit accreditation body for the program. While the memorandum of understanding (“MOU”) has not been released publicly, it is expected soon and is yet another confirmation that the CMMC requirement for all DoD government contractors is still coming to the Defense Industrial Base in the coming months. Among the many things expected to be covered in the MOU is the training requirements for the Certified 3rd Party Assessment Organizations (“C3PAO”) that will ultimately be responsible for certifying the 300,000+ DoD contractors by 2025.
However, it is also widely anticipated that the CMMC will eventually extend past DoD contractors to include civilian agencies as well. While details are still being worked out, the DoD’s CISO recently met with the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) to discuss CMMC and how it could translate eventually to civilian, non-defense federal contractors.
The CMMC, based largely upon the National Institute of Standards and Technology (“NIST”) SP 800-171 standard, provides five (5) levels of maturity which will be required for contractors who desire to do work with the DoD. Every contract, from Other Transactions Agreements (“OTA”) to Small Business Innovation Research (“SBIR”) contracts and even grants, will be marked with a corresponding CMMC level that bidding contractors and their subcontractors must meet in order to bid for a contract. The current timeline has the first requirements being rolled out in RFIs later this summer and then in initial RFPs in the fall. These RFPs are expected to cover a range of requirements and set the stage for what contractors, C3PAOs and the government can expect in the years to come. It is estimated that less than 1 percent of RFPs will require a Level 4 or 5. Rather, the bulk will cover Levels 1 through 3 with the majority of those being Level 1. Level 3, required when a contractor is handling Covered Unclassified Information (“CUI”) and therefore most closely aligned with the NIST 800-171 requirements of the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, currently stipulates on-site visits by C3PAOs for certification. Due to COVID-19, this is currently being addressed by the DoD and the CMMC Advisory Board (“CMMC AB”).
While becoming certified at the different levels will come with a cost, it should be noted DoD has issued guidance that the costs should be considered allowable. The expense for certification would be recoverable based on contract type but can and should not be questioned for contract pricing and estimating. Typically, the cost would be included as part of an indirect pool and allocated to all flexibly priced contracts through the application of the contractor’s indirect rates. If the contractor has fixed price contracts, the indirect costs would be a part of the fixed price amount charged to the government.
Cherry Bekaert will continue to provide updates as things progress but, with this recent confirmation by the DoD, we are still recommending to our clients that they not wait and get started now. In addition, we are encouraging those contractors serving civilian agencies to also begin familiarizing themselves with CMMC. If you have any questions, feel free to contact us.