BLUF: Government representatives have stated that complying with CMMC 2.0 Level 2 shouldn’t cost contractors or the government anything, because contractors have been attesting to the government for years that they are doing these things. This article explores why this is correct only for a small minority (17 out of 110) of the controls in CMMC 2.0 Level 2.
Cybersecurity has moved well beyond something only IT staff needs to worry about. It is a fundamental business imperative on par with good accounting. And the benefits of a strong cyber program go beyond just an organization itself; the organization’s customers and all those in the organization’s supply chain also benefit.
Over the past few years, the US Department of Defense (“DoD”) has applied increasing pressure to get government contractors to accept this new reality. But contractors are resisting.
As trite as it may sound, contractors’ reluctance to enhance their cybersecurity programs typically comes down to cost. Retrofitting an organization’s systems to address today’s cybersecurity reality is expensive, which inherently means that goods or services delivered through such a system will cost more.
To date, most customers, including corporations and governments, have not taken a vendor’s actual cybersecurity posture into account when they make a purchasing decision. Although sophisticated corporate buyers are starting to ask cybersecurity-related questions of some of their suppliers, most purchases are still made based on price. This means there is little, if any, motivation[1] for vendors to implement cybersecurity controls when their competitors who don’t implement controls are rewarded with sales/contracts because the competitors’ goods or services cost less.
Cybersecurity Requirements in Government Contracts
To be clear, the federal government HAS been requiring at least a modicum of cybersecurity protection from essentially all[2] contractors since 2016. After four years of planning, on May 1, 2016, DoD, GSA, and NASA issued Federal Acquisition Regulation (“FAR”) 52.204-21. This is referred to as “the -21 clause” in this article. The -21 clause describes fifteen[3] basic safeguarding protections[4] (also referred to as “controls”) that a contractor organization is expected to have in place whenever the contractor is storing, processing, or transmitting (i.e., “handling”) Federal Contract Information (“FCI”)[5].
“The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls: …” (FAR 52.204-21(b)(1))
To date, the government has rarely enforced the -21 clause. The Executive Branch, as a whole, has yet to adopt any other regulations that make a contractor’s cybersecurity a priority. This means companies which turn a blind eye toward the -21 clause requirements are rewarded with contracts because their cost of delivery is less than that of their competitors which comply with the clause. They know that the government is not likely to even ask any questions beyond requiring that the -21 clause be embedded with the numerous other provisions in a typical contract.
DoD Amps Things Up
In 2017, as a follow-on to the broader FCI protections in the -21 clause, the United States Department of Defense (“DoD”) published two DoD-specific acquisition clauses in the Defense Federal Acquisition Regulations Supplement (“DFARS”). DFARS 252.204-7008 and DFARS 252.204-7012 (“the -7008 clause” and “the -7012 clause”, respectively) impose additional cybersecurity requirements on those handling Controlled Unclassified Information[6] (“CUI”) on behalf of DoD. The -7008 and -7012 clauses require that any contractor who handles CUI must not only have in place the basic safeguarding requirements from the -21 clause, but also 93 additional cybersecurity controls defined in the National Institute of Standards and Technology (“NIST”) Special Publication 800-171.
“By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” […]) that are in effect at the time the solicitation is issued or as authorized by the contracting officer, not later than December 31, 2017.” (DFARS 252.204-7008(c)(1))
As with the -21 clause, to date, the government has not aggressively enforced the DFARS cybersecurity requirements. As a result, contractors are not incentivized to adopt compliant cybersecurity programs.
Enter CMMC and the 2020 Interim Rules
To their credit, this is exactly what the Office of the Undersecretary of Defense for Acquisition and Sustainment (“OUSDA&S”) realized several years ago. For at least the past 3 or 4 years, they have been pushing for changes to the government’s acquisition model that focus on encouraging compliance up front. This is the origin of the Cybersecurity Maturity Model Certification (“CMMC”) program[7].
Since CMMC was first rolled-out, Katie Arrington and others from OUSDA&S made it clear that cybersecurity needed to be more than just a “pillar” of acquisition. They repeatedly stressed that cybersecurity needs to be the foundation upon which purchasing decisions are made.
Under CMMC 2.0, the latest version of the CMMC program, the majority of contractors which handle CUI must obtain third-party certification that the contractors’ cybersecurity programs meet all of the controls defined in NIST SP 800-171. This creates a positive incentive (being allowed to bid on a contract) that rewards proactive contractors, rather than trying to weed out the bad actors[8] after those contractors have allowed government information to be leaked to our adversaries, allowed their goods or services to be compromised by our adversaries, or worse.
A recent study suggests that over 3/4 (>75%) of government contractors are not meeting the -21 clause requirements. An even greater percentage is likely not meeting the requirements in NIST SP 800-171. The CMMC program is therefore expected to significantly strengthen our nation’s overall cybersecurity posture, and especially the posture of our government contractors. However, the cost of goods and services delivered under the CMMC program will go up, and arguments to the contrary by government officials are misplaced.
Subtle but Critical Differences
Government officials’ reliance on the -7008 and -7012 clauses when it comes to cost analyses for CMMC suffers from some significant flaws. In addition to the lack of enforcement described above, which created a status quo that permitted incomplete adoption of the requirements, there is also a fundamental difference in the approaches taken in the FAR and the DFARS that further complicates DoD’s reliance on the existing DFARS clauses.
The -21 clause lays out fifteen requirements and states unequivocally that they must be met. By contrast, the -7008 and -7012 clauses refer to implementing the security requirements in NIST SP 800-171, and NIST SP 800-171 does not require full adoption of all 110 controls[10].
Instead, NIST SP 800-171 only requires that contractors develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in the contractors’ systems. NIST SP 800-171 does not require that the deficiencies be remediated in a particular timeframe. Or at all. This means that contractors can meet the -7008 and -7012 clause requirements without investing in the actual steps that make the contractor more secure.
The $0 CMMC Level 2 Compliance Fallacy
The discrepancy in the approaches taken in the FAR and the DFARS causes a problem when it comes to the government’s more recent assertions that complying with CMMC and/or the DFARS 252.204-7019 and DFARS 252.204-7020 clauses shouldn’t be a cost burden on contractors. The result is subtle, but it is important because these differences will result in increased costs for contractors compared to today’s compliance requirements.
As noted above, the -21 clause requires that contractors actually implement the basic safeguarding controls. These are the same controls that are required under CMMC Level 1. Therefore, current government contractors who argue that those requirements, or their imposition via CMMC Level 1, will increase the contractors’ costs are effectively admitting that they have not implemented the requirements and, in turn, that they are in violation of the False Claims Act. This is not likely to be a good position for most contractors to take.
By contrast, as discussed above, the -7008 and -7012 clauses simply require that contractors create plans to address, not actually address, any deficiencies identified in their programs. Therefore, it is not unreasonable for contractors to assert that, under CMMC 2.0 Level 2, the costs associated with addressing deficiencies in the remaining 93 controls are new and are likely to necessitate cost increases. Such assertions are also not likely to create False Claims Act jeopardy for the contractors based on the contractors’ -7008 or -7012 assertions given the inherent issues with NIST SP 800-171.[11]
Assertions by government representatives that, since contractors are already attesting to their compliance with the -7008 and -7012 clauses, complying with CMMC 2.0 Level 2 should not cost a contractor anything are therefore incorrect, at least with respect to the vast majority of the CMMC Level 2 controls. When analyzing the potential cost impact of CMMC on the government, these additional costs cannot be ignored. The cost of delivering goods and services under the CMMC program will increase for the vast majority of contractors. Contractors are entitled to pass along those costs to their customers, including the federal government. Failure to allow contractors to recoup at least the portions of the costs that can be allocated to the contractors’ government contracts will simply incentivize contractors to cheat. We cannot afford to allow that to happen, or the status quo will remain.
Notes
[1] Incentives Through Penalties – The government’s current acquisition system does not reward contractors who invest in cybersecurity. Instead, it focuses on trying to find the “bad apples” who are not meeting their contractual requirements. The US Department of Justice (“DoJ”) recently increased staffing and enforcement efforts around government contracts fraud. DoJ’s efforts include a specific eye toward enforcing cybersecurity requirements in government contracts. These “false claims act” cases can arise in a variety of ways, including contractors suffering data breaches or ransomware attacks, or if a whistleblower at the contractor alerts the government. As the number of these false claims act cases increases, more contractors may see a financial motivation to invest in cybersecurity. But the government will have to ensure there are a statistically significant number of enforcement cases before any real impact on the contractor base will be seen. And by then it may be too late.
[2] VERY Limited Exceptions – The government did recognize that some contractors should be exempt from these requirements, and they created a few exceptions. For example, contractors providing Commercial off the Shelf (“COTS”) products or contractors which are only handling simple transactional information, “such as that necessary to process payments,” are not subject to these requirements. As a practical matter, the vast majority of contractors will not qualify for an exception. There are a few practical reasons for this, including: a) many RFPs include nonpublic information; and b) contractors routinely exchange nonpublic government-related information with the government or their prime contractor throughout the contract lifecycle. This means that most contractors handle FCI and would not qualify for the exception.
[3] When 15 = 17 – The 15 requirements in the -21 clause are derived from 17 controls in NIST SP 800-171. When they were written into the FAR, a few of the requirements were consolidated.
[4] Basic Safeguarding Requirements – Examples of the basic safeguarding requirements include:
- prohibiting the general public from entering spaces where FCI is kept and logging visitors to those spaces;
- limiting access to computer systems that handle FCI such that only authorized individuals can use them;
- ensuring that any FCI is properly sanitized or destroyed from all physical media, such as hard drives, CD-ROMs, USB drives, and backup tapes; and
- installing, updating, and running anti-malware software on any systems that handle FCI.
[5] FCI – As defined in the -21 clause, FCI is essentially any non-public information that a contractor creates or receives under a government contract.
[6] CUI – Controlled unclassified information is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. Examples of CUI include: unclassified nuclear information; personally identifiable information, like social security numbers; and healthcare records. The National Archives and Records Administration (“NARA”) maintains a list of various information types that meet the CUI definition and the laws and regulations that make the information CUI. This list is referred to as the CUI Registry.
[7] CMMC – The CMMC 2.0 program requires that contractors comply with the controls defined in NIST SP 800-171, but adds a third-party certification requirement for most contractors handling CUI.
[8] Attestations and Enforcement – Every time a contractor signs a contract, and again every time the contractor asks for payment, that contractor makes an attestation to the government that all of the basic safeguarding requirements in the -21 clause are in place. Each attestation carries with it some pretty hefty fines and penalties, including possible debarment (i.e., being prohibited from supplying goods or services to the government), if the contractor isn’t meeting the requirements.
[9] Updating the -21 Clause – FAR 52.204-21 was initially crafted nearly a decade ago, and has largely been unchanged since its publication. The nature and number of cybersecurity threats have significantly changed in the intervening years, and the Executive Branch should consider updating the -21 clause to better reflect today’s cybersecurity landscape.
[10] NIST SP 800-171 – NIST SP 800-171 includes four relevant controls, 3.12.1 through 3.12.4. These controls require that the organization:
- 3.12.1 – Periodically assess the security controls in organizational systems to determine if the controls are effective in their application;
- 3.12.2 – Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems;
- 3.12.3 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls; and,
- 3.12.4 – Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
[11] Due Diligence – The False Claims Act creates a minefield for contractors, and contractors should carefully document all of their compliance steps, especially in light of the DoJ’s recent announcements (see footnote 1). This would include, for example, documenting how/why the organization complies with each control and objective defined in NIST SP 800-171A (the assessment guide for NIST SP 800-171), and ensuring POA&Ms are created for each deficiency. Under 3.12.3 and 3.12.4, this information must be regularly reviewed and updated.