September 11, 2024

Podcast - Cybersecurity Roundup: Analyzing New and Proposed Rules for Contractors

Regulatory Phishing Podcast Series

In this episode of "Regulatory Phishing," government contracts and cybersecurity attorney Eric Crusius delves into the latest developments from the Cybersecurity Maturity Model Certification (CMMC) program, the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA). Mr. Crusius looks at the implementation timeline for new and proposed regulations from these entities and considers the potential implications of the False Claims Act and the presidential election.

Eric Crusius: Hi everyone, this is Eric Crusius. Welcome to the latest episode of Regulatory Phishing. It's been a while since we last met. The podcast was a little bit of a victim of its own success, and things got very busy. But the good news is we've carved out some more time in everyone's schedule, so we can restart these episodes again. And now we have this one here, which is going to look back at what has happened since we last spoke. There's been a lot of activity in the cybersecurity space, and I thought this episode would be a good way to walk through it and talk about where we've been in the last few months, because I think it will help inform where we're going. I think that the next six months or so promise to be very active in this space. There are a lot of things that are on the cusp of coming out. There are quite a few things that have recently come out that are impacting contractors in this space. So, buckle up and let's go through it all.

The Cybersecurity Maturity Model Certification (CMMC) Program Proposed Rule

Let's, of course, start with the Cybersecurity Maturity Model Certification program, known as CMMC. The programmatic rule — proposed rule, I should say — came out on December 26 of 2023, and that was a doozy. It had a lot of information in it and a really interesting roadmap on where we think the CMMC program is going to go. DoD is proposing a very aggressive rollout of the program, with self-assessments required in all new contracts essentially immediately after the final rule is effective, and third-party assessments required under phase two, which is six months after rule implementation.

Now, think about the three levels of CMMC. Level 1 is a self-assessment, Level 2 is a split level with some contractors needing a self-assessment and other contractors getting a third-party assessment, and then Level 3 builds on top of a Level 2 third-party assessment, requiring an assessment from DoD. Now, with Level 2 being a split level, it was not entirely clear before this rule came out how the Department of Defense viewed how this level would be split. Would the majority be self-assessments, or would the majority be third-party assessments? The feeling, just based on the language that they used, was that it would be majority third-party assessments, but when the rule — or proposed rule — came out, there was a vast difference between third-party and self-assessment: only 4,000 estimated self-assessments versus almost 77,000 third-party assessments. So DoD really views the default for Level 2 as being a third-party assessment, with only narrow cases requiring a self-assessment. And I do wonder, for those companies that are among those 4,000, whether they'll get a third-party assessment anyway, because that one contract may require a self-assessment, but the other contracts they're going for in that same area will require a third-party assessment. So that remains to be seen as the program rolls out, but it's very interesting to see DoD's view on that.

Third-party assessments, it's confirmed, will last for three years. That three years is not guaranteed, though. If a contractor makes a modification to an assessed system, they have to get recertified. So really, if there's merger and acquisition activity involved, then that will require a new assessment. Companies waiting on a third-party assessment may be competing with companies getting a second assessment. So for instance, if you wait a couple of years to get a third-party assessment, there may be some companies that have already gotten one. We're going to have to see how the community responds to that. But there may be a shortage of assessors and assessment organizations in the near term. And the hope is that the Department of Defense will recognize that and roll this out more slowly, if need be.

False Claims Act Risks Related to the CMMC

Of course, this rule, as we've been saying, poses enormous False Claims Act risk. We already see a large risk for contractors in the cybersecurity space just based on other activity that we've seen in some cases that the Department of Justice has intervened in. We will have a podcast about that coming up shortly. And the risk continues to grow when you take CMMC into account, because for each level, an affirmation is required to be filed with DoD, at least on an annual basis. Affirmations are required at other times as well. And DoD views those affirmations, as well as the CMMC program, as being material, which is an element for False Claims Act liability.

The Role of Managed Service Providers

Then we have managed service providers. They play a crucial role in the CMMC ecosystem, and this is especially true for small and medium-sized businesses. It's not entirely clear what MSPs will be required to do. Well, they would be required to get a Level 2 assessment. That's what the proposed rule said. We'll see if that continues into the final rule. I know DoD got a lot of feedback in that area. And small businesses have to do the very same thing that large businesses do, and that's get certified. The same is true for subcontractors. The same is true for companies outside the United States. These are all parties that will have to get assessed just like anybody else. So there are no exceptions, except for contracts under the micro-purchase threshold and except for COTS products, commercial-off-the-shelf products. So the vast majority of the defense industrial base will have to get some kind of CMMC assessment, whether it's a self-assessment or a third-party assessment.

CMMC's Impact on Government-Wide Acquisition Programs

Then the last thing to think about with this programmatic rule: it remains to be seen how it's going to be implemented on government-wide acquisition programs like the GSA schedule program and NASA SEWP, so we'll just have to see how that runs through those programs. Or maybe it's implemented on a task order basis. As I mentioned, this came out on December 26. Right now, DoD has already edited the proposed rule and resubmitted the final rule to the Office of Management and Budget (OMB), which is considering it right now. This is as of early September. I would expect that we'll see the final programmatic rule released sometime in the next 30 to 45 days, if not sooner. So, we should be on the lookout for that, and that will map out the entire program.

A Closer Look at the DFARS Title 48 Rule

Now, just having a programmatic rule does not mean that the program is implemented. We need to have a DFARS rule in order to implement the program into contracts, and that's the Title 48 rule. That rule — or proposed rule, I should say — came out on August 15, 2024, and comments are open until October 15, 2024. And this DFARS rule has some interesting things. One, they have prime contractors being required to ensure their subcontractors have the right CMMC level for the information that they have. Now, these prime contractors won't have access to the databases that DoD has access to, so there'll have to be something worked out between the prime and the sub to give the prime comfort that the subcontractor has the right CMMC level.

There's also this interesting thing in the rule — seemingly requiring additional incident notifications — where contractors have to notify the contracting officer within 72 hours when there are any lapses in information security. It's unclear exactly what a "lapse" may be. It also could be possible that this includes contractors holding federal contract information. And in that instance, if that's true, the universe of disclosure required to DoD is much broader than previously under the DFARS 252.204-7012 clause. So we'll have to wait and see how that plays out. Also, if there is a change in assessment, a change in level or something like that, contractors have to notify the contracting officer within 72 hours.

For international companies and systems, DoD has made very clear that this also applies to them. They're going to be held to the same standard as their U.S.-based counterparts. So if you are operating internationally, or you have a system that's international, that's going to have to be looked at overseas. It's really important to start looking at assessors that are capable of giving an overseas assessment and to understand if there are any restrictions from your home government in doing so. The time to start that is now, because it could be a longer process for overseas companies versus U.S.-based companies.

CMMC Implementation Timeline

Then we're looking at timing, of course. The programmatic rule was pretty specific on timing as to when things would happen. DoD notes in this rule that there'll be a phased-in approach. It's unknown, based on this rule, if that changes anything in the programmatic rule. But we should prepare for the possibility that by the end of the first quarter of 2025, I'd say, we will start seeing CMMC be required as part of performance in some DoD contracts. And when I say that, I mean the solicitations that will be bid on in the first quarter of 2025 will have a CMMC requirement. And I mentioned before, and I'll mention again, False Claims. This raises the specter of False Claims Act liability. Affirmations will have to say we're compliant and there have been no material changes to our system. So if there has been a material change to the system, that, of course, is going to require a new certification, and that means a new assessment.

And there is a second clause that will be coming out. So we have 252.204-7021 and then a new clause besides that, where DoD will notify offerors which CMMC level will be required for each information system that will store and process data. And this will probably raise some pre-award protests tied to DoD's categorization of those systems and of the level. So we'll have to see how that nets out. And they confirm the broad applicability of CMMC. So DoD confirmed that it's going to be applicable to contracts below the simplified acquisition threshold. [The] only exceptions are for contracts solely for the purchase of commercial-off-the-shelf items, COTS items, or contracts under $10,000, which is currently the micro-purchase threshold. So there's a lot of movement in this area. This is finally coming to fruition.

Potential Election Impacts on CMMC

I don't think the election's going to have much impact on CMMC. This is a program that was started under the Trump Administration, continued under the Biden Administration, albeit with some changes. So I expect that we'll largely see this push forward, because it's not as much a political football as maybe some other regulations are, like regulations focused on labor under government contracts.

Examining the National Institute of Standards and Technology's (NIST) Latest Revision to 800-171 and a New FAR Clause on CUI

So that wasn't the only thing, of course, that happened over the last nine months or so. We also have a new version of NIST 800-171 that came out this spring, and this is revision three. For those who are not familiar, DFARS 252.204-7012, which is a current requirement, requires compliance with NIST 800-171 revision two and all 110 controls within it. So revision three came out, and that caused an issue with some contractors, because the DFARS clause 252.204-7012 says that the version of NIST 800-171 that contractors must be compliant with is the one that is current at the time the solicitation is issued. That would mean that new contractors would have to be compliant with NIST 800-171 revision three right away. Now, DoD didn't like that outcome and, I think, made a good decision and issued a class deviation saying to contractors, "Look, let's just be compliant with revision two for now. We'll worry about revision three in the future. Everyone just get up to speed on revision two, and we'll deal with revision three in the future." Now, I think that is part of an effort to revise DFARS 252.204-7012. That revision is currently ongoing. As far as I can tell, that DFARS clause is being edited within the Department of Defense, and it's still there as of now.

We also have a new FAR clause that is going to come out, and it's at OMB right now. So it's at its last stop before being released, and it's called controlled unclassified information, CUI. It's going to require protection of controlled unclassified information in non-DoD settings. [It] doesn't say this in the description, but I strongly suspect it will require compliance with NIST 800-171 in civilian settings, so for instance, non-DoD contracts. That's at OMB right now. The expected release date for that proposed rule is October of this year, so we should see it very soon. Maybe when you're listening to this it has already come out. And we'll see if it does require compliance with NIST 800-171. And if it does, which revision of NIST 800-171 does it require?

Status of the Cybersecurity and Infrastructure Security Agency’s (CISA) Final Rule

Then the last thing I want to talk about that happened that was major — we could go on for hours about all the things that happened over the last nine months or so — but the last large thing that happened was a new rule from CISA, the Cybersecurity and Infrastructure Security Agency. There was a statute passed in 2022 after some cyber incidents called the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CIRCIA. That requires the reporting of cybersecurity incidents by some contractors and others too, but really folks in critical infrastructure, and it does bring in some defense sector contractors and IT government contractors also. This proposed rule was issued in early April. Comments were due already, and I expect that we'll see the final version of this rule sometime later this year or sometime next year. But what it requires is companies in the critical infrastructure space to report cyber incidents within 72 hours. And if they make a ransomware payment, they should report that within 24 hours of that payment. As I said, critical infrastructure companies are included in this requirement. That definition is very broad, so it includes defense and IT government contractors in a lot of instances.

There are exclusions to this rule for substantially similar reporting requirements. It's not clear which ones qualify at this time, and whether or not those substantially similar reporting requirements will include, for instance, the incident reporting required under DFARS 252.204-7012. In order to figure that out, those agencies have to get together and agree that one incident can be reported to one place instead of multiple places. As it is now, we are starting to see an issue where we could have one incident requiring multiple reports. There's a new FAR clause in the proposed rule stage that would require reporting of cybersecurity incidents. Of course, we have the DoD clause, and now we have a CISA clause, among others too — DHS and VA also have reporting requirements — so you could have multiple reporting requirements if you are a company that has had a cybersecurity incident. And I would just note that the definition of "incident" is not consistent among all the agencies. So something that's reportable in one place may not be reportable somewhere else. The kinds of information that are required to be provided are slightly different among all these reporting requirements, too, which could add to the confusion, especially in such a short time frame. And the time frames are different, and whether you have to report back at a certain interval is different as well. So there's a lot going on in that space too, the cyber incident reporting space.

Looking Ahead

And that's it on major updates for now. We have some really cool and interesting episodes coming up, so I hope you'll watch the feed for that. And this fall really promises to be a fall with a lot of developments. Of course, there's an election going on right now, which usually impacts the regulatory state. But I do think here we see regulations that are agreed to, for the most part, by both parties, so they're not so controversial. So, I expect we'll see DoD and civilian agencies marching forward on these requirements, and I look forward to discussing them all with you on the podcast in coming episodes. Thanks for joining.
