Heads up, federal contractors: DoD has announced “CMMC 2.0” with significant changes to program structure and requirements, including expanded self-attestation that heightens False Claims Act exposure.
DOD REVAMPS CYBERSECURITY MATURITY MODEL CERTIFICATION (“CMMC”)
ROBUST ENFORCEMENT LIKELY USING THE FALSE CLAIMS ACT
CMMC Program Overview
The CMMC program enhances cyber protection standards for companies in the Defense Industrial Base. It is designed to protect sensitive unclassified information that is shared by the Department of Defense (“DoD”) with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides DoD increased assurance that contractors and subcontractors are meeting these requirements. The framework has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets out the process for flowing information down to subcontractors.
- Assessment Requirement: CMMC assessments allow DoD to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
In September 2020, DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented DoD’s initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
In March 2021, DoD initiated an internal review of CMMC’s implementation, informed by more than 850 public comments in response to the interim DFARS rule.
On November 4, 2021, DoD announced “CMMC 2.0,” an updated program structure and requirements. With the implementation of CMMC 2.0, DoD is introducing several key changes to the original program requirements. These include:
- Streamlining the CMMC model from 5 to 3 compliance levels.
- Better alignment of the CMMC model with NIST cybersecurity standards.
- Allowing all companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessments.
- Increasing oversight of third-party assessors.
- Allowing waivers to CMMC requirements, as well as Plans of Action & Milestones (POA&Ms) to achieve certification, under certain limited circumstances.
The changes reflected in CMMC 2.0 will be implemented through the rulemaking process. Companies will be required to comply once the forthcoming rules go into effect. While these rulemaking efforts are ongoing, DoD intends to suspend the current CMMC Piloting efforts and will not approve inclusion of a CMMC requirement in any DoD solicitation; however, DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period.
CMMC and the False Claims Act
We wrote earlier that enforcement of the CMMC is likely to occur by way of the False Claims Act (“FCA”). Recent developments at the Department of Justice (“DOJ”) confirm this. On October 6, 2021, DOJ announced the Civil Cyber-Fraud Initiative to combat cyber threats to sensitive information and critical systems of the United States Government. Deputy Attorney General Lisa Monaco made clear that a primary focus of the Initiative is to police government contractors and ensure that they are protecting government information and infrastructure and promptly reporting any cybersecurity incidents or data breaches. Deputy Attorney General Monaco stated:
“[W]e will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard . . . [the] public trust.”
According to the DOJ Office of Public Affairs, the Civil Cyber-Fraud Initiative
“will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” “The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.”
The new CMMC 2.0 model arguably heightens contractors’ FCA exposure beyond that presented by CMMC 1.0. For example, because CMMC 2.0 will permit many DoD contractors to self-attest to their implementation of NIST cybersecurity practices, companies that self-attest and are subsequently discovered not to be in compliance may well find themselves facing a devastating FCA lawsuit for fraudulent certifications.
Ward & Berry assists federal contractors in establishing and maturing corporate compliance programs to maintain legal and contract compliance and reduce such exposure. Please contact us if you are interested in learning more.