Interview transcript:

Terry Gerton Well, the CMMC memo that was in the works for five years has finally come out in its final form. Was there anything new in this, or is it just what people should be expecting?

Eric Crusius So the rule didn’t change very much as to what people were expecting. Like you said, this has been in the works for a long time. The CMMC program I think was first talked about in 2018 or so or 2019, but it really took its final, its current form about five years ago. And what the effect of this rulemaking is, is that now the CMMC program, which they’ve worked so hard to establish, can now be put into contracts. So the effective date of the rule will be November 10th, most likely. So that way, starting November 10th, contracts can start having CMMC in them, and that will require self and third-party certifications for companies for their cybersecurity standards. To answer now finally your question, there are a couple of interesting changes. The first is, this isn’t an automatic that CMMC will be in every contract starting on that date. The program office will review whether CMMC is appropriate for that contract, and then put it in the contract if they feel like it’s appropriate. That’s going to be what’s going to happen for the next three years or so. And that’s interesting because there was an assumption that it would be every contract, but I think they’re doing that because there’s a little strain on the marketplace itself right now. There are just 75, 80 companies that are capable of doing third-party assessments. And by DoD’s own estimates, there are more than 100,000 companies that need a third-party assessment. So if you required that anytime soon, the way the CMMC program was thought to ramp up, that would be required starting in a year, but even in a year, there’s not enough capacity to kind of get those companies through an assessment. So kind of this slower rollout could be helpful, but at this point at least, DoD has not identified which programs will have a CMMC requirement in them.
So if I’m a contractor and I have a contract that’s coming up for bid that’s important to me in six months, I’m not going to assume it’s not going to be CMMC. So I’m going to go ahead and get myself certified so that way I’m safe and I’m protecting my business. And I bet a lot of other companies in that position will feel the same way. There was also one other kind of interesting kind of nugget from the rule where the proposed rule had a requirement that if a company fell, essentially fell out of compliance or they got assessed successfully and then their system changed and that threw into doubt whether that assessment was still valid, they had to tell the contracting officer within 72 hours. That requirement is now gone from the final rule. They don’t have to tell a contracting officer within 72 hours, but that doesn’t take away the requirement that they are continuously positively assessed. So they still have a duty, I would see the government arguing, to still do something about it, even if there isn’t a notification requirement in that instant. There’s still an affirmation process that’s required. They still have to get recertified. All those protections that are in place are still there, but the actual having to go to tell the contracting officer within 72 hours is not there. I could see that creating like a little bit of a False Claims Act trap, maybe, because you are taking this government money and you’re not compliant. So we’ll see where that kind of nets out, but for now, that requirement’s gone.

Terry Gerton So there were probably a lot of contractors thinking this final rule would never come out, right?

Eric Crusius Right.

Terry Gerton Now it’s out, what do they need to do?

Eric Crusius There have been a lot of naysayers out there and I understand where they’re coming from. We had CMMC 1.0, the government kind of stepped back from that and put out CMMC 2.0. And the messaging behind that, I think, led a lot of people to believe that this would never happen, and now, like you said, it’s here. And for companies that have thought it would never come, there’s a lot of catch up to do. First of all, CMMC is just a verification program. So a company should already be implementing these cybersecurity controls, CMMC is just a way to verify it. So to the extent that they’re not implementing these controls, they need to go back and really double down on that effort. And two, they should understand what CMMC is and the marketplace that’s there to help them get to a point. CMMC is not like a solo adventure. There are a lot of companies that are out there, legitimate companies that can be very helpful to get companies to the right place so they can accelerate what they’re trying to do. And do it for a reasonable price. I mean, I think that’s a big criticism of the program, it’s going to impact small businesses. That criticism is not unwarranted, but there are fairly economical alternatives out there where you’re not kind of building your own bespoke system. So I think there’s a lot that companies can and should do at this point.

Terry Gerton I’m speaking with Eric Crusius. He’s partner and government contracts practice chair at Hunton Andrews Kurth. Well, let’s pull that string a little bit, both on the cost of the credentialing and the timeline for it. If there are only 75 or 80 firms out there who can do this attestation, you better get in line pretty quick, right?

Eric Crusius That’s right. And I think, and I’ve been telling clients that for a long while now, even if you’re not ready to get assessed tomorrow, get on somebody’s list so you reserve a spot for next summer, even, because some companies are booking out that far right now where they’re six, nine months ahead. So I think that’s very wise to say that because when you think about it, they say this in the rule a few times, if there is a CMMC requirement in the rule and you’re not assessed properly or have the level of assessment needed, whether it’s a self-assessment or a third-party assessment, you’re not going to get the contract award. You just won’t be eligible for award. There’s one interesting thing, kind of a wrinkle in the rule, which I haven’t kind of smoothed out yet in my own head at least anyway, but maybe a listener will. An interesting thing is that it says you have to be assessed or certified upon award. So right before the award, the DoD contracting officer, I presume, would check the Supplier Performance Risk System and see, alright, what level assessment does this contractor have? If it’s what is necessary in the solicitation, good to go. If it’s not, there’s a problem. The interesting thing is they have a few references in the rulemaking to talk about, well, you have to submit the unique identification number of your system to show that it’s assessed when you put in your proposal. That’s a different timeline than upon award. So if a company is in the process of getting assessed when they put their proposal in, they won’t have a unique identification number. They shouldn’t, anyway. But they would have it by the time the award is made, because as you know, probably too well, sometimes this process can take a while between solicitation and award, and that may be enough time for companies who are not yet there to get there. So I’ll have to see how that works out, but that’s an interesting kind of wrinkle in it.

Terry Gerton Where TBD goes into that, that’s based on the form. Well, how does this fit in now with DFARS? Is there implementation direction that people should be expecting to come out in DFARS that really ties all of this together?

Eric Crusius I would think so. So we have this rulemaking, it’s going to go into contracts. There’s going to be a lot more, I think, guidance that DoD puts out. And I’m referring to it as DoD, by the way. I know there’s been a rename to Department of War. In the rulemaking they refer to themselves as DoD, so I’m using that nomenclature right now. But as far as DoD is concerned, I think they’re going to issue a lot more guidance in this to help companies along the way, and it sounds very self-centered to say this, but contact your local government contracts lawyer, too. Most government contractors have their own GovCon counsel. Reach out to those folks and get advice on what to do as well.

Terry Gerton So as elements in DoD start to issue contracts with the CMMC clause in them, what should they be thinking about in terms of managing compliance throughout the whole supply chain?

Eric Crusius I think that’s a really great point. The supply chain is where a lot of companies are going to struggle. It’s one thing for you to ensure you get your own CMMC assessment that you need, whether it’s a level one, whether it’s a level two third party. But most companies, if not all of them in the DoD space, are reliant on subcontractors and suppliers, and having them kind of get to the point where they’re ready is going to be a different story. A lot of this kind of implementation of CMMC is not going to be driven by the government, it’s going to be driven by large prime contractors that are trying to get their supply chains there so that they don’t lose a billion-plus-dollar contract because a subcontractor two levels down doesn’t have the right assessment. And there’s going to be a lot of pressure on those larger primes, and even smaller primes too, to manage that and to understand where’s my supply chain and how do I ensure that they’re there and which kind of information should I give them, because if I give them less information maybe they need less of an assessment. So there’s all those factors that come into play that will be really fascinating.

Terry Gerton Is there going to be any training for contractors on this? Or does DoD sort of feel like this is all water under the bridge and you just ought to know how this is going to roll out?

Eric Crusius There’s a little bit of both on the substantive part of it. I think DoD feels like, hey, these security controls have been around for a long time, you should know what to do. But they have put out training. Defense Acquisition University, they wrote this in a press release, has training that’s already out there on CMMC that I think is available to the general public. I’ll just say a lot of lawyers and non-lawyers alike have put out training too. Just check the source and check to make sure of it, trust but verify kind of thing. So there’s a lot of free resources out there and that should help companies through this.

The post With the issuance of the final CMMC rule, contractors brace for audits, assessors, and aspirin first appeared on Federal News Network.