• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar

McCarter & English Logo

  • People
  • Services
  • Insights
  • Our Firm
    • Leadership Team
    • Social Justice
    • Diversity, Equity & Inclusion
    • Pro Bono
    • Client Service Values
    • Alumni
  • Join Us
    • Lawyers
    • Summer Associates
    • Patent Professionals
    • Professional Staff
    • Job Openings
  • Locations
    • Boston
    • Philadelphia
    • East Brunswick
    • Indianapolis
    • Stamford
    • Hartford
    • Trenton
    • Miami
    • Washington, DC
    • New York
    • Wilmington
    • Newark
  • Share

Share

Browse Alphabetically:

  • A
  • B
  • C
  • D
  • E
  • F
  • G
  • H
  • I
  • J
  • K
  • L
  • M
  • N
  • O
  • P
  • Q
  • R
  • S
  • T
  • U
  • V
  • W
  • X
  • Y
  • Z
  • All
Bankruptcy, Restructuring & Litigation
Blockchain, Smart Contracts & Digital Currencies
Business Litigation
Cannabis
Coronavirus Resource Center
Corporate
Crisis Management
Cybersecurity & Data Privacy
Delaware Corporate, LLC & Partnership Law
Design, Fashion & Luxury
E-Discovery & Records Management
Energy & Utilities
Environment & Energy
Financial Institutions
Food & Beverage
Government Affairs
Government Contracts & Global Trade
Government Investigations & White Collar Defense
Healthcare
Hospitality
Immigration
Impact Investing
Insurance Recovery, Litigation & Counseling
Intellectual Property
Labor & Employment
Life Sciences
Manufacturing
Products Liability, Mass Torts & Consumer Class Actions
Public Finance
Real Estate
Renewable Energy
Sports & Entertainment
Tax & Employee Benefits
Technology Transactions
Transportation, Logistics & Supply Chain Management
Trusts, Estates & Private Clients
Venture Capital & Emerging Growth Companies
  • Broadcasts
  • Events
  • News
  • Publications
  • View All Insights
Search By:
Insights News Printing News
Main image for Getting Started with CMMC: How to Prepare and What to Expect from the Assessment
News|Quote

Getting Started with CMMC: How to Prepare and What to Expect from the Assessment

Cybersecurity Law Report

2.3.2021

Growing concerns around supply chain threats have led to the DoD’s increased regulatory focus on strengthening and securing the federal supply chain with the Cybersecurity Maturity Model Certification (CMMC) framework. Current and prospective contractors should be preparing now for compliance with the framework, which requires a third-party cybersecurity audit and certification by 2025 (earlier for some) as a prerequisite to doing business with the DoD.

Also touting the value in conducting a “self-assessment to get an understanding of where the company thinks it is,” McCarter & English partner Alexander Major opined that companies in the Level 3 or 4 space should enlist a vendor “to come out and just kind of check their math.” While he recommends that all companies at Levels 3 and 4 (explained in more detail in part one) should seek third-party assistance, he noted that many companies, especially small- to medium-sized ones, face the challenge of having a very savvy IT department, but not necessarily a very savvy IS department. “That can become problematic if the IT department says it implements certain controls but there is no one to push back on that, or double check the systems.” In those instances, it is helpful to have a third party come in to check that the necessary controls and procedures are in place, he advised.

For companies that have not been part of the government contractor space yet, a very basic starting point for getting into the space would be to “meet the requirements of NIST SP 800‑171, and ensure that the company is scoring above 100 in the DFAR 7020 assessments. That should be where the company is targeting,” advised Major.

Major cautioned, however, that “a lot of companies tend to view NIST SP 800‑171 as a race that starts at mile 0, but it’s actually a race that starts at mile 10.” NIST SP 800‑171 is built on assumptions, set forth in the appendix, that companies already have an incident response plan and other policies and procedures in place, he explained. What many contractors also may not realize, he pointed out, is that NIST SP 800‑171 addresses confidentiality, “but to have robust cybersecurity you also need to make sure that your data integrity and data availability is protected.” NIST SP 800‑171, for example, does not contain a requirement for companies to back up their data. It only requires that if a company does back up its data that it also secures it.

CMMC Levels 1 and 2 build in the NIST SP 800‑171 assumptions, requiring companies have those plans, policies and procedures in place before they get to Level 3, Major noted. Levels 1 and 2 not only require data safeguards, but also necessitate steps to back up data, protect access to it, and ensure that if it is altered, it can revert back. “That is a benefit of CMMC – it fleshes out robust cybersecurity, not just the safeguarding component,” he opined.

Many of the companies that already have a contract with the DoD with a DFARS 7012 clause likely qualify or are close to qualifying for Level 3 certification, Major suggested. They should examine the CMMC standards and create an assessment to see what additional steps they will need to take, which is basically the equivalent of a POA&M (plan of action and milestone), to satisfy the additional 18 elements of Level 3. Likely, they “will just have to fill in some of the blanks on the NIST SP 800‑171 appendix assumptions that they might not have operationalized.”

From a business practicality standpoint, companies also should “examine what is inherent in Level 4 that makes sense and is within reach,” because, Major predicted, “there’s going to be a lot of fallout due to the SolarWinds breach,” and that may prompt DoD to “require the enhanced security requirements of NIST 800‑171B, which will be found in CMMC Level 4,” for companies that are “working on high-profile or novel weapon systems, or are tangentially connected to operational missions.” Those companies could find their current DFARS 7012 contract including a Level 4 or higher requirement and should “definitely begin prepping or understanding the path from Level 3 to Level 4, and then maybe start doing cost estimates for what that will entail,” he suggested.

Given the time that compliance can take, companies should start down that path now and not rely on the fact that certification is required at the time of the award and not when the proposal is submitted, Major advised. Putting a proposal together is also expensive, he noted, so a company does not want to find itself in a position where it put together a proposal for a job it cannot fulfill because it is not at Level 4 and it cannot be certified at Level 4 for another six months. “Generally, you may not know when these draft RFPs are going to come out with a Level 4 requirement but when they do, you want to be in a position to say you can meet those requirements,” he stressed.

MORE INFORMATION (subscription required)

sidebar

pdfemail

Related People

Media item: Alexander W. Major
Alexander W. Major

Partner

Related Services

Government Contracts & Global Trade
Subscribe to our Insights
McCarter & English, LLP
Copyright © 2023 McCarter & English, LLP. All Rights Reserved.
  • Login
  • Attorney Advertising
  • Privacy
  • Awards Methodology
  • Contact
  • Subscribe
  • Sitemap

The McCarter & English, LLP website is for informational purposes only. We do not provide legal advice on this website. We can provide legal advice only to our clients in specific inquiries that they address to us. If you are interested in becoming a client, please contact us, but do not send any information about your specific legal question. We cannot serve as your lawyers until we establish an attorney-client relationship, which can occur only after we follow procedures within our firm and after we agree to the terms of the representation.

Accept Cancel