
Heightened Cybersecurity (CMMC) Requirements in Federal Contract Solicitations Counsel Advance Preparations

The General Services Administration (GSA) is beginning to insert Cybersecurity Maturity Model Certification (CMMC) provisions in federal contract solicitations, another indication that the transition toward a more robust set of supply chain security requirements is underway. The GSA recently included CMMC language in several governmentwide acquisition contracts, including the Polaris draft request for proposals to provide customized IT services and IT services-based solutions. The GSA’s approach at this point has two notable elements worth highlighting.

First, the GSA intends at this stage to introduce the CMMC requirements in the contract task orders on a case-by-case basis, rather than at the broader contract level. In particular, the applicable CMMC level (i.e., Maturity Levels 1-5) will be specified order by order. Applying the CMMC requirement to individual task orders issued under the contract, instead of across the contract as a whole, should give the GSA more time to balance its acquisition priorities and give contractors more time to prepare, recognizing that contractors will need time to obtain CMMC certification (which is not yet possible). In the meantime, the GSA's advice to the Polaris contractors is helpful counsel for others as they prepare for the CMMC:
  1. Determine whether your company receives federal funds from the Defense Department either as a prime contractor or indirectly via subcontracts, purchase orders, or other contractual agreements. If so, be prepared to obtain a Maturity Level 1 certification at the minimum.
  2. Determine whether your company currently or in the future expects to electronically process, store, or transmit Controlled Unclassified Information (CUI) in the performance of military contracts. If so, you should be prepared to obtain at least a Maturity Level 3 certification.
  3. Review your company’s current compliance with NIST SP 800-171 Rev 1 in relationship to your expected CMMC level requirements. Begin drafting a System Security Plan (SSP) in accordance with NIST SP 800-18 Rev 1. If you currently have a Plan of Action and Milestones (POAM) in place or identify additional concerns, dedicate appropriate resources to ensure progress is being made to close any gaps as quickly as possible. Review Draft NIST SP 800-172 for enhanced security requirements to improve cybersecurity maturity capabilities as applicable given the CMMC level you intend to attain.
  4. Review your company’s current compliance with NIST SP 800-161 to include the establishment of a Supply Chain Risk Management (SCRM) Plan.
  5. Conduct due diligence on your subcontractor base, as CMMC and SCRM requirements may flow down to subcontractors, including commercial item subcontractors. It is expected that consent-to-subcontract decisions at the task order level may take a subcontractor's CMMC Maturity Level into account.
  6. Participate in SCRM and/or CMMC workshops.

Second, and looking further down the road, the GSA indicated the CMMC may also be used as “a baseline for civilian acquisitions”; currently it is applicable only to certain Defense Department contracts. Consequently, the GSA recommended “that contractors wishing to do business on Polaris [should] monitor, prepare for and participate in acquiring CMMC certification.”

Ice Miller has extensive experience with cybersecurity requirements and military contract compliance and can assist you with implementing CMMC requirements. Our team includes Guillermo Christensen, managing partner of the Firm’s Washington DC office and a former CIA officer with almost 20 years of national security experience in the intelligence community, the FBI and the State Department; and Christian Robertson, a former US Air Force intelligence officer who regularly advises clients on government contract matters.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.