Bradley Arant Boult Cummings LLP
  November 11, 2024 - Birmingham, Alabama

Pentagon's cybersecurity rules reflect the growing threat from state-sponsored hackers
  by Eric D. Setterlund

On October 11, 2024, the United States Department of Defense (DOD) published a final rule implementing its Cybersecurity Maturity Model Certification (CMMC) program, which is designed to verify that defense contractors are adequately protecting sensitive information from cybersecurity threats.
 
The CMMC applies to contractors that process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), which covers most DOD contractors. The final rule is the culmination of a half-decade-long process and part of the federal government's response to recurrent and increasingly sophisticated cyberattacks targeting the defense industrial base.
 
While cybercriminals conducting denial-of-service and ransomware attacks are certainly a concern, the CMMC is designed chiefly to meet the rising threat from state-sponsored hackers attempting to pilfer defense technologies, plans, and intelligence in order to undermine our national security.
 
While Russia, Iran, and North Korea all pose cybersecurity risks to the nation's defense industrial base, the primary threat is from China. In February 2024 at the Munich Security Conference, FBI Director Christopher Wray noted "[t]he cyber threat posed by the Chinese government is massive. China's hacking program is larger than that of every other major nation, combined."
 
The DOD recognizes that vulnerabilities at smaller, downstream contractors give hackers a foothold in the supply chain from which they can move upstream toward prime contractors and the Pentagon itself.

A risk-based, three-tiered system

The CMMC program identifies three levels of progressively more rigorous cybersecurity standards based on the criticality of the information handled by the contractor.
 
Each level is keyed to security requirements published by the National Institute of Standards and Technology (NIST) and, depending on the level, is verified by a self-assessment, an assessment by a CMMC Third-Party Assessment Organization (C3PAO), or an assessment conducted by the DOD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
 
Level-1: Defense contractors that process, store, or transmit only FCI can obtain the most basic certification by complying with the 15 security requirements in the Federal Acquisition Regulation's (FAR) existing "Basic Safeguarding of Covered Contractor Information Systems" clause,1 each of which corresponds to a NIST SP 800-171 requirement. A self-assessment is sufficient to achieve CMMC Level-1.
 
Level-2: Defense contractors that handle CUI must comply with all 110 security requirements in NIST Special Publication 800-171 (Revision 2). Depending on what the DOD specifies in the solicitation for the sensitivity of the CUI involved, Level-2 requires either an annual self-assessment or a C3PAO assessment every three years, with an annual affirmation of continued compliance in either case.
 
Level-3: Defense contractors that handle CUI associated with a "critical program or high value asset" must meet all of the Level-2 requirements plus an additional 24 security requirements drawn from NIST's more advanced Special Publication 800-172. Level-3 assessments are not performed by C3PAOs; every Level-3 certification requires an assessment by the DIBCAC every three years, and a Level-2 C3PAO certification is a prerequisite.

Timing and implementation

Although the DOD has published the final rule describing the CMMC, the program is not expected to take effect until a related Defense Federal Acquisition Regulation Supplement (DFARS) rule is finalized, likely in mid-2025.
 
The related DFARS rule will set out how the CMMC requirements are to be incorporated into contracts and solicitations and, once final, will trigger a four-phase implementation schedule over the course of three years. In the meantime, publication of the final rule gives defense contractors a head start on developing and implementing CMMC-compliant programs.
 

Notable takeaways

A disproportionate impact on small business — Although arguably less complicated than previously proposed versions, industry groups are already highlighting the potential negative impact of the final rule on small businesses. Approximately 70% of the defense industrial base consists of small businesses that do not have the resources or expertise of prime contractors and large integrators but will still be required to meet the same cybersecurity standards, depending on the nature of the contract. The final rule states that a lower CMMC level may apply to a subcontractor if the prime flows down only limited information. However, if a prime contractor requires a Level-3 certification, then every subcontractor that receives CUI must hold at least a Level-2 certification based on a C3PAO assessment, not a self-assessment.
 
Contractors need to shine a light on their data — Because CMMC requirements are keyed to the category of data a contractor handles, it is imperative that companies understand the nature and extent of the CUI and FCI in their holdings, including where it is stored and which systems process it. Subcontractors should start communicating immediately with their prime contractors to determine the information categories, and therefore the CMMC level, that current and likely future DOD contracts will require.
 
Begin developing or revising corporate cybersecurity policies — Now is the time to begin preparing for the CMMC, not mid-2025. Defense contractors should be developing or revising internal cybersecurity policies to align with CMMC requirements, setting out clear roles and responsibilities within their organizations, and testing incident response plans. Contractors subject to Level-2 certification should begin working with C3PAOs now so that they are positioned to bid on CMMC-compliant contracts as soon as possible.
 
Consider privileged assessments of existing cybersecurity programs — By engaging qualified legal counsel to direct an assessment of cybersecurity policies and programs, companies may be able to rely on the protection of attorney-client privilege to mitigate the risk that negative assessment results are later disclosed.
 
Take advantage of government resources — The DOD has a vested national interest in ensuring that the defense industrial base is adequately protected from cyberattack. Federal agencies such as the Cybersecurity & Infrastructure Security Agency (CISA) offer free training and resources. Even the National Security Agency (NSA), best known for collecting foreign signals intelligence, offers free cybersecurity services, including Protective Domain Name System (PDNS) and Attack Surface Management, to DOD contractors. In coordination with the CMMC, the U.S. Army is also rolling out a new initiative to help small businesses meet the new cybersecurity requirements. Known as Next-Generation Commercial Operations in Defended Enclaves (NCODE), the pilot program will provide tools to protect sensitive data and reduce vulnerabilities.
 
Republished with permission. This article, "Pentagon's cybersecurity rules reflect the growing threat from state-sponsored hackers," was published by Westlaw Today on November 8, 2024.
 
Read full article at: https://www.bradley.com/insights/publications/2024/11/pentagons-cybersecurity-rules-reflect-the-growing-threat-from-state-sponsored-hackers