The Department of Defense (DoD) will establish uniform cybersecurity compliance standards for its defense contractors; and may permit contractors to treat as allowable, and therefore reimbursable, the costs of bringing their programs into compliance.

The costs of achieving compliance with the DoD cybersecurity requirements may be allowable in certain cases, as announced by Katie Arrington, Special Assistant to the Assistant Secretary of Defense. This is a welcome change, especially in view of expected changes in the DoD’s cybersecurity compliance requirements.

Under the Cybersecurity Maturity Model Certification (CMMC) Program, the DoD will establish uniform standards against which DoD contractors’ compliance will be measured. The standards are expected to include five “Maturity Levels” of required cybersecurity protections, from a level one of “basic cybersecurity hygiene,” which will be inexpensive and straightforward, to level five for “state-of-the-art” protections. Each DoD request for proposal (RFP) will specify which Maturity Level is required for the contract. Suppliers that do not meet the specified Maturity Level in the RFP will not be considered for the contract.

DoD believes that a very small percentage of its contractors now comply with the National Institute of Standards and Technology Publication (NIST) SP 800-171, which contains the standards on which DoD’s current cybersecurity requirements are based. Compliance with the standard will require certification by a third-party cybersecurity assessor; companies will no longer be allowed to self-certify that their cybersecurity practices are sufficient. CMMC will require defense contractors to get third-party audits of their compliance with the NIST SP 800-171 controls, down through their supply chains. CMMC may also incorporate additional cybersecurity frameworks in addition to NIST SP 800-171. The DoD expects third-party certifiers to begin their certification efforts in January of 2020.

Contractors whose cybersecurity protections do not meet the NIST requirements should consider implementing the NIST SP 800-171 standards now.

This alert does not purport to be a substitute for advice of counsel on specific matters.

Harris Beach has offices throughout New York State, including Albany, Buffalo, Ithaca, Melville, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as New Haven, Connecticut and Newark, New Jersey.