Malicious cyber activity costs the U.S. economy billions of dollars every year. The federal government has recognized this threat to economic and national security. In recent years the federal government in general, and the Department of Defense in particular, has begun requiring prime contractors, subcontractors, manufacturers, suppliers, and any entity in its supply chain to implement certain cybersecurity standards. The most prominent of these requirements are NIST SP 800-171, Cybersecurity Maturity Model Certification, and "Section 889 Part B."
In 2016, the federal government required all federal contractors to comply with the standards set forth in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Among other requirements, the NIST SP 800-171 rule imposed a set of several "basic" security controls for contractor information systems on which "federal contract information" transits or resides, in particular any Controlled Unclassified Information/Covered Defense Information (CUI/CDI) data. As of November 2020, federal contractors must perform a self-assessment in the Supplier Performance Risk System (SPRS), which requires entry of a contractor's Commercial and Government Entity (CAGE) code. If a contractor does not have a CAGE code, it can be obtained either: 1) and a CAGE code will be assigned during processing; or 2) if the contractor does not intend to do business with the federal government, a request from the directly by completing the request online.
In 2019, the Department of Defense initiated the Cybersecurity Maturity Model Certification (CMMC). CMMC will be a "go/no go" requirement in all Department of Defense solicitations. The purpose of CMMC is to become the "unified cybersecurity standard" for all defense contractors, subcontractors, and any entity in the DoD supply chain. Under this model, defense contractors will be required to be certified by a third-party certifier (C3PAO) at one of five levels of cybersecurity in order to be eligible for contract award. The CMMC Accreditation Body is the sole authorized accreditation and certification partner for the CMMC program and C3PAOs. Initially, the timeline was roughly a year for all of the more than 300,000 contractors that do business with the Department of Defense to be CMMC certified. Later, DoD announced a phased rollout ending in 2025. However, in November 2021, after months of internal review, the Department of Defense announced significant changes to the CMMC program, now called CMMC 2.0. Among these changes are: reducing the number of companies that would require a third-party assessment, reducing the CMMC rating from five levels to three levels, suspending CMMC pilot programs until a final regulation is issued, allowing annual self-assessments for certain levels, and bringing back Plans of Action and Milestones (POAM). These changes were met with opposition from some stakeholders, who argue that they run counter to DoD policies and to President Biden's recent Executive Orders increasing cybersecurity reporting requirements for businesses. The association has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. DoD acknowledges the challenge of being 100% compliant with CMMC, but suggests that a firm's "policies, plans, processes, and procedures" may offset the need for full compliance.
The proposed CMMC 2.0 rule will go through the public notice and comment period, but a date has yet to be announced.
In 2020, the rule often referred to as "Section 889 Part B" went into effect. It prohibits federal agencies from entering into, extending, or renewing a contract with a contractor that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. In brief, Section 889 Part B prohibits contractors from using certain telecommunications equipment, mainly from Chinese companies such as Huawei and ZTE. The rule states that the prohibited "use" of the covered technology applies "regardless of whether the usage is in performance of work under a Federal contract." The rule is likely to expand the scope of this prohibition to apply to affiliates, parents, and subsidiaries of prime contractors.
The association recognizes the threat that malicious cyber actors pose and the need to better protect the federal government and the construction industry. The association is committed to working with the federal government to ensure that cybersecurity requirements are clear and consistent, reflect input from impacted stakeholders, and provide adequate lead time for compliance.
Government Resources
Association Resources
- WebEd: CMMC Overview with Katie Arrington
- WebEd
- WebEd Presentation
- WebEd: A Practical Examination of CMMC for Construction Contractors
- WebEd Recording
- WebEd Presentation
- WebEd: Cybersecurity - New Mandatory Requirements for Defense Contractors
- WebEd
- WebEd Presentation
- (11/20/2020)
- (9/14/2020)