Five things to remember about CMMC

The draft rule for how government contractors will protect their customers' information is long and dense, as it was two years in the making, but here are five things to keep in mind when putting together your comments.

The draft rule for the Cybersecurity Maturity Model Certification is a hefty 264 pages and lays out the Defense Department’s expectations for how government contractors will protect sensitive military data on their networks.

The rule has been in the works for two years and the draft holds few surprises, but there are several factors worth highlighting during the comment period.

Here are five things worth noting.

No quarter for small businesses

Complying with CMMC and earning a certification at levels two and three will be expensive and time-consuming. There had been some questions over whether there might be provisions for small businesses to get a waiver, or maybe an extension for when they need to comply.

But the draft offers no caveats or dispensation for small businesses. The requirements for protecting controlled unclassified information on networks are the same for companies of all shapes and sizes in the market.

DOD isn’t talking, but there is a certain logic to not giving small businesses a pass. Small businesses have some of the same sensitive defense and national security data on their systems as their much larger brethren.

If DOD gave small businesses a pass, adversaries would know the weak points to exploit.

Not having a different set of expectations for small businesses also is a clear signal of how seriously DOD takes the cybersecurity threat in the supply chain.

Onus on the primes

CMMC is all about supply chains, both in protecting data that can be stolen and for guarding against disruptions.

The draft rule makes it clear that prime contractors and their suppliers need to comply with CMMC rules.

DOD also makes clear that primes are to play the role of enforcer with their supply chain partners and make sure everyone is in compliance. The prime is whom DOD will hold accountable.

Requirements for managed services providers

The draft rule makes it clear that managed services providers and managed security services providers will have to comply with CMMC.

After that, things get a little vague. On one hand, MSPs and MSSPs should be included because contractors all across the market rely on their services for at least parts of IT infrastructures.

At the same time, these are primarily commercial companies providing a commercial service. I’ve heard whispers that some may leave the government market completely.

From how DOD writes about MSPs and MSSPs, this might be an area where the department is looking for comments. It also is an area where we’ll see changes in the final rule. The requirement won’t change, but we’ll get more clarity on how CMMC will be implemented.

The False Claims Act hammer

Something new in the draft CMMC rule is the affirmation requirements.

DOD says a “senior official from the prime contractor and any applicable subcontractor” will need to affirm continuing compliance with CMMC. The affirmations will happen after every assessment and then annually from then on.

Companies need to be aware of that and take it seriously. I’ve heard this referred to alternatively as a hammer and bludgeon that opens companies up to False Claims Act litigation risks if there are shortcomings in that affirmation.

Shortcomings open the door to legal action by the departments of Defense and Justice. They can mean real money for contractors.

This is another area that might benefit from detailed comments and questions.

Don’t delay

The deadline for comments is Feb. 26, exactly two months after the draft rule dropped. It might seem like a lot of time, but don’t wait until the last minute.

There might be plenty of things to gripe about, but the market is better served with constructive criticism. CMMC is not going to stop, so offer suggestions and constructive criticism. Not just complaints.

Editor’s note: Many of the thoughts above are ones I gleaned from covering CMMC over the last several years. Others come from Cyber AB’s town hall on CMMC held Tuesday and a soon-to-be released video interview I conducted with the Cyber AB's CEO Matt Travis and Eric Crusius, a partner at the law firm Holland & Knight who specializes in government contracts.