The Department of Defense (DOD) has finally promulgated its Final Rule (Rule) implementing the Cybersecurity Maturity Model Certification (CMMC) program, which goes ‘live’ on December 16th. There is plenty of content summarizing what the Rule is. Here, PilieroMazza attorneys offer their opinions on some of the practical effects, consequences, and strategies federal contractors can take away from the Rule and the DOD’s commentary. This blog touches on potential protest arguments flowing from the Rule, the Rule’s effect on small businesses and joint ventures, False Claims Act liability, and considerations for companies planning a future merger or acquisition (M&A).
Protest Arguments: Pre-Award and Post-Award
Obtaining the requisite CMMC level and uploading the attendant affirmation into the Supplier Risk Performance System (SPRS) will be a condition of contract award. The necessary CMMC level offerors must obtain will be identified in the solicitation. DOD Program Managers must consider several factors when assigning a CMMC level to a solicitation, including but not limited to:
- criticality of the associated mission capability;
- type of acquisition program or technology;
- threat of loss of the FCI or CUI to be shared or generated in relation to the effort;
- impacts from exploitation of information security deficiencies; and
- other relevant policies and factors, including Milestone Decision Authority guidance.
To the extent a contractor believes a CMMC status identified by an agency is too low (e.g., Level 1 instead of Level 2), too high (e.g., Level 3 instead of Level 2), or should be something different based on these factors, there may be a basis to file a pre-award protest challenging the solicitation’s CMMC status.
Once an award is made, the potential protest arguments are likely more limited. If a disappointed offeror has knowledge that the apparent successful offeror did not complete the required assessment or certification (as applicable), does not hold the minimum CMMC status, did not upload an affirmation into SPRS prior to award, or does not have the safeguards required by the assigned CMMC status, a post-award protest may be a viable route. Showing that the apparent successful offeror lacks the necessary CMMC status (or conditional status) would disqualify that offeror from the competition and could establish prejudice to the protester, depending on how the agency evaluated the protester.
Small Businesses
Many small businesses are concerned with the financial burden associated with CMMC compliance. DOD received many comments concerning the increased financial burden on small businesses implementing CMMC, as well as how those costs could lead to further barriers to entry and drive small businesses out of the DOD market.
DOD references CMMC’s effect on small businesses throughout the Rule and even appears to acknowledge that CMMC will negatively impact small businesses financially. Some commenters suggested certain flexibilities and carve-outs aimed at small businesses to minimize the burdens of CMMC implementation. Other commenters suggested that DOD reduce the financial burden on small businesses by providing certain tax incentives. Ultimately, DOD declined to accept many of these suggestions, explaining that it “must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors who process, store, or transmit FCI and CUI.”
Although DOD declined to accept many of these suggestions, DOD did, however, acknowledge the importance of small businesses to the DOD and stated that it has “streamlined CMMC requirements to align directly to NIST guidelines and has eliminated unique security practices to ease the burden on small companies.” Additionally, DOD explained that through its phased implementation of the CMMC program, DOD intends to minimize the financial impacts to defense contractors, especially small businesses. Lastly, DOD explains that the Rule reduces the burden on small businesses by implementing flexibilities with respect to self-assessments, Plans of Action and Milestones (POA&Ms), and waivers.
DOD notably received comments from the Chief Counsel for Advocacy of the U.S. Small Business Administration (SBA). In particular, SBA had concerns “with the ability for small businesses to meet and comply with the standards and timelines set out in the CMMC program without further clarification and guidance documents from the DOD.” Additionally, SBA had concerns that the Rule will “impose high cost of compliance on small businesses and any means to reduce the burden on small businesses will increase the participation of these impacted businesses.” While acknowledging the SBA’s concerns, DOD explained it is committed to enhancing CMMC training after the Rule takes effect and further pledged to reinstate outreach efforts specifically targeting small businesses to increase familiarity with CMMC requirements.
In sum, it appears that DOD acknowledges CMMC may disproportionately impact small businesses and is prepared to take some, albeit limited, actions to alleviate some of these financial burdens.
Joint Ventures
A common question is whether the joint venture entity or the individual members must obtain the requisite certifications or capabilities in response to solicitation requirements. Indeed, joint ventures are regularly unpopulated and generally utilize the personnel, systems, and certifications of their individual joint venturers. The SBA regulations require that when evaluating Mentor-Protégé Joint Venture (MPJV) business systems and certifications for offers on set-aside small business contracts, the procuring activity may not require the protégé firm to individually meet the same evaluation/responsibility criteria as that required of other offerors generally and that the MPJV partners, “in the aggregate,” must demonstrate the business systems and certifications necessary to perform the contract. 13 C.F.R. § 125.8.
With the above context, the DOD explained in the Rule’s commentary that “CMMC Program requirements will apply to information systems associated with contract efforts that process, store, or transmit FCI or CUI, and to any information system that provides security protections for such systems, or information systems not logically or physically isolated from all such systems. The identity of an offeror or contractor as a joint venture does not in and of itself define the scope of the network to be assessed.” According to the DOD, the joint venture member whose information system processes, stores, or transmits the FCI or CUI (including a protégé) will be required to have the requisite CMMC status. Thus, depending on which firm houses the information system, the solicitation’s CMMC status could require that the protégé firm meet the same responsibility criteria that other offerors generally must meet, potentially in contravention of the SBA’s regulations.
False Claims Act Liability
In recent years, the DOJ has prioritized cybersecurity and has used the False Claims Act (FCA) as its primary mechanism to do so under the department’s Civil Cyber-Fraud Initiative. Recently, contractors have been under a microscope as the DOJ continues to crack down on contractors who fail to comply with cybersecurity requirements and falsely state otherwise. With CMMC comes yet another avenue for significant FCA exposure, and contractors should be aware.
Under the Rule, a contractor must affirm, through its “Affirming Official,” that it holds the requisite CMMC level and complies with that level’s requirements, both when responding to solicitations and annually thereafter. Under the FCA, an affirmation or certification that is untrue when made can be actionable as a false statement. Contractors therefore risk FCA exposure by misrepresenting their compliance level or by submitting inaccurate self-assessments where self-assessment is permitted. As such, it is imperative that contractors conduct due diligence, ensure the Affirming Official is involved in all CMMC compliance efforts, and thoroughly review every affirmation for accuracy before it is submitted. Lastly, contractors should seek legal counsel early in the process to assist with CMMC compliance.
Mergers and Acquisitions
Most things in government contracts are connected in some way or fashion; the same holds true for CMMC. The CMMC Program will have a major effect on M&As for government contractors in the Defense Industrial Base. Self-assessments and certification assessments are valid for a defined CMMC Assessment Scope, with a CMMC Assessment Scope being the set of all assets in an entity’s environment that will be assessed against CMMC security requirements. If this Assessment Scope changes, a new assessment and attestation will be required. A merger or acquisition oftentimes affects the structural and architectural integrity of a company’s information technology (IT) systems, necessitating a change in the CMMC Assessment Scope.
If you are planning or undergoing any M&A activity, or even if you are investing in a federal contractor, make sure you are aware of all contractual requirements that will be going into effect, that the companies involved are in compliance with all such requirements of their contracts, and that there were no misrepresentations in bids or proposals, including to prime contractors. It is important to note that an IT architectural change could render a previous CMMC assessment or certification no longer applicable or valid, potentially making a company’s SPRS attestations inaccurate and causing it to be non-compliant with its DOD contracts.
Key Insights
- Contractors should carefully review all solicitations for CMMC requirements and, if they believe the CMMC status identified in a solicitation is not appropriate for the procurement, should challenge it by filing a pre-award protest. Any such challenge must be filed before the due date for receipt of proposals; contractors should not wait until after contract award to raise it. Additionally, if you do not win the contract, investigate whether the apparent awardee holds the minimum CMMC status, completed the required assessment or certification, uploaded an affirmation into SPRS prior to award, and has the safeguards required by the assigned CMMC status. If the apparent awardee fails any of these, you may be able to file a post-award protest.
- Although DOD acknowledges the financial burdens small businesses will likely encounter with CMMC compliance, the final rule does not address all of the concerns raised. While DOD has taken some actions to alleviate financial burdens for small businesses, there is still a lot more that can be done, such as tax incentives for small businesses.
- Joint ventures should be cognizant that each individual joint venture member that processes, stores, or transmits CUI or FCI must meet the requisite CMMC status. For MPJVs, irrespective of whether you are the mentor or protégé, as long as you will process, store, or transmit CUI or FCI, you will need to individually meet the requisite CMMC status.
- The CMMC program is fraught with FCA exposure, and the DOJ has taken notice—and contractors should, too. Contractors must ensure, before affirming compliance, that they have conducted due diligence and that their affirmation is accurate. Affirming Officials should be heavily involved with CMMC compliance.
- Lastly, before undergoing an M&A, contractors should consider the potential effects of the M&A on any pre-existing CMMC status. An M&A may affect the structural and architectural integrity of a company’s IT systems, necessitating a change in the CMMC Assessment Scope. This could result in any previous CMMC assessment or certification no longer being valid or accurate, further exposing contractors to potential FCA liability.
If you have questions regarding the Rule or CMMC generally, please contact Cy Alba, Daniel Figuenick, Joseph Loman, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups.
____________________
Looking for practical insights on gaining a competitive advantage through a deeper understanding of the government’s compliance requirements? Check out PilieroMazza’s podcasts “GovCon Live!” and “Clocking in with PilieroMazza.”