How CMMC poses legal risks for contractors and their suppliers

As a government contracts attorney and former contracting officer in the Departments of Defense and Homeland Security, Michael Gruden is in a unique position to assess the impact of DOD's Cybersecurity Maturity Model Certification program.

Gruden, who is now an associate at the law firm Crowell & Moring, is in constant contact with companies preparing to adopt the CMMC standard amid the increased focus on securing information systems and assets.

“Every day I hear from the major defense contractors struggling with the requirements and how they are being passed on to their subcontractors and suppliers,” Gruden said at the Washington Technology CMMC Summit Nov. 9. “Then later that same day I talk to the suppliers and manufacturers who say, ‘We don’t have the infrastructure. We have no compliance plans. We have no funding. How do we do that?’”

“That” refers to CMMC 2.0, the second iteration of a security standard DOD is developing to require defense contractors to meet security requirements for their networks and systems. The level a company must reach depends on how much sensitive government data it holds.

Gruden shared the legal implications and risks associated with CMMC. As many of the other speakers pointed out, defense contractors should not wait for the final rule to come out next year.

Contractors currently self-certify that their systems are secure. But despite the development of security standards over the past decade, there has been no mechanism for the Department of Defense to verify a contractor’s compliance.

“We still had data loss,” Gruden said, meaning self-certification just wasn’t working.

The draft rule is a good indicator of where the DOD is headed and how CMMC has changed from the original version to the second, Gruden said, adding three points that stood out to him.

CMMC 2.0 allows so-called plans of action and milestones, known by the acronym POA&M, which companies can use to document controls they have not yet fully implemented. These plans must state how the organization expects to achieve full compliance.

DOD has limited open POA&Ms to 180 days. This gives suppliers and manufacturers time to become CMMC certified as they work toward full compliance, but the plan is not yet in place.

“This is a remarkable change,” Gruden said.

A second change Gruden highlighted is that senior company representatives are the ones who self-certify and provide attestations of compliance.

If a violation has occurred but the company has affirmed compliance with the security standards, the company could be subject to claims under the False Claims Act.

“That could lead to significant recourse claims against a company, and we are talking about significant financial damage,” Gruden said.

At the same time, the Justice Department has launched a cyber fraud initiative targeting companies that fail to meet expected security standards.

Both CMMC’s senior executive attestations and the Justice Department’s cyber fraud initiative mean companies must meet new expectations.

“Now the government is saying that we expect you to stand by your word and that we can rely on that,” Gruden said. “If not, we have remedies that we can take.”

The third major change from the first version of CMMC to the second is a focus on cloud computing security.

“If you’re a government contractor handling controlled unclassified information (CUI) and you rely on an external cloud service provider to handle your CUI, you need to ensure that your CSP meets certain cybersecurity standards,” Gruden said.

The standards for cloud security differ from those on which CMMC is based, Gruden said. Cloud offerings must be certified through the FedRAMP authorization process or an equivalent, for example by documenting their security controls.

Cloud companies with direct government business must meet additional security requirements under the CMMC. They must conform to the DOD Security Requirements Guide.

Gruden sees the mention of cloud services in the CMMC 2.0 draft as significant.

“It tells me that CMMC is looking at compliance from a much broader perspective,” he said.

Echoing previous speaker Robert Metzger, Gruden emphasized that companies should not wait to start working on compliance issues.

“If you don’t work toward cybersecurity compliance now, you’re going to lag behind all of your competitors,” Gruden said.

According to Gruden, there are three clear things companies need to work on:

Corporate governance. The broad compliance team must include the chief executive, the head of business operations, IT executives, the chief security officer, general counsel, and human resources.

“You need everyone involved in the same room and everyone needs to be united and understand what’s at stake and what’s required to get the job done,” Gruden said.

Focus on company policies and procedures. Refine them if they exist and start developing them if they don’t, Gruden said. This is important because at some point an outside assessor will review the company’s policies and procedures to determine its CMMC level.

Action point number three is to understand your data and where it flows.

“If you can segment your CUI, you’re able to limit potential compliance issues,” Gruden said.
