6/30/2023
The Biden Administration's Cybersecurity Requirements for Defense Contractors in 2023
By Dr. Jim Castagnera, Esq.
Partner, Portum Group International
IT and cybersecurity are booming sectors for government contractors in 2023. But cybersecurity is a double-edged sword. Defense contractors in particular are under pressure to harden themselves as targets. Late in 2021, the Department of Defense (DoD) released an updated version of the Cybersecurity Maturity Model Certification, CMMC 2.0. The enhanced “CMMC 2.0” program maintains the program's original goal of safeguarding sensitive information, while:
- Simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements;
- Focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and
- Increasing Department oversight of professional and ethical standards in the assessment ecosystem.
Together, these enhancements are touted as:
- Ensuring accountability for companies to implement cybersecurity standards while minimizing barriers to compliance with DoD requirements;
- Instilling a collaborative culture of cybersecurity and cyber resilience; and
- Enhancing public trust in the CMMC ecosystem, while increasing overall ease of execution.
Explaining the rationale, the Department asserted that the Defense Industrial Base “is the target of increasingly frequent and complex cyberattacks by adversaries and non-state actors. Dynamically enhancing DIB cybersecurity to meet these evolving threats, and safeguarding the information that supports and enables our warfighters, is a top priority for the Department. CMMC is a key component of the Department's expansive DIB cybersecurity effort.”
[https://www.defense.gov/News/Releases/Release/Article/2833006/strategic-direction-for-cybersecurity-maturity-model-certification-cmmc-program/]
On March 2, 2023, the Biden Administration released its “National Cybersecurity Strategy” with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.” The new strategy highlights the government’s commitment to investing in cybersecurity research and technologies, and highlights five “pillars of action”: 1) defending critical infrastructure, 2) disrupting and dismantling threat actors, 3) shaping market forces to drive security and resilience, 4) investing in a resilient future, and 5) forging international partnerships to pursue shared goals.
In regard to government contractors specifically, “Strategic Objective 3.5: Leverage Federal Procurement to Improve Accountability” states:
Contracting requirements for vendors that sell to the Federal Government have been an effective tool for improving cybersecurity. EO 14028, “Improving the Nation’s Cybersecurity,” expands upon this approach, ensuring that contract requirements for cybersecurity are strengthened and standardized across Federal agencies. Continuing to pilot new concepts for setting, enforcing, and testing cybersecurity requirements through procurement can lead to novel and scalable approaches.
When companies make contractual commitments to follow cybersecurity best practices to the Federal Government, they must live up to them. The Civil Cyber-Fraud Initiative (CCFI) uses DOJ authorities under the False Claims Act to pursue civil actions against government grantees and contractors who fail to meet cybersecurity obligations. The CCFI will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.
[https://www.governmentcontractslegalforum.com/2023/03/articles/cybersecurity/biden-administration-releases-comprehensive-national-cybersecurity-strategy/]
The CMMC framework has three key features:
Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
In September 2020, the DoD published an interim rule to the DFARS in the Federal Register (DFARS Case 2019-D041), which implemented the DoD's initial vision for the CMMC program (“CMMC 1.0”) and outlined the basic features of the framework (tiered model, required assessments, and implementation through contracts). The interim rule became effective on November 30, 2020, establishing a five-year phase-in period.
In March 2021, the Department initiated an internal review of CMMC's implementation, informed by more than 850 public comments in response to the interim DFARS rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation.
In November 2021, the Department announced “CMMC 2.0,” an updated program structure and requirements designed to achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Dynamically enhance DIB cybersecurity to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with DoD requirements
- Contribute toward instilling a collaborative culture of cybersecurity and cyber resilience
- Maintain public trust through high professional and ethical standards
[https://dodcio.defense.gov/CMMC/]
DoD expected the rulemaking process to be complete by March 2023, but according to MxD, a cybersecurity company:
Previously, CMMC 2.0 was anticipated to receive an “interim final rule” by the DoD in March 2023, published in the federal register. That would give manufacturers that contract with the DoD 60 days to comply with the new cybersecurity rules.
Instead, the requirements for CMMC 2.0 are anticipated to be published as a “proposed rule” which includes a 12-month review and comment period, giving manufacturers at least another year to provide feedback to the DoD and also to put the proposed rules in place for their businesses. The new rulemaking schedule tentatively shifts full implementation of CMMC to 2025.
[https://www.mxdusa.org/2023/04/03/cmmc-2-0-deadline-extended-to-2024-for-cmmc-2-0-implementation/]
However, MxD experts noted that the CMMC 2.0 Level 2 requirements may be delayed, but they are not going away.
With the implementation of CMMC 2.0, the DoD intends to allow companies to receive contract awards with a Plan of Actions and Milestones (POA&M) in place to complete CMMC requirements. The DoD's intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The DoD also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification.
The five steps suggested by the DoD are to:
- Educate people on cyber threats
- Implement access controls
- Authenticate users
- Monitor your physical space
- Update security protections
[https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF]
The “Zero Trust” Program for Federal Agencies
The federal government's “Zero Trust” cybersecurity program requires agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024 in order to reinforce the government's defenses against increasingly sophisticated and persistent threat campaigns. According to the Office of Management and Budget, “Those campaigns target federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in government.”
This strategy envisions a federal government in which:
- Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
- The devices that federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
- Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally, and can be made available to staff securely over the Internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
This strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication. OMB contends,
Without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks. This strategy sets a new baseline for access controls across the government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied. Tightening access controls will require agencies to leverage data from different sources to make intelligent decisions, such as analyzing device and user information to assess the security posture of all activity on agency systems.
[https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf]
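The OMB passage above describes an access decision that combines user identity, the strength of the authentication used, and the posture of the device making the request. The following Python is an added illustration written for this article, not code from OMB, DoD, or any agency, showing one way such a policy decision point can be structured. The signal names (enterprise-managed account, phishing-resistant versus one-time-code MFA, device enrollment and compliance, resource sensitivity tiers) and the thresholds used are assumptions chosen to match the memo's language, not values taken from M-22-09.

```python
from dataclasses import dataclass
from enum import Enum


class AuthMethod(Enum):
    PASSWORD_ONLY = "password"          # single factor: never sufficient
    OTP_MFA = "otp"                     # app/SMS one-time codes: still phishable
    PHISHING_RESISTANT = "fido2_or_piv" # FIDO2/WebAuthn or PIV/CAC smart card


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-authenticate with a phishing-resistant factor
    DENY = "deny"


@dataclass
class User:
    identity: str
    enterprise_managed: bool   # account lives in the consolidated agency IdP
    auth_method: AuthMethod    # strongest factor presented in this session


@dataclass
class Device:
    device_id: str
    enrolled: bool             # present in the agency device inventory
    compliant: bool            # passed posture checks (patched, encrypted, EDR running)
    last_checkin_hours: float  # age of the most recent posture report


@dataclass
class Resource:
    name: str
    sensitivity: int           # assumed tiers: 1 = low, 2 = internal, 3 = sensitive data


def evaluate(user: User, device: Device, resource: Resource,
             max_stale_hours: float = 24.0) -> tuple[Decision, str]:
    """Combine identity, authentication strength and device posture into one
    allow / step-up / deny decision. Every deny carries a reason so the
    decision can be logged and reviewed. Policy thresholds are assumptions."""
    # Identity checks: only enterprise-managed accounts reach internal resources,
    # and a bare password is never enough regardless of the resource.
    if not user.enterprise_managed:
        return Decision.DENY, "account is not enterprise-managed"
    if user.auth_method is AuthMethod.PASSWORD_ONLY:
        return Decision.DENY, "single-factor authentication is not accepted"

    # Device checks: unknown devices and stale posture data are treated as
    # untrusted rather than given the benefit of the doubt.
    if not device.enrolled:
        return Decision.DENY, "device is not in the agency inventory"
    if device.last_checkin_hours > max_stale_hours:
        return Decision.DENY, "device posture report is stale"

    # Resource-dependent checks: the more sensitive the data, the more the
    # decision demands from both the device and the authentication factor.
    if resource.sensitivity >= 3:
        if not device.compliant:
            return Decision.DENY, "non-compliant device cannot reach sensitive data"
        if user.auth_method is not AuthMethod.PHISHING_RESISTANT:
            return Decision.STEP_UP, "sensitive data requires phishing-resistant MFA"
    elif resource.sensitivity == 2 and not device.compliant:
        return Decision.DENY, "non-compliant device cannot reach internal resources"

    return Decision.ALLOW, "identity, authentication and device posture accepted"


def run_samples() -> list[tuple[str, str, str, Decision, str]]:
    """Evaluate a handful of constructed requests (sample data, not real users)."""
    requests = [
        (User("alice", True, AuthMethod.PHISHING_RESISTANT), Device("lt-01", True, True, 1.0), Resource("hr-records", 3)),
        (User("bob", True, AuthMethod.OTP_MFA), Device("lt-02", True, True, 2.0), Resource("hr-records", 3)),
        (User("bob", True, AuthMethod.OTP_MFA), Device("lt-02", True, True, 2.0), Resource("intranet-wiki", 1)),
        (User("eve", False, AuthMethod.PHISHING_RESISTANT), Device("byod-7", True, True, 0.5), Resource("intranet-wiki", 1)),
        (User("alice", True, AuthMethod.PHISHING_RESISTANT), Device("lt-01", True, True, 48.0), Resource("intranet-wiki", 1)),
    ]
    results = []
    for user, device, resource in requests:
        decision, reason = evaluate(user, device, resource)
        results.append((user.identity, device.device_id, resource.name, decision, reason))
    return results


if __name__ == "__main__":
    for identity, device_id, name, decision, reason in run_samples():
        print(f"{identity:6} {device_id:7} {name:14} -> {decision.value:8} ({reason})")
```

Note the ordering: identity and device signals are checked before the resource is even considered, so a compromised password or an unenrolled laptop is rejected the same way for a low-sensitivity wiki as for HR records, while the step-up path only appears where a phishable second factor meets sensitive data.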