How CMMC raises legal exposures for contractors and their suppliers

As a government contracts lawyer and a former contracting officer from the Defense and Homeland Security departments, Michael Gruden has a unique perch to look at the implications of DOD's Cybersecurity Maturity Model Certification program.

Now an associate at the law firm Crowell & Moring, Gruden is in constant contact with companies looking to get ready for the CMMC standard's rollout amid the heightened focus on securing information systems and assets.

“On a day-to-day basis, I’m hearing from the large defense contractors wrestling with the requirements and how they flow down to their subcontractors and suppliers,” Gruden said at the Washington Technology CMMC Summit held Nov. 9. “Then later the same day, I’m talking to the suppliers and manufacturers, who are saying 'We don’t have the infrastructure. We don’t have the compliance plans. We don’t have funding. How do we do this?'”

"This” refers to CMMC 2.0, the second iteration of a security standard DOD is developing to require the defense industrial base to certify their networks and systems meet security standards. How high companies need to go depends on how much sensitive government data they contain.

Gruden shared of the legal implications and risks involved with CMMC. Like many of the other speakers emphasized, defense contractors should not wait until the final rule comes out next year.

Contractors currently self-certify that their systems are secure. But despite development of security standards over the last decade, there was no mechanism for DOD to verity a contractor’s compliance.

“We still had data spillage,” Gruden said, meaning that self-certification just wasn’t working.

The draft rule is a good indicator of where DOD is headed and how CMMC changed from the original version to the second, Gruden said, adding three items stood out to him.

CMMC 2.0 allows for so-called plans of action and milestones, known by the acronym POAMS, which let companies document controls they are not fully implementing yet. Those plans do have to state how companies expect to reach full compliance.

DOD has put a cap on open POAMS of 180 days. That time for suppliers and manufacturers to be CMMC-certified while they work toward full compliance, but the plan still must be in place.

“That’s a notable change,” Gruden said.

A second change Gruden highlighted regards how senior company officials are the ones who self-certify and submit attestations of compliance.

If there is a breach but the company certified their compliance with the security standards, the company could be open to False Claims Act lawsuits.

“That could bring significant recourse against a company, and we are talking significant monetary damages,” Gruden said.

At the same time, the Justice Department has launched a cyber fraud initiative that targets companies not meeting expected security standards.

Both CMMC’s senior executive attestations and the Justice cyber initiative mean companies have new expectations to meet.

“Now the government is saying that we expect you to stand by your word and that we can rely on it,” Gruden said. “If not, we have legal recourse that we can take.”

The third major change from CMMC's first version to the second is a focus on cloud computing security.

“If you are a government contractor that handles controlled unclassified information (CUI), and you are relying on an external cloud service provider to handle any of your CUI, then you are required to ensure that your CSP is meeting certain cybersecurity standards,” Gruden said.

The standards for cloud security are different than those for which CMMC is based on, Gruden said. Cloud offerings must be certified through the FedRAMP authorization process or via an equivalent means, such as by documenting  security controls.

Cloud companies with direct federal government business have yet another set of security requirements to meet under CMMC. They have to comply with the DOD security requirements guide.

Gruden sees the CMMC 2.0 draft's mention of cloud services as significant.

“What that tells me is that CMMC is looking at a much broader perspective of compliance,” he said.

Echoing earlier speaker Robert Metzger, Gruden emphasized that companies should not wait to start working on compliance issues.

“If you are not right now working towards cybersecurity compliance then you are going to be behind all of your competitors," Gruden said.

Three things are clear for companies to work on, according to Gruden:

Corporate governance. The broad compliance team must include the chief executive, head of business operations, IT leaders, chief security officer, general counsel and human resources.

“You need all the stakeholders in the same room and all have to agree and understand what is at stake and what’s required to get the job done," Gruden said.

Focus on corporate policies and procedures. Refine them if they are there and start developing them if not, Gruden said. This is important because at some point, a third-party assessor will look at the company's policies and procedures to assess the CMMC level.

Action item number three is to understand your data and where it flows.

“If you can segment your CUI, then are you are able to limit the compliance issues you might have,” Gruden said.