Defense Contractors Get Ready: DoD Close to Unveiling New Cyber Certification Program

The Department of Defense (“DoD”) recently announced that a new cybersecurity standard and certification program for defense contractors, the Cybersecurity Capability Model Certification program (“CCMC”), is currently under development and nearly ready for deployment.

Of course, being mindful of cybersecurity should be nothing new for companies contracting with the DoD (or subcontractors of those companies).  After all, for the past several years, contractors working for the government have been bound by the Defense Federal Acquisition Regulation Supplement (“DFARS”), which generally requires the safeguarding of sensitive, unclassified information and the reporting of breaches involving such information. 

But the CCMC is expected to bring new requirements and additional layers of complexity to the table.  Most notably, CCMC will require anyone wishing to contract with the DoD to undertake a cyber audit, the results of which will be measured against the program’s five-level cybersecurity maturity model.  The levels will serve as minimum benchmarks that contractors must meet in order to bid on DoD projects.  If a contractor’s certified maturity level falls below the one required for a particular contract, that contractor cannot bid on the project.  Moreover, companies will not be able to self-certify: the required audits must be completed by independent, third-party firms, which raises potential confidentiality and privilege concerns.

Additional information pertaining to CCMC, including a DoD website containing FAQs, is expected within the coming months.  In the meantime, Pentagon officials have already started to make the rounds to familiarize the industry with what is coming down the pike.  With a launch of the new program expected in January 2020, defense contractors should be preparing themselves now for what’s ahead.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2022 Harter Secrest & Emery LLP