January/February 2021 - 103

BRIAN S. WOOD, PARTNER,
AND ALEXANDER GORELIK,
ASSOCIATE, SMITH CURRIE

LEGALLY SPEAKING

New Cybersecurity Requirements for
Government Contractors
Cybersecurity is a growing concern for most businesses.
Cybersecurity Ventures, a leading cybersecurity research
firm, predicts that, by 2021, malicious hackers will mount an
attack against a business every 11 seconds. Some of these
attacks have been orchestrated by foreign governments and
their state-sponsored agents, according to data from the
Center for Strategic & International Studies.
The Department of Defense (DoD) considers cybersecurity
threats a major concern and, for several years, has promised
more stringent requirements for contractors doing business
with DoD to confront this concern. On September 29, 2020,
DoD delivered on those promises by releasing an Interim Rule
on cybersecurity.
The Interim Rule establishes a two-pronged approach to
cybersecurity. The two prongs are DoD assessments of contractors'
compliance with the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-171
Standards, and the Cybersecurity Maturity Model
Certification (CMMC) Program. Most DoD contractors will
likely have to undergo a NIST SP 800-171 assessment before
obtaining a CMMC certification, as DoD plans to incorporate
the CMMC requirements into solicitations and contracts
incrementally over the next 5 years (through October 1, 2025).
Both programs, however, will apply broadly. The Interim Rule
indicates that the DoD will incorporate each of these
requirements into all DoD solicitations and contracts, with
the exception of contracts for goods and/or services below the
micro-purchase threshold (currently, $10,000); or the
acquisition of commercially available off-the-shelf ("COTS")
items. Importantly, these rules will apply to subcontracts on
DoD projects, and contractors will be obligated to ensure
subcontractor compliance.
As the requirements will apply to and affect many
geotechnical contractors and subcontractors on U.S. Army
Corps of Engineers (USACE), Naval Facilities (NAVFAC), and
other DoD projects, such contractors are well advised to
understand and distinguish between these two sets of
requirements for cybersecurity. An outline of the
requirements is as follows:

More information about the new cybersecurity
requirements can be found at DoD's website:
https://www.acq.osd.mil/cmmc/index.html.

NIST SP 800-171 Assessment
* DoD's NIST SP 800-171 assessments are an effort to verify
  contractor compliance with pre-existing requirements for
  DoD contractors in the Defense Federal Acquisition
  Regulation Supplement (DFARS) 252.204-7012,
  Safeguarding Covered Defense Information and Cyber Incident
  Reporting, which ordered contractors to comply with NIST
  SP 800-171. DFARS 252.204-7012 establishes requirements
  for "adequate security," reporting cyber incidents,
  preserving records of affected systems, performing
  damage assessments and taking other measures to
  safeguard cyber systems.

* NIST compliance assessments are required for any new
  and applicable solicitations and contracts beginning on
  December 1, 2020.

* DoD will require contractors to have one of three types of
  NIST assessments: basic, medium or high. While most
  contractors will be required to perform basic assessments
  of their systems themselves, DoD will select certain
  contractors for higher-level assessments to be performed
  by DoD. These DoD assessments may be performed through
  the Defense Contract Management Agency (DCMA).

* Regardless of the assessment level DoD requires, the results
  of any assessment will be reported in the Supplier
  Performance Risk System (SPRS). The results for each
  assessment will generally stay current for a period of
  three years.

Cybersecurity Certification
In addition to the NIST SP 800-171 assessments, DoD will
require federal contractors to put into place and utilize the
Cybersecurity Maturity Model Certification (CMMC)
Framework, new cybersecurity practices and processes
intended to protect federal contract information (FCI) and
controlled unclassified information (CUI) residing on
contractors' networks.
This framework categorizes cybersecurity best practices
and processes into five "maturity" levels, each with a
different focus. For example, Level 1 focuses on the protection
of FCI and consists only of basic safeguarding requirements.
Level 5, on the other hand, includes advanced, proactive and
sophisticated capabilities and practices to protect CUI from
advanced persistent attack. In general, note that:
DEEP FOUNDATIONS * JAN/FEB 2021 * 103

