Are you ready? The trend towards ever more prescriptive cybersecurity controls further reaches DOD contractors
October 24, 2024
Cybersecurity requirements continue to proliferate, both globally and within the US. Whether because of these new requirements or because of the escalating threat environment, companies should urgently consider assessing their current cybersecurity posture against existing and forthcoming regulations, as well as against the latest threats.
On October 11, 2024, the US Department of Defense (DOD) finalized its Cybersecurity Maturity Model Certification (CMMC) rule, which mandates cybersecurity requirements for nearly all DOD contracts. The CMMC is structured in three levels, with requirements scaling based on the sensitivity of information handled:
The CMMC level required for each contract will be determined based on the type and sensitivity of information, with requirements flowing down to subcontractors. Notably, contractors meeting at least 80% of Level 2 or 3 requirements can receive conditional eligibility with a Plan of Actions and Milestones (POAM) to comply within 180 days.
The rule will phase in over four years, with Level 1 and Level 2 self-assessment requirements beginning in the first year and full implementation anticipated within a few years. The DOD projects compliance costs of approximately $39 billion over ten years. This could significantly impact smaller companies, as achieving certification, particularly for higher levels, may require considerable financial and operational resources. Further, contractors will not be eligible to win contracts until they have achieved the appropriate CMMC certification.
This final rule reflects updates to the proposed rule, including an extended initial phase rollout. Additionally, External Service Providers (ESPs) used by contractors are no longer required to get their own CMMC assessment if they do not handle CUI. Further guidance on contract implementation will be published by mid-2025.
Contractors should consider urgently reviewing their cybersecurity measures and preparing now for compliance with the new CMMC requirements to ensure eligibility for DOD contracts, as the certification process is likely to be lengthy.
The rule finalization is indicative of a trend of increasing cybersecurity requirements and expectations. Also reflective of that trend is the issuance of new guidance on October 15 by the New York Department of Financial Services highlighting certain cybersecurity risks posed by artificial intelligence (AI), including AI-enabled social engineering and AI-enhanced cyberattacks.
While the guidance is not a new requirement and only applies to state-regulated financial institutions, it makes clear that NY DFS expects a reasonable, risk-based cybersecurity program to address emerging AI-driven cybersecurity risks. The cybersecurity risk assessments NY DFS already requires should now incorporate cybersecurity risks such as deepfakes, and address the organization’s own use of AI, AI used by third-party service providers and vendors, and potential vulnerabilities in AI applications. As with the DOD’s CMMC requirements and controls, we can expect NY DFS to update its cybersecurity regulations as technologies and threats evolve.