2023 promises to be a pivotal year for cybersecurity in government contracts. Besides the implementation of the Cybersecurity Maturity Model Certification (CMMC) program, new regulations are coming for civilian contractors, including new cybersecurity regulations from the U.S. Department of Homeland Security (DHS). Further, an update to a key standard, the National Institute Standards and Technology (NIST) Special Publication (SP) 800-171, is expected in 2023. This will impact CMMC and current U.S. Department of Defense (DOD) regulations including Defense Federal Acquisition Regulatory Supplement (DFARS) 252.204-7012, 252.204-7019 and 252.204-7020.
The center of all of this is the definition of Controlled Unclassified Information (CUI). The definition of CUI dictates contractor and government obligations under CMMC and various DOD regulations and forthcoming civilian requirements. The 2022 National Defense Authorization Act (NDAA) required the clarification of the definition of CUI, which we should also see in 2023.
The 2023 NDAA also contains updates to cybersecurity requirements and priorities, which we will cover at a later date. With that, let’s take a look at what to expect in the coming year.
New Civilian Requirements
DOD contractors that process, store, create or transmit CUI have long had to comply with the standards outlined in NIST SP 800-171. On the other hand, civilian contractors have had to comply with a much looser standard outlined in FAR 52.204-21. A new proposed rule that has not yet been published will likely align standards and also require civilian contractors to be compliant with NIST 800-171. This proposed rule already underwent a review by the Office of Information and Regulatory Affairs (OIRA) – the last stop for many regulatory requirements – in August 2022. Because of issues identified by OIRA, regulators are making further revisions to the proposed rule. The FAR case is 2017-016, and the latest status is available online.
New DHS Requirements
DHS released proposed cybersecurity regulations in January 2017, and those regulations have been undergoing revisions since that time. OIRA received the final rule for review and publication on Aug. 15, 2022, so its release is possible at any time. As a refresher, the proposed rules:
- Expand the Scope to Include Contractor-Owned and Contractor-Operated Systems or Any Situation Where Contractor and/or Subcontractor Employees May Have Access to CUI: The current version of the regulations only “applies to all or any part of the contract that includes information technology resources or services for which the Contractor must have physical or electronic access to sensitive information contained in DHS unclassified systems.”
- Provide New Requirements for the Handling of CUI: The proposed clause links to DHS standards which DHS can change at any time.
- Require New Authority to Operate Standards for Operators of DHS Systems.
- Institute New Incident Security Reporting Requirements: This includes requirements to report incidents within eight hours or one hour, depending on the type of information involved. Further, contractors will be required to give DHS (and third-party contractors) access to relevant contractor systems impacted by the incident. Incidents must be reported to the DHS Component Security Operations Center as well as the contracting officer and contracting officer representative. If personally identifiable information is involved, there will be other requirements, including credit monitoring for impacted individuals.
No cybersecurity update would be complete without reviewing the status of CMMC. DOD officials have long said that they expect the CMMC program to ramp up by summer 2023. Because it is unknown which contracts are being covered by CMMC, contractors (whether prime contractors or subcontractors) should prepare for implementation of the program. Even so, for contractors handling CUI, the requirements to institute the controls under NIST SP 800-171 have been in place for a number of years now and, even if there are material changes to the CMMC program, these requirements are not expected to change. In any event, we should expect the following soon:
- Rulemaking from DOD (in the first or second quarter) that could institute the CMMC program; it is unknown yet whether it will be a proposed rule or a final interim rule
- An updated CMMC Assessment Process (CAP) in the first quarter of 2023 (per Matt Travis, President of the Cyber Accreditation Body)
- Continued initial CMMC accreditation reviews by the Defense Industrial Base Cybersecurity Assessment Center in coordination with Cybersecurity Third-Party Assessor Organizations
Updated NIST SP 800-171
As noted above, a revision of NIST SP 800-171 is forthcoming. In the fall of 2022, NIST released an update that an initial public draft of SP 800-171, Revision 3, is expected in late spring 2023. Further, based on feedback NIST leaders received, they plan on the following for the upcoming revision:
- Update the security requirements for consistency and alignment with SP 800-53, Revision 5 (including inclusive language updates), and the SP 800-53B moderate-impact baseline
- Develop a CUI overlay (Supplementary Appendix to the existing security requirement catalog) to better link the CUI security requirements to the SP 800-53 controls for stakeholder feedback
- Consider and propose options on how best to address stakeholder feedback on the [Non-Federal Organization] NFO control tailoring
When DOD moved from CMMC 1.0 to CMMC 2.0, it removed bespoke DOD controls. It remains to be seen whether those controls will be added to the upcoming version of NIST SP 800-171.
Additional Cybersecurity Information Sharing
DOD currently runs a cyber-incident information sharing program that is limited to classified programs. In a proposed rule due to be released in May 2023, DOD will propose expanding the scope of the program to contractors that “process, store, develop, or transit” CUI from DOD.
Continued False Claims Act Risk
It is not a coincidence that the U.S. Department of Justice released its new Civil Cyber-Fraud Initiative around the same time that CMMC 2.0 was released announcing that contractors not handling CUI will be permitted to self-certify compliance with cybersecurity standards. In case you missed it, the initiative will target contractors that do not meet contractual standards or fail to report cybersecurity standards. More specifically:
The press release about the initiative touts the following benefits of the program:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners
- Holding contractors and grantees to their commitments to protect government information and infrastructure
- Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations
- Improving overall cybersecurity practices that will benefit the government, private users and the American public
Further, as currently constituted, the base self-certification level for CMMC (Level 1) requires contractors to undergo extensive validation procedures.
All of the above translates to increased risk for contractors of civil fraud cases brought by relators or the federal government.
As the above cybersecurity developments come to fruition (and others not mentioned here), we will provide updates.