Malicious cyber activity costs the U.S. economy billions of dollars every year. The federal government has recognized this threat to economic and national security. In recent years the federal government in general, and the Department of Defense in particular, has begun requiring prime contractors, subcontractors, manufacturers, suppliers, and any entity in its supply chain to implement certain cybersecurity standards. The most prominent of these requirements are NIST SP 800-171, Cybersecurity Maturity Model Certification, and "Section 889 Part B."
In 2016, the federal government required all federal contractors to comply with the standards set forth in NIST SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Among other requirements, the NIST SP 800-171 rule imposed a set of several “basic” security controls for contractor information systems upon which “federal contract information” transits or resides, in particular any Controlled Unclassified Information/Covered Defense Information (CUI/CDI) data. As of November 2020, federal contractors must perform a self-assessment in the Supplier Performance Risk System (SPRS), which requires entry of a contractor's Commercial and Government Entity Program (CAGE) code. If a contractor does not have a CAGE code, one can be obtained either: 1) through SAM.gov, where a CAGE code will be assigned during processing; or 2) if the contractor does not intend to do business with the federal government, by requesting one directly from the DLA CAGE Branch by completing the request online.
In 2019, the Department of Defense initiated the Cybersecurity Maturity Model Certification (CMMC). CMMC will be a “go/no go” requirement in all Department of Defense solicitations. The purpose of CMMC is to become the “unified cybersecurity standard” for all defense contractors, subcontractors, and any entity in its supply chain. Under this model, defense contractors will be required to be certified by a third-party certifier (C3PAO) at one of the five different levels of cybersecurity in order to be eligible for contract award. The CMMC Accreditation Body is the sole authorized accreditation and certification partner for the CMMC program and C3PAOs. Initially, the timeline was roughly a year for all of the more than 300,000 contractors that do business with the Department of Defense to be CMMC certified. Later, DoD announced a phased rollout ending in 2025. However, in November 2021, after months of internal review, the Department of Defense announced significant changes to the CMMC program, now called CMMC 2.0. Among these changes are: reducing the number of companies that would require a third-party assessment, reducing the CMMC rating from 5 levels to 3 levels, suspending CMMC pilot programs until a final regulation, allowing annual self-assessments for certain levels, and bringing back Plans of Action and Milestones (POAM). These changes were met with opposition from some stakeholders, who argue that they run counter to DoD policies and President Biden’s recent Executive Orders increasing cybersecurity reporting requirements for businesses. AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. DoD acknowledges the challenge of being 100% compliant with CMMC, but suggests a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance.
The proposed CMMC 2.0 rule will go through the public notice and comment period, but a date has yet to be announced.
In 2020, the rule often referred to as “Section 889 Part B” went into effect. It prohibits federal agencies from entering into, extending, or renewing a contract with a contractor that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. In brief, Section 889 Part B prohibits contractors from using certain telecommunications equipment, mainly from Chinese companies, for example Huawei or ZTE. The rule states that the prohibited “use” of the covered technology applies “regardless of whether the usage is in performance of work under a Federal contract.” The rule is likely to expand the scope of this prohibition to apply to affiliates, parents, and subsidiaries of the prime contractors.
AGC recognizes the threat malicious cyber actors pose and the need to better protect the federal government and construction industry. AGC is committed to working with the federal government to ensure that cybersecurity requirements are clear and consistent, reflect input from impacted stakeholders, and provide adequate lead time for compliance.
Government Resources
- Cybersecurity Maturity Model Certification (CMMC)
- CMMC Accreditation Body
- NIST SP 800-171
- Supplier Performance Risk System (SPRS)
- "Section 889 Part B" Interim Rule
- SAM.gov
- DLA CAGE Branch
AGC Resources
- WebEd: CMMC Overview with Katie Arrington
- WebEd Recording
- WebEd Presentation
- WebEd: A Practical Examination of CMMC for Construction Contractors
- WebEd Recording
- WebEd Presentation
- WebEd: Cybersecurity – New Mandatory Requirements for Defense Contractors
- WebEd Recording
- WebEd Presentation
- AGC Regulatory Comments - CMMC (11/20/2020)
- AGC Regulatory Comments - Section 889 Part B (9/14/2020)