I think I will get started. It is 12:01. Good afternoon, everyone. It is my pleasure to welcome you to today's webinar titled CMMC and the New FAR: Dramatic Changes in Federal Contracting. My name is Archisha Mihan, and I am the founder of Fed Consult and will be your moderator today. Fed Consult basically helps companies navigate and thrive in the federal contracting arena. A couple of housekeeping items. The webinar is being recorded and will be shared along with these slides. You can also find the recording on GovSpend's website along with all the past webinars that they have hosted. Also, please ask your questions on the Q and A tab, and we will be answering them at the end of the presentation. So next slide.

For those who do not know, GovSpend basically provides intelligence on the federal and state, local, and education sectors through their platforms. The GovSpend platform basically provides a comprehensive view into the buying and selling at the state, local, and education levels. The Fedmine platform is the federal platform that integrates the nineteen data sets into one easy-to-use market intelligence solution. And next slide. You can go to the next one.

It is my pleasure actually to introduce Eric Crusius. I have known Eric for many years. In fact, he was the first one who talked about CMMC so many years ago. I remember that, Eric. So I was like, I need to have you present on CMMC. He is the partner and chair of government contracts at Hunton Andrews Kurth. He practices on a wide range of government contract matters, including bid protests, claims, disputes, compliance, sub/prime issues, and has extensive experience in government contract litigation, having successfully prosecuted and intervened in numerous bid protests before the US Court of Federal Claims, the GAO, Boards of Contract Appeals, and other federal agencies.
He also counsels clients regarding the Service Contract Act, the Davis-Bacon Act and other labor issues, cybersecurity, subcontracting, teaming agreements, and everything related to federal contracting, in my opinion. But besides helping government contractors through all the contracting compliance and litigation issues, he provides strategic and practical advice on matters connected to cybersecurity and privacy in the government contracting space. He also counsels clients on obligations in the FAR and on agency-specific requirements from the DOD, Homeland Security, and Veterans Affairs, amongst others. And he also is an expert on the Cybersecurity Maturity Model Certification program and the FedRAMP program. He's a thought leader. He's appeared on numerous government matters and Federal News Network sessions, and has been featured at conferences. And I am so excited to have Eric to talk about CMMC and the FAR. So, Eric, I'm gonna hand it over to you, and I'm looking forward to this presentation.

Same here. And, yeah, we've known each other for about... I'm sorry. That's my cat. I fed them before this thinking they wouldn't interfere. Yeah. We've known each other for about fifteen years, I think. Oh my god. You know, time flies. But it's really a pleasure, and I should bring you everywhere to do my introductions because that was awesome and totally unnecessary, but I appreciate it. And I'm happy to get started with the substantive part of the presentation, as long as... there is a second cat; hopefully she doesn't appear also. So our agenda is: we're going to talk about cybersecurity, mostly CMMC, but we're gonna talk about a few other things too. And we're gonna focus, of course, on the Department of Defense/War initiatives. Just a word about that. I'm going to refer to it as the Department of Defense, because that's how it's referred to in the rulemaking and all the rules that have been issued so far.
There likely need to be some statutory changes to officially change it to Department of War. So it's not a political statement. The reason why I'm calling it DOD or Department of Defense is just how the rules refer to it right now. And then we'll talk a little bit about the FAR overhaul, where it's at, what it means, and where it's going, in the last bit of this presentation. So really great to be here today to talk through these things. And why don't we go on to cybersecurity initiatives? We can go to the next slide.

So you think about cybersecurity, and we're gonna get to CMMC in a moment, there is the government-wide aspect of cyber. So you have the FAR clause that covers the entire government, FAR 52.204-21, that outlines, depending how you divide them up, fifteen to seventeen controls in the clause itself. These are fairly basic controls that most companies can pretty much do in their sleep, although it's important to look at the controls and verify that you are doing them, especially if you're on the DoD side, but even on the civilian side as well. This clause has been around for a long time, and arguably it does not protect information well enough. That's what the government believes, at least, anyway. So they have issued a proposed rule. We're waiting for the final rule that would require NIST SP 800-171 compliance for the entire civilian side of the government. So if you're thinking about CMMC, and we're gonna talk about this more in detail coming up, the basis, you know, CMMC is really a verification program, and it's a verification that if a company has controlled unclassified information, they are protecting that information in the manner prescribed by DOD, and that is consistent with the controls in the National Institute of Standards and Technology Special Publication 800-171, the second revision.
So this new rule on the FAR side would require non-DOD contractors to do the same. And before they shut down, at least the schedule to release that final rule was going to be December. I don't know that they're still working on it now. They may still be working on it in the background, but it has not cleared the FAR Council yet. So I doubt that December is a viable date at this point. It's gonna bleed into sometime next year. I just don't know when, but that will become a requirement across the board. The nice thing actually about this rule, that will hopefully make things easier for folks, is that there is a form that is also part of the rulemaking, and in the form, the contracting officer is supposed to identify the controlled unclassified information that's going to be used in the performance of the contract. So again, we have some slides on this coming up. A lot of the issues that we have right now is a lack of consistent identification of CUI. Either it's overmarking or undermarking, right? They're both equally difficult problems to overcome. And there could be genuine disagreement on whether something is CUI or not. In any event, this form would hopefully help that a little bit, at least anyway, where companies would be on notice of what the government thinks the controlled unclassified information is that needs to be protected as part of the contract. There's also another rule that would require disclosure of cybersecurity incidents within eight hours and updates every seventy-two hours. DoD has a similar rule, which we'll talk about, on disclosures of cybersecurity incidents. I will say that the way the proposed rule is drafted, the definition of cybersecurity incident was very broad and includes failure to follow internal policy, spillage internally outside a CUI environment, not necessarily an incident or an exfiltration where a bad actor has gotten ahold of the information.
There may be none of that, and it would still be reportable. So we'll see. But that's upcoming on the civilian side, which would cover the entire government. The VA and DHS were not willing to wait for the FAR Council to finish its work. So they have gone ahead and issued new cybersecurity regulations. If you are a contractor in that space, it's important to look at those and see if those clauses are in your contract. They require data protection. They also require incident notifications. And in the VA in particular, if you have personally identifiable information as part of the contract performance, not your own PII for your employees, but PII of, like, the warfighters, medical records, things like that, and there is a cybersecurity incident connected with that, there are damages that you may have to pay, and there's a clause that specifies what those damages are. So look to your contracts for that. But those are some government-wide initiatives. Let's go to the next slide.

Now turning to the Department of Defense, we have kind of this three-step process, and if you've seen me present on CMMC before, you may have seen this slide. Don't worry, there are some new slides in here too that you haven't seen before. So the first step, we had DFARS 252.204-7012, and it required protection of controlled unclassified information under NIST SP 800-171, and it was a complete self-assessment, and it was DOD saying, we trust you, and we're not even gonna verify. If you take the work in this contract and you sign up for this contract and it has this clause in it and you have CUI, then we trust that you are fulfilling your obligations under this clause, and that includes protection of information under NIST SP 800-171. Now, DOD realized something after a short period of time. This rule came into effect about seven or eight years ago in its current iteration.
Before this time, by the way, it was a subset of NIST SP 800-53 that was part of the rule. Now it's the whole of NIST SP 800-171, which confusingly is actually a subset of NIST SP 800-53. But DoD realized that this was not happening, and they said, okay, we need to go to a program where there's a third-party verification, which is the CMMC program. But in the midst of that, realizing that CMMC would take a little while to roll out, they came up with DFARS 252.204-7019 and 7020, which collectively require companies to go and determine how many of those controls they actually are compliant with. So before, they just assumed that you're doing it. Now, they say go and figure out how many of those controls you're compliant with and report it into the Supplier Performance Risk System. So psychologically, that changes a lot, right? Most people will not just go in and report 110, which is the total number of controls, as the number they're compliant with, unless they actually do something to figure that out. And, as part of these two clauses, DoD has a right to go in and verify that. So if somebody gives a score of 110 and they don't believe it, they can go in and look at that score by doing their own assessment. And then we have DFARS 252.204-7021, which is the CMMC clause, which would require third-party assessments. And that's where we are now. That clause was initially issued in 2020. It was always out there, but it was essentially suspended and now superseded by the new language, which came out on September 9, I believe, and which is effective November 10. So it's effective just about two, three weeks from now. And we're gonna talk a little bit about that, of course. Let's go to the next slide.
So when we're thinking about this, it's important to look at these steps. So this is applicable, the 7012 clause has been applicable, when the company has CUI as part of its contract performance. Now there is an update forthcoming for this regulation, but that update shouldn't affect what it requires, and that's compliance with NIST SP 800-171. You can see it also requires cybersecurity incidents to be reported within seventy-two hours and cooperation with any DoD investigations that come out of those cybersecurity incidents. It's being modified to include NIST SP 800-172 also in certain circumstances. I will say this: it's a little bit confusing, this rule, because it's in contracts even if there is no contemplated CUI in the contract. If you look at when contracting officers are supposed to put this clause in, it's pretty broad as far as when it goes in. It's not just limited to circumstances where the contracting officer thinks there will be CUI. So you may have this clause and not have a requirement under it if you don't have CUI. If you're not sure, it's really good to reach out to the contracting agency to find that out. Of course, if you don't have a system capable of handling CUI, you may get an answer you don't wanna hear, so you kinda wanna get that all buttoned up before maybe you reach out to the Department of Defense to try to figure out what your obligations are. So, you know, the interesting thing about this rule when it came out, and up until sometime last year: there are essentially four versions of NIST SP 800-171. There's the original, revision one, revision two, and revision three. And the rule, as it previously said, is that contractors had to abide by the version of NIST SP 800-171 that was in effect at the time that the solicitation was issued.
That's almost an exact quote because I've said it so many times now. And, you know, that makes things very difficult. So revision three came out last late spring, early summer, I think it was May of last year, and that would mean that the next day, if a solicitation was issued, companies would have to comply with NIST SP 800-171 revision three that next day, which is very difficult. It's quite a bit different than revision two. So they issued what's called a class deviation to hold the clause in place as it was and say, okay, until we change this class deviation, it's revision two. They will eventually lift that class deviation and make a revision three requirement, but they're going to probably keep it consistent with when CMMC does the same thing. Next slide.

So then talking about 7019 and 7020, it's gonna be in a broad range of solicitations, but it's only applicable if you have controlled unclassified information. And as I mentioned, it requires companies to go into the Supplier Performance Risk System and state what their score is. If you have this clause in your contract and you have CUI and you put in a proposal and you don't have a SPRS score, you're not gonna be eligible for award. So it's really important to have those scores in and have them be accurate. Now, you'll see why in a minute. You really wanna ensure that those scores are up to date. Next slide.

So this is a perfect example as to why you want those scores to be accurate. So when you think about the 7012 clause, the government, the Department of Defense, is trusting you. That is a high risk for the False Claims Act because you are essentially telling the government, by performing the contract and accepting and signing the contract, that you will protect the CUI in accordance with the clause.
And you don't have anybody to verify it, so you're relying on yourself, essentially, unless you have a third party come in voluntarily and check on your work. And when we move from this to the 7019 and 7020 clauses, where you're going to the Supplier Performance Risk System and telling the government what your score is, that takes a little bit of the risk off, so long as your score is accurate. If you're telling the government your score is fifty, and then two weeks later the government gives you a contract, it'd be very difficult, not that they won't try, but it'd be very difficult for the government to establish that that is a False Claims Act violation, because you have disclosed to the government what your actual score is. So it's really important, if you have a score, that it's accurate. And this is a perfect example of why. Here's a small business, Morse Corp, that agreed to pay $4.6 million to settle fraud allegations. This just happened a little bit earlier this year. Next slide.

And there were four points that were made in the press release, and these are all allegations. That's why I have "allegations" at the top. Two, or even three, are ones I think that a lot of folks can relate to, and one is a little bit more nuanced. But the first one here is that the hosting company that Morse Corp used to host its CUI was not FedRAMP Moderate or equivalent. We haven't touched on this yet, but if you are using a cloud service provider to host your controlled unclassified information, they must be FedRAMP Moderate or equivalent. There are plenty of providers who do that. So if you're not in that kind of environment right now with your CUI, you can see this company got dinged for not fulfilling their responsibilities to host it in a FedRAMP Moderate or equivalent environment. Look to the 7012 clause for more information on that. Let's go to the next slide.
So I mean, this one I thought was really interesting. And I thought of this analogy a week or two ago, and I've used it a couple times since, because I think it's a good one. You be the judge, though. One of the things that they got clipped for is failure to comply with NIST SP 800-171. If you go across the defense industrial base, NIST SP 800-171 compliance is probably under fifty percent, right? I would say it's probably pretty far under fifty percent right now still. That's just a guess based on everything I'm seeing out there. But this company got in trouble for not complying with NIST SP 800-171. And you could argue, like, look, everyone else is doing it, but that's not gonna be good enough. Right? Because you, the company that's being investigated, are the ones who signed the contract. And I'm not saying you personally, people who are watching and listening, but the general you. And I kinda liken it to this. You're on a highway. The speed limit's fifty-five. You're going sixty, and you're keeping up with traffic. Maybe even some people are passing you, and you get pulled over for going sixty in a fifty-five, and the police officer says, you're speeding, you're going five miles per hour over the speed limit. You say, but so is everyone else. The police officer says, I don't care. I pulled you over and you're the one going over the speed limit, right? All of us, I would say just about all of us, if not all of us, have gone more than fifty-five on the highway where the speed limit is fifty-five. And it feels kind of silly to get pulled over for going sixty in a fifty-five, but technically it's possible, right?
And that's what's happened here really, where you have compliance with NIST SP 800-171 as a requirement. Even though most companies aren't doing it, that doesn't mean that the obligation doesn't exist, and it doesn't mean that DOJ can't come in and do an investigation and bring a False Claims Act case. So it's really important to have those controls in place, and if they're not in place, have plans of action and milestones to resolve those controls that are not in place. There's no deadline that's needed, but it makes the attorney's argument much easier, not perfect, but much easier, if there are POA&Ms in place to show that the company is working towards compliance with NIST SP 800-171. Next slide.

Then also from Morse Corp, this one's a little bit nitpicky. Of the four, I think this is probably the least interesting, but it's still important to understand. Apparently, they had their system security plan in multiple documents, and the government really likes to see it in one document. I would guess if this was the only issue the company had, there would not be a False Claims Act case at all, or a settlement. But while they're there, they may as well, you know, while you get pulled over for going sixty in a fifty-five, they're gonna get you for not wearing a seatbelt also. That kind of thing. And then finally, I think this is the most interesting one and really the most perilous one for companies. They had the wrong score in the Supplier Performance Risk System, and apparently, this is the allegation, they knew they had the wrong score in the Supplier Performance Risk System. I don't have a slide on this, but also Georgia Tech recently reached a settlement with the Department of Justice, and the main allegation, or one of the main allegations in that case, also was having a misleading or wrong score in the Supplier Performance Risk System.
And, you know, an honest mistake, where you take a consultant's word for it, is probably not as actionable as what happened here, or at least what is alleged to have happened here. But Morse submitted a score in January 2021 of 104. They had a consultant come in after that to verify their score and found out that, in fact, the score was not 104; it was negative 142, which is quite a bit different. And it sat for a long time where they had the score of 104, you know, as they were being awarded contracts, and they never changed the score, and in fact, as the allegation goes, only changed the score after they received a subpoena from the Department of Justice about this issue, and it was three months after they actually received the subpoena. So really, no matter how bad the score is, I tell clients this all the time, put the true score in the system. It may prevent you from getting contract awards, right, if the government looks at your score and says this is too high a risk, potentially. But you also will not be on the wrong side of a False Claims Act case because the score is wrong. Obviously, if the company has a poor score, you wanna work really quickly towards getting it up to speed, so you're not in that position anymore of not getting contract awards. Each situation is quite a bit different, but to the extent possible, you always wanna have the most accurate score, the score that is as accurate as you can make it, and document how you got to that score. Next slide.

So it's really interesting. So here we are in a third stage, CMMC 2.0, where now companies in certain circumstances will have to get a third-party verification. Even if there's not a third-party verification, they're going to have to do self-assessments and let the government know how those self-assessments went. So even for non-third-party verification requirements, it's a lot more stringent than it used to be.
So if you look at this, this is kind of a laundry list of what the CMMC program is. But, you know, I think that second-to-last bullet is important: that CMMC is going, you'll see in a minute, to roll out over time, but the Department of Defense has not told us which programs are going to be impacted first. So with CMMC 1.0, they established a Pathfinder program and identified ten, fifteen contracts that they envisioned being part of that program, which meant those were the contracts that companies would expect to have CMMC first, and so be prepared if you're in the supply chain for those contracts. I'm not sure of their reasoning, but they decided not to do that this time. So we don't know which contracts, when things start next month, will have CMMC in them. But in case you're unfamiliar with it, the whole setup is, you know, there's a third-party accreditation body that sits in between the contractor and the Department of Defense. That accreditation body essentially accredits the organizations that can go out and do these assessments, called C3PAOs. There are approximately eighty to eighty-five C3PAOs now in the marketplace. Some of them have multiple assessment teams. Some of them don't. Some of them are not actively doing assessments right now. So, you know, there's obviously a scarcity with respect to the C3PAOs doing these assessments. So I do say, if you feel like you're ready to be assessed or will be in the next six months, get on somebody's calendar. A lot of these folks are not booking out till next spring and next summer already. So do that. And later in this presentation, there's some contact information to figure out who those C3PAOs are. We go to the next slide.

So the C3PAOs are going to be doing the third-party certifications when a certification happens. Let me just step back for one second also. Will you need a third-party certification? What level will you need?
And that's going to be determined by the program office, at least initially in the program. And it's going to be dependent on the kind of information the Department of Defense anticipates is going to be part of the contract performance. If there's gonna be no CUI as part of the contract performance, then only a level one, and I'll show you the different levels in a minute if you're not familiar with them, will need to be fulfilled, which is a self-assessment based off of that FAR clause I showed you earlier with the fifteen to seventeen controls. If there is CUI involved, it's going to require at least a level two self-assessment, which is the 110 controls in NIST SP 800-171 revision two, or a third-party assessment under the same regime. If it's really high-value CUI, which is CUI that can impact the entire DOD, or emerging programs, things like that, then a level three will be necessary. For level one and level two, it's a verification of existing requirements. Level three is the only level that has some new requirements in it. But when getting assessed, let's just say, you know, we're gonna have CUI, so we're gonna go ahead and get a C3PAO assessment, a third-party assessment. The contractor is the one who defines the scope of that assessment, because a lot of scopes are smaller than the organization itself. A lot of organizations just use enclaves. So that C3PAO will assess the enclave that has been defined by the company seeking assessment. And the C3PAO comes in and, using the assessment objectives in NIST SP 800-171A, figures out which of the 110 controls have been met and not met. And there are three options then. Approval: you get a CMMC certification that's good for three years.
Conditional approval, where some of the controls are not met, but at least eighty-eight are met, and, you know, there are some controls that are allowed to be POA&M'd and some that are not. So not all of the controls that are not met are allowed to be POA&M'd. You get that conditional approval, and that's just as good as approval for the time being. You could still go out and bid and win work, but those POA&Ms have to be resolved within 180 days. If they're not resolved within 180 days, that conditional approval lapses. And you do need to use a C3PAO to verify that those POA&Ms have been resolved. You don't have to use your original C3PAO, but it's probably the wisest thing to do unless you have a reason not to go back to them. Or, not approved, right? The vast majority, at least anecdotally, of companies that have gone through assessments have been approved or gotten conditional approvals. I'd say it's eighty-five, ninety percent plus right now. But these are the early movers, of course. So there are folks who have been motivated to do this, and are doing it for at least a financial or other reason, and wanting to be a first mover. I imagine as we go further along, that approval rate will decline as companies come kicking and screaming through the process of getting C3PAO assessments. Next slide.

So, the contracting officer will determine the kind of information that's involved in the contract and assign a level. I did see some language when I was looking at the rule recently that it could be the program office that assigns a level. So we'll just say DoD assigns a level, somebody within DoD assigns a level, depending on the kind of information that's going to be used in the contract, and that is dependent on whether there's CUI in the contract or not, right?
If no CUI, level one; if there is CUI, level two or three. This is the definition of what CUI is, pretty broad, but you need to look to the CUI registry to see what kinds of information are CUI. I will say the CUI registry is very broad. So if you're looking for comfort in the CUI registry, you won't find it. But depending on the kind of information that it is, it would require a third-party assessment versus a self-assessment. We go to the next slide.

So these are examples of categories in the CUI registry. I just thought this would be interesting. This is not comprehensive. But I thought for this crowd, these would be the most interesting ones that there are. I can see proprietary information, export control. All export control is CUI, right, if the export control information is part of a contract, but not all CUI is export controlled. So think of it like that with export control. Then you have controlled technical information. That's always gonna require a third-party assessment. And then there's source selection information, general procurement and acquisition information. So a lot of categories that you're well familiar with push information into the CUI category. Next slide.

This is just, I thought, an interesting article that came out a few months ago on Katie Arrington. She had said at the time, going through the final stages of CMMC, that she's fairly certain that the Army is going to be the first one, the first mover. So if you have contracts with the Army, be on the lookout for that. Also, they're talking about, the last point, federalizing CMMC. That means that this will be a requirement across the government, not just with the Department of Defense. To do that, they're gonna have to issue the FAR CUI rule, because otherwise there's nothing to assess against, unless you want to assess everyone against the level one standard. So you can't put the cart before the horse.
They've got to get that CUI rule out there, then they can put a CMMC requirement in to verify compliance with the CUI rule. Next slide.

So it's important to think of this rulemaking. I know it's a little confusing, because a bunch of different proposed rules and rules were issued. There are two sections of the CFR that had rulemaking in them. The first one, under 32 CFR, established the entire program, talked about the responsibilities of all the parties, established the Cyber AB, talked about what C3PAOs do, put the ethics and compliance requirements in, talked about the timeframes, all that kind of stuff. All the meat of the CMMC program was in 32 CFR. That rule was effective almost a year ago, December 16, 2024. And certifications happened starting after that effective date of the rule, even though there were no requirements in contracts. What we were waiting for until just now was the 48 CFR rule, which are the rules that actually go into contracts. The program existed, but there was no way for contracting officers to put in the program. They needed the 48 CFR rule to do that. That rule came out and is effective November 10, 2025, and now establishes the clauses that will go into contracts. Next slide.

So what's the process now that we're here? So a company will see whether they have federal contract information or CUI. Depending on the kind of information they have, they'll have to self-assess or get a third-party assessment of some kind. Whether they're self-assessing or getting a third-party assessment, they establish their own scope of the assessment. So if you have an enclave, you establish that as your scope, for instance. And once the assessment is complete, if it is successful, whether you're doing it yourself or have a third party doing it, the system is given a unique identification number.
And then when the contract starts, it's up to the contractor to provide that unique identification number for that system to the contracting officer. If there is no UID and there's a CMMC requirement in the contract, that means that you as the prospective awardee won't be awarded the contract, because it would require a UID, which only comes after receiving a successful or conditional assessment. So very important. I call this kind of the "no way out" strategy, right? The contracting officer knows exactly which system is going to house the information, and that prohibits any kind of ambiguity in the process. Of course, you could change the system as long as it's a certified system. You just have to let the contracting officer know that. Next slide.

So let's talk about timing a little bit. I do have a whole chart on the timing, but in the final rule, they talked about the program management office dictating or allowing certain contracts to have CMMC in them versus all contracts coming out having CMMC in them. So during the first three years, the program management office, the PMO, will determine whether CMMC will be applicable for the solicitations. After the three years, the default is it's going to be in contracts. No PMO determination is required. But the interesting thing is, let's talk about option years. Let's say you have a contract that's going on right now, and the option is coming up in February, right? And if the contracting officer wants to put CMMC in, they can create a bilateral modification of your contract in order to do so. They view that as contract administration. Now you as a company could say, no, we don't want that, we don't agree to that. Or yes, we agree, but it's going to cost you. In those circumstances, that's fine.
You negotiate with the government. Of course, if the government's unhappy with how those negotiations are going, let's say they really need to have CMMC in it, they could just not pick up the option and find someone else to do the work, right? So it's really important to think about this, where, funny enough, new contract awards require PMO approval, at least based on the text that was released; maybe in practice it'll be different. It looks to me that the contracting officer is the only one required to put in the CMMC requirement once the contract starts. And that contract could have already started. It could be an existing contract you have right now. Next slide.

And I thought this was a good quote too, because there was a comment that CMMC should only be put into existing contracts if there is a national security need, and this was DoD's response to that: "DoD did not incorporate the recommendation to limit inclusion of CMMC in existing contracts unless the risk warrants inclusion, as contracting officers already have the discretion to bilaterally incorporate the clause in existing contracts based on DoD's needs. That determination is up to the contracting officer consistent with other contractual requirements." So they make clear here, at least in my opinion, that the contracting officer can unilaterally determine whether CMMC should go in and then has to have a bilateral negotiation with the contractor. And then what happens after that is dependent on how those negotiations go. Next slide.

Of course, if you don't have CMMC and your competitors don't either, then there's not really anywhere the contracting officer can go, but if you have competitors that have already been certified successfully, then the contracting officer may have options. This is a graphic from the Department of Defense on the timing. I'm going to ignore the top part because I have a graphic, I think, that is a little bit better.
But this bottom part here, I think, is really important; that's my red arrow there. In some procurements, DoD may implement CMMC requirements in advance of the planned phase. So they have this four phase approach that lasts the next few years, but DoD has specifically reserved the right to accelerate implementation in certain circumstances. Next slide.

So thinking about what CMMC is, these are the three levels: the existing requirement they're verifying, what those controls are, and the information type that is part of it. This is just good information. We've talked through this already, but level three is the only level that is not based off of an existing requirement. Next slide.

Level three is only attainable after a C3PAO has assessed that same environment. So once a C3PAO has successfully assessed that same environment and given a certification, then you could go and get a level three through the Department of Defense. The Defense Industrial Base Cybersecurity Assessment Center, also known as DIBCAC, does those assessments. And they probably don't do it just based off of requests. They probably do it based off of companies they think will need it, based on the information that they're going to have in their contracts.

So this is the timing rollout. You can see starting November 10, level one and level two self-assessments will be required as a condition of award. That's when the PMO decides to put the CMMC clause in the contract. That will apply all the way down the supply chain. At least a level one self-assessment will be needed, and level two, based on the kind of information that contractor is going to have. So, optionally, and this is written into the rule, level one and level two self-assessments can happen at the option period for previously awarded contracts. We talked a little bit about that, and level two C3PAO conditional or actual assessments as a condition of award. So they have that option in the rulemaking itself.
A year from now, essentially, the default will be a C3PAO assessment when the kind of information in the contract requires it, and they have the option of bringing forward those level three DIBCAC assessments as a condition of award. And also the contracting officer does have the option of delaying the C3PAO assessment next November until an option period. Maybe there are not enough contractors in the community that have gotten a CMMC assessment done, so they're going to wait in that circumstance. And then a year later, 2027, C3PAO assessments for all option periods for previously awarded contracts, and they can delay level three assessments until the option period if need be. And then on the third anniversary, I guess you could say, of the requirement, all contracts and options will have to have the CMMC requirements in them. So there's no more discretion. There's no more leaving it out. It'll be interesting to see the cadence of how often CMMC is put into contracts, or I should say initially solicitations, and what that looks like, and whether that disrupts the defense industrial base right now. Next slide.

So it's a fairly startling figure to see what the view is on how many assessments are going to need to be done in the next few years. So there are 337,000, almost 338,000 companies in the defense industrial base. Their estimate is that about 200,000 are going to go the route of a level one self-assessment, and that 120,000 are going to need a level two C3PAO assessment. And you can see the self-assessment under level two is just 6,759, a very small subset of level twos. They really anticipate the vast majority of companies seeking a level two assessment will need a C3PAO assessment. And then just one percent, essentially, of companies will need a DIBCAC assessment.
So a very small subset of the 338,000 or so contractors in the defense industrial base. But you can see 118,000 is a fairly big number when you think about it. Eighty thousand of those are small businesses, and right now there are eighty-something companies that are capable of doing these assessments. You know, the math is very difficult if you don't act soon, because a lot of these folks are booking up. I don't have a personal stake in this. I'm just giving you the advice I give to clients on getting on somebody's calendar. Next slide.

So some last things on CMMC, some strategies and challenges to think about. Right now, I gave the example of you put a score of 50 in the Supplier Performance Risk System, you get a contract after that, and all is well and good. Everything, though, changes on the effective date. If a company has CMMC in a solicitation, they need to have at least eighty percent compliance with those controls. A 50 score is not going to cut it anymore. It's got to be at least 88 controls in place, which is eighty percent, and certain controls can't be POA&M'd. So that changes drastically what companies are able to do. Foreign companies have a difficult time because there are fewer C3PAOs willing to do assessments overseas, although there are some, and there have been some conflicts with some foreign governments about US-based C3PAOs coming in and doing assessments of information. So they may have to cordon off certain information a little bit more than others do. Of course, subcontractors and suppliers must comply all the way down to the COTS providers. So COTS providers are exempt from these requirements. COTS contracts are exempt from these requirements.
But the prime contractor is responsible for flowing down the requirement to its next tier supplier, and flowing down the level that is appropriate for the kind of information that they have. This obviously is going to be, the supply chain is really going to be the thorn in the side of this entire program, because it's one thing for a prime contractor to have control over what they're going to do and when. It's another thing to require companies in the supply chain to do the same thing, especially if there's not a profit motivation for those suppliers to do it. We could do a whole hour just on those issues, but I wanted to point them out. And I think I saw some questions dealing with subcontractors and suppliers, so if we have time, we'll deal with those as well here.

I already mentioned how CMMC may come sooner than expected. I just want to add one thing to that, which is that this is a government driven, Department of Defense driven requirement, but large prime contractors are driving compliance as well. They don't want to be stuck losing a multi-billion dollar contract because an important supplier has not gotten assessed under CMMC. So a lot of them are sending out surveys, memos, and things like that requiring suppliers to get on a C3PAO's calendar and requiring compliance. So really, having that clear-eyed communication with your prime contractor, if you're a sub, is important to do in some circumstances.

New assessments may be triggered early, right? So the environment is assessed. All well and fine. The assessment's good for three years. What happens if the environment changes, right? Significant upgrades, M&A activity that merges systems together, whatever it is, that would trigger a new assessment. And that means that the system that has been assessed needs to stay in place until that new system with the new assessment is live and ready to go.
So that way you could just sub in the new unique identification number and move all the information over to that new system that's in place. Otherwise, there'll be a system that has not been properly assessed that's housing that information, and that can present contract issues or even False Claims Act issues. So I want to be very careful about that.

Then this other point here, I think, is really important: these frequent affirmations. I haven't mentioned this yet, but as part of the program, companies will have to essentially file affirmations on a regular basis. An affirmation is required after a successful assessment. An affirmation is required after POA&Ms are closed out, and then affirmations are required on the anniversary of the assessment. So year two and year three, or the first anniversary and the second anniversary as it is. And it's required to be signed by a company official with knowledge, who says we are still complying, we intend to comply in the future, everything is in place, et cetera. That creates a False Claims Act risk, because the company is certifying something to the government. So you really want to have that buttoned up when those affirmations are filed, because that can create a tremendous risk for a company.

External service providers: in the previous iteration of the rule, the proposed rule, they were required to get a level two assessment. Now that's no longer a requirement. Companies can use MSPs, for instance, that are not level two certified. But then they are part of your environment when an assessment is being done. So they do have to have those controls in place. So, long story short, the best thing to do is just to find providers that are already certified under level two or will be certified, meaning they anticipate being certified under level two in short order.
And that way, when an assessment's done, that part of the assessment's much easier. You're not relying on them to have those controls in place; they've already done it.

And then, ensuring the correct level: if you have a contract that comes out as level two, and you think it should be a level one, that could be part of a Q&A, or could be a pre-award protest. So you want to make sure that the right level for the kind of information that's being provided is in the contract. And even if you see level two and you think it's level one, you ask the government why this is level two versus level one, and they point out certain CUI that's going to be part of the contract; maybe it's something that they're correct about and you did not realize. So it's really good to ask those questions if the expectations don't meet what's going on. Next slide.

So, as I promised earlier, the Cyber Accreditation Body: if you go to their website, I think it's cyberab.org, and go to the Marketplace section, you'll find all the different providers that have been licensed by the Cyber AB. You want to choose C3PAO if you're looking for a third party assessor. So that's a good resource. Of course, I'm open to providing recommendations as well. Next slide.

Alright. Switching gears for the last number of minutes here, and we'll try to leave a little bit of time for questions because I do see some came through. We have a rewrite of the FAR happening. The FAR, depending on who you ask, is between 1,700 and 2,000 pages long. There was a belief that that is way too long. There was a Section 809 panel that happened, I don't know, seven or eight years ago at this point in time, and they were tasked with revolutionizing, I don't think that's a word, but changing how procurement is done in the federal government.
And they met as a committee, they had professional staffers, and they actually proposed statutory changes, line items, but unfortunately it didn't go very far. Very few changes were made as a result of the Section 809 panel. So we're trying again here, probably trying to take less of a bite, with an executive order issued by President Trump on April 15, 2025, that requires the FAR to be rewritten to take out essentially extraneous clauses, clauses that don't help federal procurement and clauses that are not statutorily required. Their deadline for doing so was six months from April 15, which was a few days ago. They have almost finished. They haven't quite gotten there. We're still waiting for the rest of FAR Part 52, and we're still waiting for FAR Part 2. FAR Part 2 is the definitions, which are critical. FAR Part 52 is the clauses that go into contracts. Next slide.

So this is how the process is going to go. We have the traditional FAR clauses, which are in a lot of your contracts right now. Then we have these newer clauses that are being written right now and released. They are only being inserted into contracts as class deviations, so they're just here temporarily. And then they're going to put these clauses out for formal comments, and once the comments are incorporated and the clauses are made, there'll be a final version, essentially, of the clause. So there'll be three versions, essentially, of each FAR clause floating around at the same time. Important to know, though, existing contracts are not impacted by this unless the contracting officer makes a modification to the contract. If that modification will cost you money, you have the right to go and ask the contracting officer for a difference in that. So most of the FAR parts, as I mentioned, have been done. So, of course, it's an open question what will remain.
I can tell you what's primarily happening is that information is being deleted from the FAR and is being placed into guidance documents. So it's no longer the certainty of certain things happening at certain times; it's more like, this is the best practice, but it doesn't have to be done this way. Depending on your view of things, flexibility is really good, but it's going to create a lot more uncertainty in the marketplace overall. Next slide.

So here are some highlights I think are important, and I think this is our last substantive slide. Primarily what's happening are deletions from the clauses, entire clauses being deleted and all that stuff being moved into guidance. Before this all happened, the FAR Council established a new FAR Part 40, which was empty at the time, focused on cybersecurity and supply chain. And as part of this overhaul, a bunch of clauses were moved into FAR Part 40. So you want to take a look at that, because I think that's highly relevant. Also, what happened is there were a lot of clauses in other parts of the FAR that had to do with commercial contracting. They've all been consolidated into FAR Part 12, which could be very helpful. Before, you had to go to multiple places to find the same thing.

Some interesting things, and there are a ton more like this, but I just wanted to point out two that I thought were particularly interesting. So right now the rule with discussions is, if you're having discussions with one party before the contract award, you have to have equal discussions with everyone else. So if you find there's something in somebody's proposal that warrants discussions as a contracting officer, you have to go to the company and have those discussions. And if something else in somebody else's proposal also warrants discussions, those discussions have to take place.
Arguably, and I'm not going to commit to this, the way the new FAR clause is written, you don't have to go to that second party and initiate discussions with them. You could just have discussions with the initial party. I'm not sure how I feel about this from a personal perspective, because it can lead to some accusations of bias and things like that, but we'll see how it nets out. This is obviously a fairly substantial change on the discussions side of things. And then FAR Part 16 has been rewritten, at least the draft form of it, and that rewrite is giving contracting agencies a lot more flexibility in how they want to purchase goods and services from contractors. So a lot more on this at some point in time as we thumb through the new version of the FAR. Next slide.

Alright. That's all I have for this presentation. I saw some questions coming in. I'm going to scroll through these questions, and feel free to ask any questions with the remainder of the time. I don't know if you want to ask me the questions, or I could just run through and talk to them right now. Up to you.

Alright. I can ask the question, and then you can answer. So I think the first question is, are subcontractors also required to have met 800-171 controls supporting primes?

Yes. If they have controlled unclassified information flowed down to them, then they're required to have compliance with NIST 800-171 currently. And with CMMC, depending on the prime's status and the status of that CUI, they'll at least be required to have a self-certification under level two, possibly a C3PAO certification. Great question.

The next one is, are there additional federal regulations on the calendar?

There's a bunch of stuff out there connected with last year's NDAA. The biggest one, I think, unrelated to all this stuff, is the organizational conflicts of interest regulations.
Proposed rules were released, I think, about a year ago now. And so we're looking for a final rule on that. There's a bunch of other ones that just have more minor requirements. I think the biggest one, though, is that FAR CUI rule that we talked about. That's going to have the biggest impact, and the OCI rule, I think, will have a big impact as well. If you're looking for something to really sink your teeth into, that OCI rule is very substantive. There's also a rule that's been put off, but it's still going to happen, that would require cyber incident reporting for companies in the defense industrial base, separate and apart, through CISA. That was a proposed rule that was issued, I think, in 2024 or 2023. And that's pursuant to a mandate issued by Congress. There was a statute that said certain kinds of companies would have to report incidents and ransomware payments, and those certain kinds of companies cover a lot of the folks in the DIB. So we'll keep a lookout for that, of course, as well.

Yep. My next one, oh no, where'd it go? How applicable are these to the manufacturer of a product that is provided to DoD through an FSI who receives the contract?

So luckily, if you only manufacture COTS products, you shouldn't be subject to these requirements. The only exception I could think of is if you have information like drawings and such passed off to you, but you shouldn't need that information. That information shouldn't be necessary if you're just selling COTS products. For instance, I think one thing that we've seen a lot of is oversharing of information. So companies are just flowing down information that they think could help with performance that's CUI, whether it's helpful or not, or whether it's needed or not. So I think a lot of heartache can be saved by restricting the information that's flowed down to companies. Another solution is a virtual desktop option.
So if you have a supply chain that's not ready, but you need them to be ready and it's not feasible for them to be ready, it doesn't always work depending on what is needed and what's not needed, but you can store the information in your system through a virtual desktop and give your subcontractors access to view that information. That may allow for compliance even though your subcontractors may not be compliant with the requirements.

Okay. And then the last question was, did I hear it said just now that a contracting officer could add CMMC to an existing contract?

You heard that correctly. The rules are not specific about that, but if you look at the preamble, the quotes that were in the slides, I at least read that to mean that contracting officers can add CMMC to existing contracts. It's part of a bilateral modification. So they have to negotiate that with the company, and the company could say no, we refuse to include that clause in our contract. And depending on the marketplace, DoD may just say, okay, it is what it is, or they may say, we're not going to exercise this option, instead we'll just go with another company that actually has CMMC in place. So it's really important to understand the marketplace that you're in and ask, do my competitors have this requirement in their contract? You may not know this offhand, but people talk. Are my competitors in a position where they have gotten a CMMC assessment? And if my competitors have gotten a CMMC assessment and I have not, then the contracting officer has choices, and they can exercise those choices at that time.

Yeah, and actually, it's pretty interesting. I was doing a search for the clause, and I saw a whole bunch of modifications just adding that specific clause to DoD contracts. So that's interesting. I had a couple of other questions.
I know there are so many FAR rules, and they're open for public comment and things like that. And I'm always telling companies that if it affects them, they should comment.

Yeah. And comments are easy to file. It's essentially a web form. You can write up a few lines, right? If you think something needs to be said, obviously they'll pay more attention to submissions that are more detailed and give some reasoning, but you don't have to have a lawyer to do it. You could do it yourself, you could do it anonymously. I think you could do it anonymously anyway. I've had some clients actually hire us to file comments anonymously for them, where we draft them.

Yeah. And I think I have one more question. For a company that's dealing with commercial kitchen equipment bid projects, are we likely only dealing with FCI or CUI?

It depends. Great answer, right? It depends. And that dependency is, are you getting plans from the Department of Defense that show the layout of a base, for instance, where to put that equipment? If you are, then probably; if not, probably not. But it's impossible to say without more information. That's how I'd look at that.

Interesting. That sort of makes sense, actually, because I was sort of wondering why a lot of the construction contracts also have CMMC and things like that. And you don't want your enemies to know the layout of a building on a base or something like that, right?

Right. Yeah. It's not something that comes to mind right away.

Yeah. No. I don't think we have any other questions. This has been super informative. This is Eric's contact information, and he is on LinkedIn, so please reach out. Thank you so much for this wonderful webinar, and talk to you soon.

Thank you. Appreciate it. Thank you.
2025 has seen a slew of new changes to the federal contracting space, including the launch of the Cybersecurity Maturity Model Certification program and the launch of the new Federal Acquisition Regulation. In the webinar, government contracts attorney Eric Crusius will tackle two of the biggest issues facing government contracts today and break down the practical impacts of both.