Federal contractors face a major test over the next five years as the Department of Defense (DoD), and then likely the rest of the federal government, institute sweeping cybersecurity requirements for their contractors.
The Cybersecurity Maturity Model Certification, or CMMC, is what the DoD is calling its certification process that all DoD contractors must submit to by 2025. A recent solicitation issued by the General Services Administration also suggests that other agencies across the federal government could decide to adopt the CMMC standard.
Alex Gorelik, an associate at the Washington, DC, office of Smith, Currie & Hancock, is tracking the consequences for contractors and for surety bond producers.
Gorelik said that under the current timeline the DoD expects to issue 10 to 15 contracts in fiscal year 2021 (that is, beginning in the fall of 2020) that require compliance with the CMMC. CMMC-mandatory contracts will then accelerate quickly until all DoD contracts in FY 2026 are issued to CMMC-qualified contractors. Requirements for CMMC compliance at the General Services Administration (or other agencies) could well kick in during the middle of that timeframe, Gorelik said.
“As a company you need to be prepared to apply as soon as you can so you can be one of the first to get certified,” Gorelik said. “If you are interested in getting into the DoD space, that could certainly help you get your foot in the door.”
“The expectation is that you should apply at least six months before you need the certification in place. Start getting your ducks in a row. Make sure subcontractors and training partners are aware, sub and teaming agreements include the CMMC requirements, and internally you are compliant with everything or you know what you need to do to be ready for the certification.”
The classification requirements will run broad and deep through the contracting community. Compliance Forge, a federal compliance solutions firm, estimates that 300,000 contractors will be affected by CMMC, with compliance rules reaching even to the behavior of janitorial staff.
As a prime contractor, part of getting ready for the new CMMC world will mean including those requirements in subcontracting agreements. On the other hand, Gorelik said, not everyone in the supply chain will need the same level of certification or any certification at all. “The DoD has pointed out that subcontractors will not necessarily require the same CMMC level as the prime contractor on the project – it depends on what tasks the subcontractor actually handles.”
For example, companies that solely produce commercial off-the-shelf (COTS) items, such as some material suppliers, would not require this certification. “But if there are any companies providing service on the job or installation, they will need CMMC certification.”
The plan calls for several certified Third Party Assessment Organizations (C3PAOs), which will likely vary by region, to be responsible for assessing the compliance of individual contractors. But currently, Gorelik warns, no company is yet able to perform the certification function, despite some misleading advertising to the contrary.
He said the costs of certification will be allowed in DoD contracts, but it is unclear what this means in practice. Can a company bill for the steps taken or consultants paid to attain certification? Or can it bill for processing fees only?
Meanwhile, the complexity of navigating the requirements will vary greatly, depending on the contractor’s work and responsibilities.
“If you’re a company that doesn’t have a person who concentrates on cybersecurity already, then you may well need a consultant to manage this process,” he said. “It’s going to vary depending on just how prepared your company currently is for this next step.”
For more on this topic, read Gorelik’s article in the spring issue of Surety Bond Quarterly titled “DoD Will Require New Cybersecurity Standards in 2020: Could Other Agencies Be Next?”
Alexander Gorelik is an Associate at the Washington, DC office of the law firm of Smith, Currie & Hancock LLP. He advises construction companies on various government contracting issues and regulations, often using his prior experience as a Contracting Officer for the Department of Defense. Gorelik is a member of the bars of Maryland and the District of Columbia. He can be reached at AGorelik@smithcurrie.com or 202.735.2446.