2023 promises to be a pivotal year for cybersecurity in government contracts. In addition to implementing the Cybersecurity Maturity Model Certification (CMMC) program, new regulations for private contractors are being introduced, including new cybersecurity regulations from the U.S. Department of Homeland Security (DHS). In addition, an update to the major standard, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is due for his 2023. Regulatory Supplement (DFARS) 252.204-7012, 252.204-7019, and 252.204-7020.
Central to all of this is the definition of controlled unclassified information (CUI). The CUI definition provides for contractor and government obligations under CMMC and various DoD regulations, as well as upcoming civilian requirements. The 2022 National Defense Authorization Act (NDAA) should have clarified the definition of CUI, which we should see in 2023.
The 2023 NDAA also includes updates to cybersecurity requirements and priorities. We will discuss this at a later date. With that in mind, let’s take a look at what to expect next year.
new civil requirements
Department of Defense contractors that process, store, create, or transmit CUI have long had to comply with the standards outlined in NIST SP 800-171. Private contractors, on the other hand, had to comply with the less stringent standards outlined in FAR 52.204-21. A new draft rule, not yet published, could adjust the standard and require private contractors to comply with his NIST 800-171. The proposed rule is already under review by the Office of Information and Regulatory Affairs (OIRA) in August 2022, the final stage of many regulatory requirements. Due to issues identified by OIRA, the regulator is further revising the proposed rule. The FAR case is 2017-016 and the latest status is available online.
New DHS requirements
DHS published its proposed cybersecurity regulations in January 2017, and those regulations have since been revised. OIRA received the final rules for review and publication on August 15, 2022, so you can publish at any time. As a refresher, the proposed convention is:
- Expand the scope to include contractor-owned and contractor-operated systems, or any situation in which contractor and/or subcontractor employees may have access to CUI. The current version of the regulation “applies only to all or part of a contract involving information technology resources or services that require the contractor to have physical or electronic access to confidential information contained in DHS’ unclassified systems.” increase.”
- Provides new requirements for handling CUI. The proposed provision links to DHS standards, which DHS may change at any time.
- We request a new authority to operate standards for operators of the DHS system.
- Develop security reporting requirements for new incidents: This includes the requirement to report incidents within 8 hours or 1 hour, depending on the type of information involved. In addition, contractors must grant DHS (and third-party contractors) access to systems of related contractors affected by the incident. Incidents should be reported to the DHS Component Security Operations Center as well as the Contracting Officer and Contracting Officer representatives. If personally identifiable information is involved, there are other requirements, such as credit monitoring of affected individuals.
Cybersecurity updates are not complete without verifying CMMC status. A Pentagon official has long said the CMMC program he expects to be beefed up by summer 2023. Yet, for contractors dealing with CUI, the requirement to implement controls under NIST SP 800-171 has existed for many years, and even with significant changes to the CMMC program, These requirements are not expected to change. Either way, we should expect the following soon.
- Rulemaking (Q1 or Q2) from DOD that can initiate a CMMC program.It is still unclear whether it will be a proposed rule or a final interim rule
- CMMC Assessment Process (CAP) Updated for Q1 2023 by Matt Travis, President, Cyber Accreditation Body
- Defense Industrial Base Cybersecurity Evaluation Center Continues Initial CMMC Certification Review in Partnership with Third-Party Cybersecurity Evaluation Institute
Updated NIST SP 800-171
As mentioned above, a revised version of NIST SP 800-171 will be published soon. In Fall 2022, NIST released an update stating that the first public draft of SP 800-171, Revision 3, is scheduled for late Spring 2023.
- Updates security requirements for alignment and alignment with SP 800-53, Revision 5 (includes comprehensive language updates), and SP 800-53B moderate impact baseline.
- Create CUI overlays (supplemental appendices to existing security requirements catalogs) to link CUI security requirements to SP 800-53 controls and get feedback from stakeholders
- Review options and make suggestions on how best to address stakeholder feedback on [Non-Federal Organization] Adjusting NFO Control
When DOD migrated from CMMC 1.0 to CMMC 2.0, the custom DOD controls were removed. It is not yet known if these controls will be added to future versions of NIST SP 800-171.
Additional Cybersecurity Information Sharing
The Department of Defense is currently running a Cyber Incident Information Sharing Program limited to classified programs. In a proposed rule set to be released in May 2023, the DOD proposes expanding the scope of the program to contractors who “process, store, develop, or transfer” his CUI from the DOD.
Risk of continuation of false claims
The U.S. Department of Justice released a new Civil Cyberfraud Initiative around the same time CMMC 2.0 was released, announcing that non-CUI contractors would be allowed to self-certify compliance with cybersecurity standards. It wasn’t a coincidence. In case you missed it, the initiative targets contractors who do not meet contract standards or report cybersecurity standards. ie:
A press release about the initiative touted the following benefits of the program:
- Building broad resilience to cybersecurity intrusions across government, public sector and key industry partners
- Imposing promises on contractors and grantees to protect government information and infrastructure
- Support the efforts of government experts to identify, create and publish timely patches for vulnerabilities in commonly used information technology products and services
- Ensure that companies that invest in meeting cybersecurity requirements are not at a competitive disadvantage in accordance with regulations
- Reimburse governments and taxpayers for losses incurred when companies fail to meet their cybersecurity obligations
- Improving overall cybersecurity practices to benefit governments, private users, and the American people
Additionally, as currently structured, CMMC’s basic self-certification level (Level 1) requires contractors to undergo extensive verification procedures.
All of the above lead to increased risk for parties or contractors in civil fraud cases brought by the federal government.
We will provide updates as the above cybersecurity developments (and other developments not listed here) become available.