October 2020

Mandatory Cyber Standards - part two

Implementation of mandatory cyber security standards by the US Department of Defense could adversely impact UK businesses' ability to trade with it.

Back in August this year I warned about the impending implementation of the Cybersecurity Maturity Model Certification (CMMC) version 1.1, a unified standard for implementing minimum cybersecurity requirements for non-classified data across the entire US Department of Defense (“DoD”) supply chain of some 300,000 companies.

On 29th September, the DoD announced the interim rule implementing the CMMC program and set out an interim certification process that applies before contractors undergo a full CMMC review.

The interim rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) and brings in as law the phased implementation of both a newly required assessment methodology and the CMMC framework. It becomes effective on the 30th November 2020, although full implementation of CMMC will not be achieved until 2025.

So what does this mean?

With effect from 30th November 2020, a Prime Contractor will need to have submitted its own self-assessment of its compliance with NIST SP 800-171 using the DoD’s own 36 page Assessment Methodology. For more detail of the methodology go to:

https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html

To do this they will also need to have reviewed both their own and their sub-contractors' compliance with NIST SP 800-171.

If the Prime Contractor fails to submit the self-assessment they will not be eligible to win any DoD contracts, or even work on modifications to existing contracts.

The worrying issue is that this requires self-assessment of compliance, or non-compliance, with the 110 controls in the NIST program, which goes far beyond the UK Cyber Essentials programme and is at best only equivalent to the lowest level of CMMC accreditation.

Potential Historic Liability

For over 3 years DoD contracts have contained a provision that all contractors (and therefore their sub-contractors) must comply with NIST, and full compliance is highly unlikely, especially in Europe, where legally enforceable cyber security standards are much lower.

In addition, there are concerns about sharing sensitive defence data, even between Allies, and about the DoD’s ability to insist that a contractor gives it access to the contractor's facilities, systems and personnel to conduct its own assessments.

If, as is likely, the self-assessment reveals shortfalls in compliance with NIST, this could lead to claims under the US False Claims Act against contractors, including sub-contractors, for failing to comply with the NIST requirements, with substantial damages awarded under the Act, as well as potential shareholder actions.

Next steps

Some had hoped the US Presidential election process would delay this move, but that hasn’t happened.

This makes it even more important that anyone who supplies Defence-related companies reviews and documents their cyber security policies and procedures, including checking their own supply chains' policies, to the required level.

More widely, be aware that the move to higher enforceable cyber security standards in the US has only just begun. Other Federal agencies with big budgets are also making noises about following the DoD’s lead on cyber security.

For more information on this, or if you need any assistance or further information, please contact a member of our Technology and Innovation Team.

Please note this paper is intended to provide general information and knowledge about legal developments and topics which may be of interest to readers. It is not a comprehensive analysis of law nor does it provide specific legal advice. Advice on the specific circumstances of a matter should be sought.