The Cybersecurity Maturity Model Certification (CMMC) Program – Defense Contractors Must Rapidly Prepare and Implement

The Department of Defense (DoD) has officially launched the Cybersecurity Maturity Model Certification (CMMC) Program, which requires federal contractors and subcontractors across the Defense Industrial Base (DIB) to comply with strict cybersecurity standards. The CMMC program aims to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD contracts from evolving cyber threats by requiring defense contractors to implement comprehensive cybersecurity controls. The CMMC Program, which must be confirmed by contracting officers, moves beyond the prior self-assessment model for many contractors to a certification-based approach verified by DoD-approved third-party assessors known as CMMC Third Party Assessor Organizations (C3PAOs).

This client alert outlines the key elements of the CMMC program, providing a detailed analysis of the new certification requirements, timelines for implementation, and practical steps contractors can take to prepare for compliance.

CMMC Overview and Purpose

The CMMC Program represents the DoD’s commitment to ensuring that companies handling FCI and CUI meet stringent cybersecurity standards. The program was developed in response to increasing cyber threats targeting the defense supply chain and is designed to verify that defense contractors and subcontractors have implemented the necessary security measures to safeguard sensitive information.

The CMMC Program consists of three levels of certification, with each level representing an increasing set of cybersecurity controls. The certification levels correspond to the type of information handled by the contractor, with higher levels required for contractors handling more sensitive information, such as CUI.

The DoD officially published the CMMC final rule on October 15, 2024, establishing the CMMC Program within federal regulations. The rule will be effective 60 days after publication, marking a significant milestone in the program’s rollout. DoD expects to publish the final rule amending the DFARS to add CMMC requirements to DoD contracts in early 2025. Contractors that fail to meet CMMC requirements will be ineligible for DoD contracts that involve FCI or CUI and could face significant penalties if they inappropriately attest to compliance.

The overall scope of the CMMC rule is relatively clear; however, some key elements are ambiguous and, in some cases, may require careful consideration. Before starting any formal assessment process, we recommend an internal gap assessment, ideally conducted under legal privilege, to allow sufficient time to address shortfalls in technical controls or governance. Implementing a CMMC-type program typically takes many months, and we strongly recommend that clients begin this process soon if they have not already started; it is now unquestionably a requirement to do business with the DoD.

CMMC Certification Levels

The CMMC Program features three certification levels that contractors must achieve depending on the nature and sensitivity of the information they handle:

Level 1 (Self-Assessment)

Contractors at this level must meet 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) 52.204-21. These requirements focus on protecting FCI, which refers to information not intended for public release but necessary for performing the contracted services. A self-assessment is sufficient to achieve certification at this level.

Level 2 (Self-Assessment or Third-Party Assessment)

Contractors handling CUI must meet 110 security controls specified in NIST Special Publication (SP) 800-171. CUI includes unclassified information that requires safeguarding or dissemination controls according to federal regulations. To achieve certification, contractors at this level can conduct a self-assessment or engage a C3PAO. Most defense contracts involving CUI will require third-party assessments to verify compliance.

Level 3 (Third-Party Assessment by DIBCAC)

Contractors supporting critical national security programs or handling highly sensitive CUI must achieve Level 3 certification. This level adds 24 security controls from NIST SP 800-172 to protect CUI from advanced persistent threats. The Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3 contractors. This is the most stringent level of certification and is reserved for contractors working on the most sensitive programs.

Each certification level builds upon the previous one, with Level 3 being the most comprehensive. Certification is valid for three years, after which contractors must be reassessed.

Certification Process and Assessment Requirements

Contractors seeking certification must undergo an assessment process that varies depending on the level of certification they are targeting. For Levels 1 and 2, contractors may conduct self-assessments. However, third-party assessments are required for most contracts at Level 2 and all contracts at Level 3. The assessment process includes several key steps:

Self-Assessment (Level 1 and Level 2 (Self))

Contractors at Level 1 or Level 2 (Self) must perform an internal assessment of their cybersecurity practices and submit their results to the Supplier Performance Risk System (SPRS). This system is the DoD’s centralized repository for contractor cybersecurity assessments. Contractors must affirm their compliance annually to maintain their certification status.

Third-Party Assessment (Level 2 (C3PAO) and Level 3 (DIBCAC))

For higher-level certifications, contractors must engage a certified C3PAO to conduct an independent assessment of their compliance with the applicable security controls. For Level 3 certifications, assessments will be performed by the DIBCAC. These assessments will involve reviewing the contractor’s cybersecurity practices, examining documentation, and conducting interviews to verify that the contractor has implemented the necessary controls.

Plan of Action and Milestones (POA&M)

Contractors that do not meet all of the required security controls during their assessment may develop a POA&M. This document outlines the steps the contractor will take to address any deficiencies. Contractors have 180 days to close out their POA&M, after which they must undergo a follow-up assessment to verify that all deficiencies have been addressed. If the contractor fails to meet the requirements within the 180-day window, their conditional certification will expire, and they will be ineligible for future contract awards.

Affirmation

After completing an assessment and addressing any deficiencies, contractors must submit an affirmation of compliance to SPRS. This affirmation must be submitted annually to maintain certification, even if a third-party assessment is only required once every three years.

Integration of CMMC in DoD Contracts

The CMMC Program will be integrated into DoD contracts through a phased implementation process. The program will initially apply to a limited number of contracts, but it will eventually become a requirement for all contracts involving FCI and CUI. The implementation will occur in four phases:

Phase 1 (Early 2025)

Following the publication of the final DFARS rule, CMMC requirements will be introduced in select solicitations. Contractors bidding on these contracts must meet the required CMMC level to be eligible for contract awards.

Phase 2

One year after the start of Phase 1, additional contracts requiring CMMC certification will be released. Contractors at this stage must meet Level 2 certification if handling CUI.

Phase 3

A year after the start of Phase 2, more contracts, including those requiring Level 3 certification, will include CMMC requirements.

Phase 4 (Full Implementation)

The final phase, expected to occur by 2028, will fully implement CMMC requirements across all applicable DoD contracts. From this point forward, contractors must meet the required CMMC level as a condition of contract award, exercise of option periods, and contract extensions.

Flow-Down Requirements for Subcontractors

CMMC requirements will apply to prime contractors and their subcontractors. Prime contractors must ensure that their subcontractors meet the appropriate CMMC level. This flow-down requirement will impact the entire defense supply chain, as subcontractors handling FCI must achieve at least Level 1 certification, and those handling CUI must achieve Level 2.

Subcontractors must be certified before the prime contractor can award them subcontracts. Prime contractors will be responsible for verifying that their subcontractors hold the necessary CMMC certification.

Temporary Deficiencies and Enduring Exceptions

The CMMC Program allows for limited flexibility in cases where contractors cannot meet all of the required security controls. Two key mechanisms provide this flexibility:

Temporary Deficiencies

Contractors may temporarily fall short of compliance with specific security controls, provided they document the deficiency in a POA&M and work toward remediation. These temporary deficiencies must be addressed within 180 days to maintain certification. Failure to close out POA&Ms within the required timeframe will result in the expiration of the contractor’s conditional certification status.

Enduring Exceptions

In some cases, contractors may be granted an enduring exception for specific security controls that are not feasible to implement due to the nature of the system or equipment being used. For example, medical devices or specialized test equipment may not support all cybersecurity controls required by the CMMC Program. In these cases, contractors can document the exception in their System Security Plan (SSP) and work with the DoD to determine appropriate mitigations.

Compliance Obligations and Contractual Penalties

The DoD has made it clear that failure to comply with CMMC requirements will have serious consequences for contractors. Noncompliant contractors will be ineligible for contract awards. Moreover, the Department of Justice’s Civil Cyber-Fraud Initiative looms menacingly in the background, as it actively pursues False Claims Act actions against defense contractors for alleged failures to comply with cybersecurity requirements in the DFARS. In addition, the DoD reserves the right to investigate contractors that have achieved CMMC certification to verify their continued compliance. If an investigation reveals that a contractor has not adequately implemented the required controls, the contractor may face contract termination and other contractual remedies.

Preparing for CMMC Certification

Given the far-reaching implications of the CMMC Program, contractors and subcontractors should begin preparing for certification as soon as possible. As an initial step, an internal, confidential gap assessment is highly advisable, preferably done under legal privilege, to fully understand both past and current shortfalls in compliance with existing cybersecurity requirements that will now be more fully examined in the CMMC process. Key steps include:

Assess Current Cybersecurity Posture

Contractors should conduct an internal assessment of their current cybersecurity practices against the CMMC requirements. This will help identify any gaps and areas that need improvement before seeking certification.

Develop an SSP

Contractors handling CUI must develop and maintain an SSP that outlines how they will meet the security controls specified in NIST SP 800-171. This document will serve as the foundation for both internal and third-party assessments.

Engage a C3PAO

Contractors at Level 2 (C3PAO) and Level 3 must identify and engage a certified C3PAO to conduct their assessments. Given the anticipated demand for assessments, contractors should begin this process early to avoid delays.

Prepare a POA&M

For contractors that do not meet all required controls at the time of assessment, developing a POA&M will be crucial to addressing deficiencies within the required 180-day window.

Review Subcontractor Compliance

Prime contractors must review their subcontractors’ compliance with CMMC requirements and ensure they hold the appropriate certification level. This flow-down requirement will impact the entire defense supply chain.

Conclusion

The CMMC Program marks a significant shift in how the DoD oversees cybersecurity risk within its defense supply chain. While DoD contractors that handle CUI have had contractual obligations to comply with the NIST SP 800-171 requirements since January 1, 2018, the addition of third-party assessments and more stringent security controls for Level 3 contracts aims to improve the overall cybersecurity posture of contractors handling FCI and CUI. Contractors that fail to comply with CMMC requirements risk losing eligibility for DoD contracts, which could result in substantial business losses.

Given the phased implementation of the program, contractors must act now to assess their cybersecurity practices, engage with certified third-party assessors, and ensure compliance with the new requirements. Proactive planning and preparation will be key to maintaining eligibility for future DoD contracts.

Federal Contractors Beware – More Data Disclosures Coming!

On October 29, 2024, the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) published a Freedom of Information Act (FOIA) notice, inviting federal contractors to respond to FOIA requests that the OFCCP received relating to federal contractors’ 2021 Type 2 EEO-1 Consolidated Reports. These reports, required of federal contractors and subcontractors with at least 50 employees, contain data critical to the government’s diversity efforts consistent with anti-discrimination mandates under Title VII and Executive Order 11246. Contractors have previously relied on FOIA Exemption 4 to protect against disclosing sensitive commercial information that could impact competitive positioning, but in late December 2023, as previously reported here, a federal court ruling concluded that certain demographic data did not qualify as confidential under FOIA Exemption 4. That court decision may spur an increase in FOIA requests for EEO-1 reporting information.

Contractors who wish to object to the disclosure of their EEO-1 reporting information must do so via OFCCP’s online portal, email, or mail on or before December 9, 2024. Per the OFCCP’s notice, contractors can object to releasing their 2021 EEO-1 Type 2 data by providing evidence showing the data satisfies FOIA Exemption 4. To do this, contractors should:

  • Specifically identify the objectionable data;
  • Explain why this data is commercial or competitive to render it confidential;
  • Outline the processes the contractor has in place to safeguard the data;
  • Identify any prior assurances or expectations that the data would remain confidential; and
  • Detail the damage that would occur if the data were disclosed, supported by an assessment of how disclosure would impact business operations.

In addition to raising timely objections to disclosure of data, contractors should also implement clear policies to maintain a consistent approach to data confidentiality. Specifically, contractors should be thoughtful and consistent as to how they define confidential information and the protection measures they take related to such information.

FOIA requests and court decisions in this space will likely continue to make striking a balance between government transparency and protecting contractors’ confidential business information more difficult. To navigate these changes, federal contractors should remain vigilant by staying informed, preparing objections to FOIA requests, and consulting with legal counsel to ensure compliance with this evolving area of law.

Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0

Level     Model                                                     Assessment
Level 3   134 requirements based on NIST SP 800-171 and 800-172     Triennial government-led assessment and annual affirmation
Level 2   110 requirements aligned with NIST SP 800-171             Triennial third-party assessment and annual affirmation; triennial self-assessment and annual affirmation for select programs
Level 1   15 requirements                                           Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out of 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the qualifier “in performance of the DoD contract” does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

TEMPORARY AND ENDURING EXCEPTIONS

DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” Proposed DFARS 204.7503(b)(4). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in Title 32 of the C.F.R. establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

DEFINITION OF SECURITY PROTECTION DATA

In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

DIBCAC ASSESSMENTS

For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an organization seeking assessment (OSA). The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

    CSPS AND ESPS

    Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

    First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

    Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

    Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with Payment Card Industry Data Security Standards (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

    APPLICABILITY TO SUBCONTRACTORS

    The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

    MISREPRESENTATION AND FALSE CLAIMS ACT RISK

    Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

    Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

    THE ELEPHANT (STILL) IN THE ROOM

    The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

    CONCLUSION

    The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

    But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

Pay-When-Paid Provisions Still Unenforceable in New York State

While New York State’s Prompt Payment Act (“PPA”) provides a potential workaround for the invalid pay-when-paid provisions that appear in many construction contracts, a recent decision from the State’s Appellate Division narrows, if not closes, that loophole.

In the construction industry, it is common for a general contractor to include “pay-when-paid” or “pay-if-paid”1 clauses in its contracts with subcontractors, essentially allowing the general contractor to avoid paying its subcontractors for their work until it receives payment from the owner and forcing subcontractors to assume the risk that the owner will fail to pay the general contractor. In 1995, New York State’s highest court in West-Fair Electric Contractors v. Aetna Casualty & Surety Co. invalidated such practice, declaring that pay-when-paid provisions are void and unenforceable as contrary to public policy. 87 N.Y.2d 148, 159 (1995). The Court found that pay-when-paid provisions prevent a subcontractor from enforcing its rights under New York State’s Lien Law because if the owner failed to pay the general contractor, then payment to the subcontractor would never be due, which is a “necessary element of the subcontractor’s cause of action to enforce its lien against the owner.” Id.; see also N.Y. Lien Law § 34 (holding that “[n]otwithstanding the provisions of any other law, any contract, agreement or understanding whereby the right to file or enforce any lien created under article two is waived, shall be void as against public policy and wholly unenforceable”).

Despite the holding in West-Fair, contractors continue to include pay-when-paid in contracts, and until recently the PPA offered a workaround to validate these seemingly invalid provisions.

In 2002, the New York State Legislature passed the PPA in order to facilitate the prompt payment to contractors and subcontractors. N.Y. Gen. Bus. Law § 756-a. The PPA contains a provision, however, that seems to provide an alternative to the disallowed pay-when-paid provision in construction contracts. Section 756-a(3)(b)(i) states:

Unless the provisions of this article provide otherwise, the contractor or subcontractor shall pay the subcontractor strictly in accordance with the terms of the construction contract. Performance by a subcontractor in accordance with the provisions of its contract shall entitle it to payment from the party with which it contracts. Notwithstanding this article, where a contractor enters into a construction contract with a subcontractor as agent for a disclosed owner, the payment obligation shall flow directly from the disclosed owner as principal to the subcontractor and through the agent.

N.Y. Gen. Bus. Law § 756-a(3)(b)(i) (emphasis added).

While the provision does clearly state in its second sentence that a subcontractor is entitled to payment “from the party with which it contracts,” the third sentence concerning agency seems to provide a way around the West-Fair Court’s clear mandate that pay-when-paid provisions are void, as long as the contractor is acting as an “agent for a disclosed owner.” Id. In that situation, the PPA arguably mandates that the payment obligation to the subcontractor flows directly from the owner, and not the general contractor. This principal-agent relationship is merely a reflection of the common law rule that an agent for a disclosed principal “will not be personally bound unless there is clear and explicit evidence of the agent’s intention to substitute or superadd his personal liability for, or to, that of his principal.” Mencher v. Weiss, 306 N.Y. 1, 4 (1953). Theoretically, the agency exception should not impair a subcontractor’s Lien Law rights because it can still file and enforce a mechanic’s lien, but it shifts the responsibility for payment from the general contractor to the owner, giving the general contractor a defense to the subcontractor’s nonpayment claims.

Until recently, not much has been said about the PPA’s agency provision. In March 2022, however, New York’s Appellate Division in Bank of America, N.A. v. ASD Gem Realty LLC rejected a general contractor’s claim that it was acting as an “agent for a disclosed owner” pursuant to § 756-a(3)(b)(i), holding that the general contractor was liable to the subcontractor regardless of whether or not the owner had paid the general contractor. 205 A.D.3d 1, 8-12 (1st Dep’t 2022). In that case, an owner (ASD Gem Realty LLC and ASD Diamond Inc., together “ASD”) hired a general contractor (Sweet Construction Corp. or “Sweet”) to perform construction and renovation work at its property. Id. at 3. ASD solicited proposals for the installation of partitions for the project and selected plaintiff Arenson Office Furnishings, Inc. (“Arenson”), who then entered into a subcontract with Sweet. Id. The subcontract provided that “[a]ll work to be performed pursuant to the ATTACHED SCOPE LETTER . . . and ‘SCC General Requirements.’” Id. at 4 (alterations in original). The Scope Letter contained the following clause: “Subcontractor understands that Contractor is acting as an agent for the Owner, and agrees to look only to funds actually received by the Contractor (from the Owner) as payment for the work performed under this Subcontract.” Id.

As it so happened, ASD ran into financial difficulties and Arenson did not receive payment from either ASD or Sweet. Id. at 5. While Arenson filed a mechanic’s lien against the property and commenced a lien foreclosure action, there was no surplus available to pay either Sweet or Arenson after the construction lender obtained a judgment of foreclosure and conducted a foreclosure sale of the property. Id. Arenson then filed a complaint against Sweet for violation of the PPA, claiming Sweet failed to pay Arenson for the stated reason that Sweet had not been paid by ASD. Id.

In response, Sweet argued that it was not liable to Arenson because Sweet was acting as an agent for ASD; Sweet was merely complying with ASD’s directive to hire Arenson. Id. Sweet claimed ASD told Sweet that ASD would be responsible for paying Arenson and, citing the subcontract’s payment language, claimed that Arenson could only expect payment from ASD, not Sweet. Id. Sweet also relied on § 756-a(3)(b)(i) of the PPA, arguing that pursuant to the third sentence, Sweet was only an agent for a disclosed owner and therefore was exculpated from personal liability. Id. at 6. Sweet argued that the agency provision of this section negated the second sentence of the provision (entitling the subcontractor to payment from “the party with which it contracts”). Id. (quoting N.Y. Gen. Bus. Law § 756-a(3)(b)(i)).

The lower court rejected those arguments, holding that the subcontract language was an unenforceable pay-when-paid clause and that the exception in the PPA at § 756-a(3)(b)(i) clearly provides (in its second sentence) that a subcontractor is entitled to payment “from the party with which it contracts” (and Sweet contracted with Arenson). Id. The lower court also explained that the PPA and related case law demonstrate that an unpaid subcontractor is entitled to multiple sources of payment, perhaps explaining any conflict between the second and third sentence of § 756-a(3)(b)(i). Id. at 6.

The Appellate Division in turn held that the lower court correctly determined that Sweet was not an agent for an undisclosed principal. Id. at 7. The Court relied on the fact that the signature line in the subcontract did not “indicate that Sweet signed the contract as agent on behalf of a disclosed principal or reflect any limitations,” and that the referenced SCC General Requirements included indemnifying Sweet, obtaining liability insurance in Sweet’s favor, and recognizing Sweet’s authority to issue safety violations and correct unsafe conditions. Id. at 7-8. The Court “reject[ed] Sweet’s attempt to divide a single contract into one that creates an agency for purposes of payment but not for any other purpose,” reaffirming “that the ‘dual roles’ of general contractor and agent are inconsistent.” Id. at 8 (quoting Blandford Land Clearing Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, Pa., 260 A.D.2d 86, 95 (1st Dep’t 1999)).

As for the PPA, the Court also held that § 756-a(3)(b)(i) was inapplicable because, as explained, Sweet was not ASD’s agent and its interpretation of that provision “overlooks the entire purpose of the PPA and turns the statute on its head.” Id. at 11. The Court explained that the provision is actually designed to provide the subcontractor “with the panoply of statutory benefits and remedies that ordinarily would have inured to the contractor had the contractor acted on its own behalf, instead of as the owner’s agent,” and therefore, the “subcontractor is entitled to all of the article’s benefits and remedies that would have ordinarily flowed to the contractor.” Id. at 11-12. The Court pointed out that the principles of West-Fair applied to this case as well, even if West-Fair did not involve an agent relationship, because the central issue in both cases was forcing a subcontractor to assume the risk of an owner’s failure to pay its contractor. Id. at 12.

Therefore, despite clear language that Sweet was acting as an agent for the Owner, and despite Arenson’s agreement “to look only to funds actually received by the Contractor (from the Owner) as payment for the work performed under this Subcontract,” id. at 4, the Court found that this PPA exception to otherwise invalid pay-when-paid clauses did not apply.

In sum, contractors should be wary when attempting to use § 756-a(3)(b)(i) in conditioning payment to a subcontractor on payment from an owner, especially if the contractor is really just trying to separate its payment obligations from its general contracting responsibilities. Thus far, it appears New York State courts will not be sympathetic to such an arrangement, despite any potential carve out in the PPA.


© 2022 Phillips Lytle LLP


FOOTNOTES

1 While there is a difference between “pay-when-paid” and “pay-if-paid,” for purposes of this article, the two phrases are used interchangeably to mean a condition in a contract in which payment by the contractor to the subcontractor is contingent on the owner first paying the contractor. See Bank of Am., N.A. v. ASD Gem Realty LLC, 205 A.D.3d 1, 6 n.3 (1st Dep’t 2022).

The Intersection of the Bipartisan Infrastructure Law and Davis-Bacon Act Requirements for Federal Contractors and Subcontractors

On November 15, 2021, President Joe Biden signed the $1.2 trillion Infrastructure Investment and Jobs Act into law, which is popularly known as the Bipartisan Infrastructure Law (“BIL”).

The BIL is estimated to create an additional 800,000 jobs.  The United States Department of Labor (“DOL”) contends that such new jobs will “expand the middle class, revitalize our nation’s transportation, communications and utility systems and build a more resilient, reliable, and environmentally sound future.”  The White House asserts that the BIL will provide protection to “critical labor standards on construction projects,” as a substantial portion of the construction projects included in the BIL will be subject to requirements of the Davis-Bacon Act (“DBA” or the “Act”).

While the BIL provides new revenue sources and opportunities for construction projects, federal contractors and subcontractors should ensure that their businesses comply with the DBA’s prevailing wage rates and labor standards requirements.

Scope and Coverage of DBA

In its simplest form, the DBA, enacted in 1931, requires federal contractors and subcontractors to pay prevailing wage rates and fringe benefits to certain construction workers employed on certain federal contracts.  The DOL’s Wage and Hour Division (“WHD”) administers and enforces the Act’s requirements on federally funded and assisted construction projects.  The DBA applies to contracts:

  1. To which the Federal Government or the District of Columbia is a party;

  2. For the construction, alteration, or repair, such as painting and decorating, of public buildings and public works to which the Federal Government or the District of Columbia is a party;

  3. Involving the employment of mechanics, laborers, and other workers that engage in manual or physical labor (except for individuals performing administrative, clerical, professional, or management work such as superintendents, project managers, engineers, or office staff); and

  4. Which are in excess of $2,000.

With respect to the DBA applying to federal contracts above $2,000, this value threshold only applies to the initial federal contract.  If the threshold is met, however, then the DBA applies to any lower-tier subcontracts even if the value of the subcontract is less than $2,000.

Requirements for Contractors and Subcontractors

There are various requirements for federal contractors and subcontractors under the DBA, which the United States Supreme Court has described as “a minimum wage law designed for the benefit of construction workers.”  The Act was designed to protect construction workers’ wage standards from federal contractors who may base their contract bids on wage rates that are lower than the local wage level.  Under the DBA, federal contractors and subcontractors are required, among other things, to do the following:

  1. Pay covered workers who work on the work site the prevailing wage rates and fringe benefits that are listed in the applicable wage determinations, which are provided by the WHD (the prevailing wage rate consists of both the basic hourly rate of pay and any fringe benefits to bona fide third-party plans, which may include medical insurance; life and disability insurance; pensions on retirement or death; compensation for injuries or illness resulting from occupational activity; or other bona fide fringe benefits – bona fide fringe benefits, however, do not include payments made by employer contractors or subcontractors that are required by other federal, state, or local laws such as required contributions to unemployment insurance);

  2. Maintain accurate payroll records for employees that must be submitted to the contracting agency on a weekly basis (within seven days following the regular pay date for the particular workweek), which must include the following for covered employees: (i) name; (ii) classification; (iii) daily and weekly hours worked; and (iv) deductions made and actual wages paid (there are additional recordkeeping requirements for federal contractors who employ apprentices or trainees under approved DOL programs);

    • Federal contractors and subcontractors are also required to preserve the payroll records for three years following the completion of the covered work, provide accessibility to the records upon request by the DOL or its representatives, and allow the DOL or its representatives to interview employees during work hours.

    • Federal contractors and subcontractors can use the WHD’s Form WH-347 to satisfy the weekly reporting requirements.

  3. With respect to prime or general contractors, they must ensure that specific contract clauses and the applicable wage determinations are inserted into any lower-tier subcontracts (the contract clauses cover the following: (i) construction wage rate requirements; (ii) withholding of funds; (iii) payrolls and basic records; (iv) apprentices and trainees; (v) compliance with requirements under the Copeland Act; (vi) requirements for subcontracts; (vii) contract termination – debarment; (viii) compliance with construction wage rate requirements and related regulations; (ix) disputes concerning labor standards; and (x) certification of eligibility); and

  4. Post a notice of the prevailing wages as to every classification of worker and an “Employee Rights under the DBA” poster in a prominent location that is easily accessible to the covered workers at the work site.

Practical Consideration in Compliance with DBA

Federal contractors and subcontractors should ensure that covered workers are properly classified for the work such individuals perform and paid in accordance with the prevailing wage rate for their classification.

Employers will often face recordkeeping challenges when they have nonexempt employees who perform covered (manual) work and non-covered (administrative) work in the same workweek.

In such instances, the employer must determine whether the employee is salaried or paid hourly.  If the employee is salaried, the employer must determine whether the employee’s salary is greater than or equal to the prevailing wage rate for the employee’s classification.  If not, the employer contractor is required to increase the employee’s pay for the week the covered work is performed.

Likewise, if the employee is paid hourly, then the employer must ensure the employee’s hourly rate is greater than or equal to the prevailing wage rate for the employee’s classification.

Federal contractors and subcontractors could face various consequences due to their failure to comply with the DBA, ranging from termination of the federal contract and debarment to a contracting agency withholding money due to the contractor to cover back wages due to employees as well as criminal prosecution.  Accordingly, federal contractors and subcontractors should consult with legal counsel to ensure they comply with the various DBA requirements for any covered contracts.

© 2022 Ward and Smith, P.A. All Rights Reserved.

If You Can’t Stand the Heat, Don’t Build the Kitchen: Construction Company Settles Allegations of Small Business Subcontracting Fraud for $2.8 Million

For knowingly hiring a company that was not a service-disabled, veteran-owned small business to fulfill a set aside contract, a construction contractor settled allegations of small business subcontracting fraud for $2.8 million.  A corporate whistleblower, Fox Unlimited Enterprises, brought this misconduct to light.  We previously reported on the record-setting small business fraud settlement with TriMark USA LLC, to which this settlement is related.  For reporting government contracts fraud, the whistleblower will receive $630,925 of the settlement.

According to the allegations, the general contractor and construction company Hensel Phelps was awarded a General Services Administration (GSA) contract to build the Armed Forces Retirement Home’s New Commons/Health Care Building in Washington, D.C.  Part of the contract entailed sharing the work with small businesses, including service-disabled, veteran-owned small businesses (SDVOSB).  The construction contractor negotiated all aspects of the contract with an unidentified subcontractor and then hired an SDVOSB, which, according to the settlement agreement, Hensel Phelps knew was “merely a passthrough” for the larger subcontractor, thus creating the appearance of an SDVOSB performing the work on the contract to meet the set-aside requirements.  The supposedly SDVOSB subcontractor was hired to provide food service equipment for the Armed Forces Retirement Home building.

“Set aside” contracts are government contracts intended to provide opportunities to SDVOSB, women-owned small businesses, and other economically disadvantaged companies to do work they might not otherwise access.  Large businesses performing work on government contracts are often required to subcontract part of their work to these types of small businesses.  “Taking advantage of contracts intended for companies owned and operated by service-disabled veterans demonstrates a shocking disregard for fair competition and integrity in government contracting,” said the United States Attorney for the Eastern District of Washington, as well as a shocking disregard for proper stewardship of taxpayer funds.

Whistleblowers can help fight fraud and protect taxpayers by reporting government contracts fraud.  A whistleblower can report government contracts fraud under the False Claims Act and become a relator in a qui tam lawsuit, from which they may be entitled to a share of the funds the government recovers from fraudsters.

© 2022 by Tycko & Zavareei LLP

Making a Claim against a Payment Bond Posted by a General Contractor or Sub-Contractor

In construction projects that are performed either on behalf of a municipality or a state agency, a general contractor and potentially a sub-contractor are typically required to post payment and/or performance bonds with the county or municipality. A general contractor or sub-contractor is required to post a payment and/or performance bond, because this ensures that sub-contractors or suppliers are paid, and enables the Township or state agency to have the work completed should the contractor fail to do so in a timely fashion. As a supplier or sub-contractor on such a municipal or state project, it is important to know your rights with regard to making a claim against a payment bond.

The most important thing that any sub-contractor or supplier must do prior to providing materials or services for a public contract is to provide the proper notice as required by N.J.S.A. 2A:44-145. This strict notice requirement specifies that the sub-contractor or supplier notify the party who posted the payment bond for the project in writing via certified mail of their intent to provide materials or services for the project. This is a prerequisite to being able to make a claim against the bond, or to receive payment for materials and services with regard to the project if they are not paid by the sub-contractor or general contractor. As such, it is very important that any sub-contractor or supplier provide the appropriate notice to the party that posted the bond prior to performing any work or providing any materials.

If proper notification has been sent and a sub-contractor or supplier did not receive payment for materials or services provided, they may make a claim against the bond posted by the general contractor or the sub-contractor. It is always suggested that a sub-contractor or supplier obtain a copy of the bond posted by the general contractor or sub-contractor before providing materials or services. This is to ensure that any claim against the bond is made in a timely manner and is not forfeited by failing to comply with the terms of the bond, which require that a claim be made within a certain specified period of time.

Assuming that you have complied with the time requirements of the bond, a sub-contractor or supplier would first send a Notice of Demand for Payment to the bonding company with a copy to the contractor who posted the bond. Typically, the bonding company will require the production of any and all documents which justify the payment sought by the claimant that was not tendered by the sub-contractor or general contractor. Upon receipt of this information, the bonding company will make a determination whether payment is due for the materials and services which were provided.

Article By Paul W. Norris of Stark & Stark

COPYRIGHT © 2015, STARK & STARK