CMMC Interim Final Rule change and more
Michael Irving
Sales Leader with over 20 years of experience working with SaaS start ups, established orgs looking to promote growth, and everything in between.
Two important updates to share: (1) CMMC timing, which is now imminent, and (2) Section 889 compliance, the often-overlooked “foreign technology” rule. While CMMC is top of mind for many, our focus is always on our clients’ total potential exposure, and we do not want to lose sight of other compliance requirements that are already in force.
First, some quick notes on CMMC:
CMMC Is Imminent – Earlier today we received confirmation, as anticipated, that CMMC will be effective in 2020. The DoD will be issuing an Interim Final Rule this year that amends the Defense Federal Acquisition Regulation Supplement (DFARS), which today imposes NIST SP 800-171 on contractors through clause 252.204-7012. Because it is an interim final rule, it takes effect as soon as it is issued; public comments are taken afterward rather than before it becomes effective. The rationale for the timing and approach is that the Defense Industrial Base is looking for certainty for planning and budgetary purposes. Given that CMMC preparation takes several months, we are all officially “on the clock.”
Regarding CMMC assessments, the first CMMC Level 1 certifications are expected to be available from the provisional assessors within the next few weeks, with Level 3 certifications expected in the fourth quarter.
For organizations that are struggling to determine which CMMC level they will need to achieve, and whether they handle Controlled Unclassified Information (CUI) at all, we are putting together a tool to help identify CUI and provide some guidance.
Section 889 – “Foreign Technology”
As we have more discussions with members of the Defense Industrial Base (DIB), it has become apparent that while CMMC is a foundational element of DoD procurement, it is not the only consideration DIB members should be looking at in the last few months of 2020. Many companies are overlooking the important and broadly applicable requirements of Section 889.
Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 prohibits the federal government from procuring “any equipment, system or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as a part of any system” (Section 889(a)(1)(A), in effect since August 13, 2019) and from “entering into a contract with any entity that uses such covered telecommunications equipment or services” (Section 889(a)(1)(B), in effect since August 13, 2020). It is the second part, the prohibition on contracting with entities that themselves use covered equipment, that reaches into every contractor’s own network.
Specifically, Section 889 creates a general prohibition on telecommunications or video surveillance equipment or services produced or provided by the following companies (and associated subsidiaries or affiliates): (1) Huawei Technologies Company; or (2) ZTE Corporation.
It also prohibits video surveillance and telecommunications equipment or services used for national security purposes, such as public safety or security of government facilities, provided by the following companies (and associated subsidiaries or affiliates): (1) Hytera Communications Corporation; (2) Hangzhou Hikvision Digital Technology Company; or (3) Dahua Technology Company. The prohibition on use applies “regardless of whether that use is in performance of a Federal contract.”
This matters because a large share of the network and video surveillance devices on the market are made and sold by these companies and their subsidiaries, and because the rule reaches subsidiaries and affiliates, checking the brand name on the faceplate is not enough; you need an inventory of the equipment actually deployed, including cameras, handsets, and network gear, and of who produced it. If no steps have been taken toward compliance, it is highly likely that you are not compliant.
What if I don’t comply? – Our sources tell us that the Government intends to actively enforce the Section 889 requirements. The active enforcement is part of a broader initiative to enforce contract provisions in government contracts, including the existing NIST SP 800-171 compliance and self-attestation obligations under DFARS 252.204-7012 (even before CMMC becomes officially effective). As a reminder, the risks include contract cancellation and loss of business in addition to False Claims Act (FCA) exposure.
The Government can hit a company with treble damages AND civil penalties of up to roughly $23,000 per false claim. When you add in the cost of defending an FCA action and the subsequent loss of reputation, this can be a true company killer. As a reminder, the Department of Justice recovered more than $3 billion in FCA settlements and judgments in fiscal year 2019. Everything we are hearing is that they expect to eclipse that in 2021.
As always, if you have any questions on this topic or any other cyber related issue, feel free to reach out.
Michael Irving
Sr. Vice President of Sales
Tier 1 Cyber
909 N Washington St, Suite 200
Alexandria, VA 22314
301-974-1260
www.Tier1cyber.com