Dawn Stern — co-chair of DLA Piper’s Government Contracts practice and a former DOJ trial attorney — joins Daniel to translate CMMC’s legal and contractual realities for non-lawyers. The throughline: CMMC is a company-wide legal risk, not an IT checkbox, and your best protection is documenting everything.
Key points:
- The 110-vs-FedRAMP dilemma. You can hit all 110 controls yet still not meet the FedRAMP Moderate cloud requirement, and SPRS has no checkbox for that gap. There’s no one-size-fits-all fix — options include scoring a 109, adding caveat language to proposals, or logging POA&Ms — but the rule is transparency. Claiming a clean 110 while representing full 7012 compliance is where misrepresentation risk lives.
- The False Claims Act changed the tone. What started as a “kumbaya” partnership is now an enforcement regime. The standard is “knowing,” but that includes reckless disregard and deliberate ignorance — so a five-minute check-check-check self-score is exposure. Diligence and contemporaneous documentation are the defense; if “Jim left and we don’t know why he marked us compliant,” that’s the problem.
- Senior-official sign-off. CMMC wants someone accountable (president, CISO, or just below) — ideally not the person who ran the assessment — to add a layer of objectivity. Good practice, not mandatory.
- Flowdown is the hard part. If the data flows, the clause flows — “you get CUI, and you get CUI” (the Oprah problem). Primes increasingly push everyone to Level 2 or find another supplier; indispensable mom-and-pops get workarounds (Level 1, prime’s system, even paper). Daniel notes CMMC trumps small-business set-asides and could push 40%+ of the supply chain to exit.
- Other risks: losing contracts outright, scoping errors, and M&A exposure — where the loosely defined “significant change” can force recertification. Time your closing date against your assessment, and keep legal/business/IT in the same room.
- Closing advice: document, document, document — and read your actual contract, since agency- and command-specific requirements still vary.
Sit down with Daniel Akridge, CMMC CCP, Summit 7, while he talks with Dawn Stern, Global Co-Chair, Government Contracts Practice at DLA Piper. In episode 16 of That CMMC Show, Daniel & Dawn discuss SPRS scores, CMMC & DFARS risks, supply chain flowdown, and more. Be sure to listen in!
Transcript
Daniel: Hello everybody, and welcome back to the CMMC show. Today we have another follow-up to people’s favorite topic — contracts and legal as it relates to CMMC. I have somebody who’s been in the CMMC space even before it was CMMC; it was the DFARS space, the DFARS 7012 space. Dawn Stern is with me today, and Dawn, I’m so excited to get into some very pointed questions that I get asked all the time. I slept at a Holiday Inn Express, but I am sadly not a lawyer — so I’m going to pass things over to you to see if we can get some clarity around the contractual obligations of CMMC, both as the prime receiving it and what kind of flowdown stuff we have to work with today. So, Dawn, first tell us a little about yourself.
Dawn: Thanks so much for having me. I think it’s super important to have the dialogue between the technical side and the legal side, so I really appreciate you having me today. I co-chair the government contracts practice at DLA Piper. DLA Piper is a large global law firm — we have 90 offices in over 40 countries around the world — and our government contracts team is also global. Our US government contracts team advises companies that do business with federal, state, and local governments across all aspects of that relationship, whether it’s negotiating contracts, negotiating teaming agreements, thinking about your compliance obligations, all the way through government-facing litigation and supply chain litigation. So we really look at things from all aspects and help clients throughout the industry think about what they need to do to be successful in their government contracts work.
Me personally, I’ve been at the firm about 15 years now, and prior to that I was a trial attorney at the Department of Justice, where I handled government contracts cases on behalf of the government. So I tell folks I’ve been on the dark side — you can pick which one that is — but I’ve advised companies and advised the government on all legal issues involving government contracts. My practice now is a lot of litigation against the government, and also investigations, supply chain issues, and then a real personal interest and niche in advising clients on CMMC and cybersecurity. So, hence our connection, and I really look forward to the discussion today.
Daniel: You say “the dark side” jokingly — I tell people all the time, I was in IT for 17 years, I did the thing, and then I switched to sales. They already know what the dark side is there, right? Sales is obviously the dark side. But what’s interesting is that you’ve seen it from every aspect — you’re on both sides of the fence when it comes to contracts, and because you’ve been in the CMMC and DFARS space for so long, you’ve seen just about everything. Which leads me to some very pointed questions.
Preface: I am not a lawyer, and Dawn’s not representing you. These are just a conversation and questions we’re going to answer to the best of our ability. So first up — this is a fun one that somebody posed to me a few weeks ago, and I think you and I briefly talked about it before. If I’m an organization and I meet all 110 controls and I have a perfect 110 in SPRS based on the DoD Assessment Methodology, but I don’t meet the FedRAMP requirements as required by CMMC, and I go to SPRS to enter my score for my CMMC Level 2 self-assessment — what score do I put in? Can I put a perfect 110, because I’m technically meeting the control framework but I’m not meeting the cloud requirement, and there’s no checkbox in SPRS saying “I have CUI only in FedRAMP Moderate or moderate-equivalent clouds”? I’ve had people wrestle with this, because they’re like, “We don’t want to lie, but we’re not lying — we’re submitting all the options we have in the system.” So, first question — I know it’s a hard one in my opinion, but you can probably cut through this immediately. I’ll turn the mic over to you.
Dawn: Yeah, I agree with you — I think it’s a hard question. Interestingly, we’d never heard this, and then, maybe like you, in the last six months or so we’ve gotten this question in a few different iterations from different companies of different sizes. Some of it I think I can attribute to some of the FedRAMP cloud providers changing what they’re providing, or how they deem their cloud. And I think folks are just now realizing, as they get closer to their CMMC assessments, that this is kind of a separate requirement. So I don’t really know what to attribute that uptick to, but I find it interesting that you’re hearing it, and we’ve heard it a couple of times as well.
The best I can say is, I think there’s not a one-size-fits-all answer — and I hate to give that lawyer answer, but I think that’s true. What’s important is that you are transparent with whatever representation it is. The problem comes in if you tell the government you have 110 and you’re submitting proposals that represent you’re fully compliant with 7012 — that’s where the misrepresentation can come in. So I’ve had some clients say, “While not necessarily covered by one of the 110 controls, we’re going to give ourselves a 109, simply to give the government a heads-up that there’s something, and if the government has questions, they can ask.” I’ve had other companies take the 110 but put some type of representation in proposals when they think that makes sense — caveat language that an attorney can help draft, to put the government on notice that this is something you’re aware of. You’re not misrepresenting it; you’re working to fix it, whatever steps you’re taking. I’ve had others do POA&Ms, so it’s internally documented that they’re not meeting it and what they plan to do to fix it. So again, I don’t think there’s a one-size-fits-all answer as to how you deal with it. But burying your head in the sand and pretending everything is okay, even if you know you’re not meeting the FedRAMP requirements, is where the problems can happen.
Daniel: Yeah. I know Microsoft, back in — I think it was October of 2024 — ripped their FedRAMP authorization off their M365 commercial cloud. And I can’t tell you the number of people who were like, “Wait, we were compliant.” Well, for FedRAMP, sure. There’s also an incident response requirement in DFARS 7012 that doesn’t actually carry over to CMMC certifications, which is fascinating — that’s the one part of 7012 that didn’t make the jump over. I asked the Cyber AB, and they said, “Yeah, that was intentional.” Okay, interesting. But people are like, “Oh, I’ve been in commercial.” I talked to a company not too long ago that was like, “We’re ready, we just want a gap assessment to make sure we’re good to go — we have all 110 controls.” It’s like, “Oh, what cloud did you do it in?” “M365 commercial.” And I was like, “I’m so sorry, I’ve got to be the bearer of bad news, because they ripped that away about a year and a half ago.” And they’re like, “Oh no.” One of the companies I talked to was about a 60,000-person defense contractor, and it was just insane — tens of thousands of people, and they were like, “We’ve got to fix this immediately.”
It’s so interesting when people bring this up, because it’s not like Microsoft or any cloud vendor sends you a text saying, “Oh, by the way, no more FedRAMP.” So people get caught off guard, which leads to, “Oh, I don’t want to misrepresent myself.” Now there’s the other side of this — my next question that we get all the time — which is the penalty for posting an incorrect SPRS score, even if you didn’t know. And the “didn’t know” part is the interesting part. When we’re talking to organizations, a couple of things happen. One, the IT guy who submitted the SPRS score is no longer there, and they’re wrestling to figure out how to update it. Outside of that, it’s, “Oh, I just put a score because I went down to 110 and checked yes, no, yes, no, yes, no, and that’s how I got my score.” Because when you look at scoring, it doesn’t do a good job of showing the assessment objectives. So unless you know something is happening, you don’t really know if you’re scoring yourself correctly. That’s where the confusion comes for a lot of people. They’re like, “Oh, I went down the 110.” It’s like, “Yeah, but there’s this thing called 171A, and you actually got four out of the five assessment objectives — but you fail the whole thing if you don’t get all of them right.” So I think that’s the interesting part: people just, out of ignorance, didn’t do the research on how to score. And then you have people who submitted an incorrect score, maybe intentionally — we’ve seen that in other cases previously, where they were basically strong-armed into posting a perfect score even though they knew it wasn’t.
So, now that I’m done explaining the question in more detail, Dawn — what happens if my organization submits an SPRS score that’s incorrect, either by me not knowing how to score myself appropriately, or by someone intentionally doing it wrong?
Dawn: Yeah, those are two really different standards. At the end of the day, what we’re seeing is the government has made no secret of the fact that they’re using the False Claims Act to review cybersecurity compliance, and as a potential enforcement mechanism for failure to comply with the cybersecurity requirements. That’s a shift. Because when this all started — if we all remember when Katie Arrington first rolled out the idea of CMMC, and we sat in conference rooms talking about what it was going to look like — it was a very kumbaya feeling. It was the government and us working together to protect the government’s information and the stuff that really needs to be out of the hands of our adversaries. And I think that’s right; I think that goal is still there, everybody’s still pulling in the same direction and recognizes why we need to do this. I don’t think anybody’s going to dispute that we don’t want this information in the hands of the wrong people. But that kumbaya feeling isn’t there anymore, because now the government is using the False Claims Act as an enforcement mechanism, and that comes with significant monetary penalties. It can get into the criminal side. So it’s something companies are now more focused on: “Where is that line?”
The False Claims Act standard is a “knowing” standard, so you do have to knowingly misrepresent. However, that “knowingly” category includes reckless disregard and deliberate ignorance. So, “I buried my head in the sand, I didn’t think about what the standard really was, I spent five minutes and went down the 110 and went check, check, check, I meet them all, and didn’t actually take my time — as either the legal side, the business side, or the IT side — to really think about what this is, what the scope is, and what I’m doing.” Generally, that’s where maybe there’s plausible deniability — maybe you could say, “I did it and I didn’t know it was wrong.” But that doesn’t really work if you’re not doing sufficient diligence to be able to say, “Here’s why I didn’t know it was wrong,” or “Here’s why I had a good-faith reason for making the representation I did.” That’s where the risk can come.
So if you are diligent, if you document the basis for your decision, if you go through and spend time and do it from the standard of somebody who is reasonable with your knowledge, your IT expertise, and the support you have — that’s generally an okay defense. “I said we complied with this, but when I brought in Summit or somebody else to do a gap assessment, we realized we’d just missed the mark a little bit, because of X, Y, and Z.” That story makes a whole lot more sense than “I spent five minutes and checked the box, and then I quote-unquote didn’t know.” Obviously, if you’re deliberately misrepresenting a score, that certainly comes with False Claims Act risk, breach of contract risk — you name it. But the closer-to-the-line case is, “I tried to do my job and I just messed up on a control or whatever.” That’s usually something where, with the help of counsel, you can figure out what happened.
The one thing I’ll say about the narrative you gave that’s really important to highlight is the documentation part. As we all know, it’s not uncommon for your IT person to do the assessment, and then you’re looking at it two years later saying, “Oh goodness, Jim left, and we don’t know why Jim marked us as compliant or not, and we have no idea.” So what’s critical is making sure whoever is doing it is fully documenting why and what the rationale is, so that whether it’s one year or two years later — somebody leaves, somebody gets sick, whatever — they can figure out what happened.
Daniel: Now I have a follow-up, because you just sparked something in my brain. DFARS 7012 and 7019 don’t really call out a senior official or who should submit the SPRS score, but CMMC has this “senior official” language in it, where it’s like, “Hey, we actually want somebody who has responsibility in the organization at a higher level to post and validate that yes, this is a real score.” From your experience, is that a specific type of role you typically see — is this a C-suite, is this a VP? What’s a good line to walk in terms of how you’d deem what a senior official is?
Dawn: It depends on the company structure, and I think companies are handling it differently. Smaller companies, we’ve seen, are going up to the president level, because that’s who makes the most sense. Other companies are your CISO type, or perhaps somebody directly below the CISO, depending on the size of the company, who would have oversight and personal knowledge of the assessment that was done. So I really think it depends, but it does generally need to not be the person who was responsible for the assessment. It really helps to have that additional day-to-day management one person removed, who can say, “This isn’t my baby, so I was able to look at it objectively, meet with them, understand what was done and why, and so I feel really comfortable making that representation.” That additional layer of objectivity is just helpful if any of the things we talked about go south. It gives you a little more of a story. But that’s not a one-size-fits-all “you must do that” — it’s just good practice if it’s possible.
Daniel: Okay, now that we’ve isolated the company level of SPRS scores — this is a question people didn’t really pay attention to in the DFARS 7012 days, at least didn’t pay attention to well — and that is our good friend Mr. Flowdown. One of the things CMMC has really agitated is a lot of primes right now, and a lot of them are taking good steps. We just had Elbit on one of our other podcasts with Jacob and Jason, and basically the interview was, “Hey, if you guys aren’t certified, we’re not going to use you at some point in time.” I just got off a phone call with a 50-person small subcontractor who said Leidos told them, “If you’re not certified by October, we’re taking you off our list.”
So we’re starting to see this narrative come out where it’s like, “Not only do I have to be compliant, but I’ve got to look downstream — potentially multiple tiers of suppliers — and figure out how I manage and enforce CMMC there. Or do I even have to do that?” So the two questions I get all the time are: Daniel, what exactly is my requirement for CMMC and flowing it down — how far am I responsible for? And the other: is there a world in which I don’t have to flow this down to them? First being, what’s my level of responsibility and for how deep in the supply chain; second being, is there any way to get around it? So what’s your take on the CMMC contractual flowdown language as it applies to both?
Dawn: Yeah, this is certainly an area where we hear the same thing on the legal side. It’s tough. CMMC, in a lot of instances, has taken a little bit of the risk away from contractors, because now you’ve got the C3PAO doing your assessment, and there’s a little bit of that issue we were talking about — “What if I put in a 110 and I didn’t know?” That risk goes down now, because somebody else is going to tell you whether you have a 110, provided you give them the right information to put into the assessment. But the supply chain risk is there, and it’s big and significant, and the reason is the dynamic down the supply chain.
CMMC puts in the prime’s ambit of responsibility the need for the prime to say — it’s like Oprah: “You get a car, and you get a car.” “You’re going to get CUI, and you’re going to get CUI, and you’re going to get CUI. And so all of you need to be Level 2.” And then you have that tension between the prime and the sub, because the sub over here says, “Wait a minute, all I make is widgets. It doesn’t matter what you’re putting it on. I don’t need CUI. I’m going to give you my widget, and you’re going to put it in your little whatever you’re building, and I don’t need CUI. So why am I Level 2?” That tension starts, and the government wants to look at you and say, “Not my problem — that is your prime problem.”
Daniel: Yep.
Dawn: That’s further complicated by the fact that, as we’ve all experienced, the government doesn’t really want to tell you what CUI you’re going to get. So it’s a little bit of a whack-a-mole. At the very beginning of a contract, oftentimes companies don’t know where contract performance is going to lead or what kind of information they’re going to get, and they’re in a position then to decide who gets the CUI — it becomes very complicated. So I think you’re right: what we’re seeing more and more are companies taking the position that they just want to get everybody in their supply chain to a Level 2. And if you’re not willing to spend the money, effort, and time needed, then perhaps they’re going to look elsewhere.
In other instances, there are primes that realize they have a mom-and-pop widget maker, and nobody else in the country makes this widget, so they have to figure out a workaround with that company — whether that’s finding a way to keep that company at a Level 1, or finding a way to share CUI with that company only on the prime’s Level 2 system. You’ve probably seen people — probably not the best practice — moving toward paper documents. I’ve heard all kinds of stories of people trying to find a way when that sub is indispensable. But as a business, if you’re a smaller business down the supply chain, the best thing you can do is start moving toward your Level 2. If you’re doing that and making reasonable efforts and moving the needle, a lot of the primes still have patience for that. They understand the line to get a certification is long and the wait is long, so they’re able to work with you to find workarounds until you can get certified. But if your answer is “I’m not doing it, that’s not for me, I don’t want the Oprah car,” then those primes are starting, more and more, to say, “Then we’re going to find somebody else.”
Daniel: And that’s what’s interesting — people are always like, “Daniel, but I’m a small business, I’m a set-aside, I’m veteran-owned, I’m disabled, I’m minority, I’m woman-owned” — you name the set-aside list. And they’re like, “Surely CMMC is not going to impact that, because the DoD is obligated to fund a certain amount” — or that’s their goal, to fund a certain amount of SBA-related work. And it’s like, no — CMMC trumps set-asides. Even as a flowdown requirement: if the data goes, the clause goes. It’s one of those things where it’s agnostic of size, and that’s hard, because the burden of implementation and paying for a certification — some organizations could be looking, even on the small side, at hundreds of thousands of dollars over a multi-year implementation and certification process.
So it’s always interesting to see that tension, like, “Oh, can I get away with getting it on my system, or giving them a paper copy?” — because everyone’s trying to crack that code. I personally think we’re looking at a pretty large consolidation of the supply chain in the defense space, if it holds true the way it’s written. I could imagine somewhere north of 40% deciding to exit — maybe a little lower — just because of the cost to do it. They’re like, “We’d rather go do our commercial work” — until, of course, FAR CUI comes out and then they can’t do any federal work at all. We’ll talk about that on another podcast episode, because that’s an emerging thing all on its own. But it’s coming.
So we’ve hit a few definitely hot topics. I’m going to throw a more generic one out at you. We talked a little about the False Claims Act — are there any other contract risks people should be aware of as it relates to DFARS 7012 and 7019/7020 and CMMC? Or is FCA really the big one in the room?
Dawn: Look, I think the threshold one is losing your contracts — either because your primes don’t want you if you’re not Level 2, or you’re not eligible for contracts if they’re issued at a certain level. So that’s the biggest risk, and the one we all want to avoid. Hopefully, if we’re listening to this, that’s not where we are. Other than that, certainly the False Claims Act, like we’ve talked about, and supply chain, like we’ve talked about. And then, more granular — when you’re actually talking about the assessment, be really thinking about your scoping issues. Like I said before, that assessment is only as good as the information you provide. So if you’re not scoping your system correctly for your CMMC assessment, if you’re not thinking about what CUI you get or how it flows through your system, all of those are risks. And we see a lot in the M&A context: how do I identify risk if I’m looking to acquire a new company, or what do I need to do if I’m looking to sell my company in the near future? So all of those are things to be thinking about as you work through your cyber compliance.
Daniel: I’ve got one follow-up, related to the M&A stuff. One of the most loosely defined terms in CMMC is “significant change.” The DoD threw out this “significant change” language — significant architectural or boundary changes, expansions of networks, and mergers and acquisitions — and that’s the entirety of it. They’re like, “Hey, one of these things happens as a significant change, you’ve got to go get recertified.” What have you seen on the interpretation of “significant change”? Or is it maybe too early in the process to have really seen that come to light? I think we’re over 800 certifications now. But what’s your take on that from an M&A approach?
Dawn: Yeah, it’s a tough one. In the near term, where we’ve seen clients going is thinking about when your closing date is going to be vis-à-vis your assessment. So, if you know — and this is yet another reason I get on my soap box and say CMMC is not an IT problem, CMMC is a company problem, or a company initiative — we really need to be thinking about it with business folks in the room, legal in the room, management in the room, IT in the room. Everybody’s got to be on the same page. Because your IT folks may not know that your leadership is contemplating an acquisition of another company, and your IT folks are now scheduling your CMMC assessment a month before the closing of that new acquisition. Well, maybe now we want to push that assessment out three months to allow the integration, so we don’t have the “significant change” question pop up within two months after we get our Level 2. So I think that all needs to be thought of together.
It’s yet to be seen. It seems a bit unmanageable for the AB to take the position that anytime there’s an acquisition you need a new CMMC certification or assessment — particularly with the waiting list they’ve got now, that’s not going to be manageable in the long term. But I just don’t think we know yet.
Daniel: Yeah, it’s going to be interesting to see what shakes out, because you have to have a C3PAO tie the CAGE code in eMASS in the background. So if you have a new CAGE code, do you just wait? What happens to performance of those contracts? What happens to imminent contract awards in between? There are so many question marks that people are like, “What do we do?” And honestly, we don’t quite have the playbook yet. DoD has been issuing a lot of FAQ updates — I really hope they clarify “significant change” a little more, to give a bit more flexibility there. I have a feeling they’ll probably over-rotate and be more prescriptive, in maybe a more negative light, causing more harm than good — but we’ll wait and see.
All right, I’ve got my last one, and I ask everybody this.
Dawn: Yeah, I think we’re going to have to really — and that’s what our second episode will be about, Dawn—
Daniel: So, closing remarks. I ask everybody this question — it’s the fun thing. This is the “what’s your favorite food” all the way up to “how do I stay out of jail.” Anything you’d like to share with the audience and the thousands of viewers we get?
Dawn: Yeah — stay out of jail. No — [laughs] — or have wine and dark chocolate until we figure this all out. I think those are all fair. And I’d say the last thing, and we touched on this: document, document, document. Really make sure you’re writing down and accounting for the decisions you make, the representations you make, the assessment scope you do. That documentation becomes critical if there are ever questions from the government. What we really look to is that contemporaneous documentation, not some post hoc thing you develop once you talk to a lawyer and you’re under investigation. So make sure to document now, and make sure to read your contract now, because there are still agency-specific requirements, command-specific requirements, varying reporting requirements. Make sure you’re looking at those and know what they are. And that’ll hopefully keep everybody on the right track.
Daniel: I love it. Well, Dawn, thank you so much for your time — this was an incredible episode. You answered a lot of the burning questions I get asked all the time. I just say: go talk to Dawn. We’ll put your contact and LinkedIn in the YouTube video here so people can reach out if they have any actual contract questions and you can have conversations and move forward from there. But thank you so much for joining — this was such a pleasure. I’m so happy to bring the IT/cyber world back in with legal. I wish they would talk to each other more — I’ve been on so many calls where I feel like just a mediator, trying to build a bridge between those two teams, because they don’t understand where the corporate risk is. But you’ve been such a breath of fresh air. Thank you for joining, and we’ll look forward to the next episode.
Dawn: Thanks, Daniel. Appreciate you and the whole team. Look forward to it. Absolutely.
Daniel: All right, everybody. Thanks for watching, and make sure to tune in to the next one.