Cybersecurity in 2023: What Government Contractors Should Expect … – Holland & Knight

2023 promises to be a pivotal year for cybersecurity in government contracts. Besides the implementation of the Cybersecurity Maturity Model Certification (CMMC) program, new regulations are coming for civilian contractors, including new cybersecurity regulations from the U.S. Department of Homeland Security (DHS). Further, an update to a key standard, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, is expected in 2023. This will impact CMMC and current U.S. Department of Defense (DOD) regulations, including Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, 252.204-7019 and 252.204-7020.
The center of all of this is the definition of Controlled Unclassified Information (CUI). The definition of CUI dictates contractor and government obligations under CMMC and various DOD regulations and forthcoming civilian requirements. The 2022 National Defense Authorization Act (NDAA) required the clarification of the definition of CUI, which we should also see in 2023.
The 2023 NDAA also contains updates to cybersecurity requirements and priorities, which we will cover at a later date. With that, let’s take a look at what to expect in the coming year.
DOD contractors that process, store, create or transmit CUI have long had to comply with the standards outlined in NIST SP 800-171. On the other hand, civilian contractors have had to comply with a much looser standard outlined in FAR 52.204-21. A new proposed rule that has not yet been published will likely align standards and also require civilian contractors to be compliant with NIST 800-171. This proposed rule already underwent a review by the Office of Information and Regulatory Affairs (OIRA) – the last stop for many regulatory requirements – in August 2022. Because of issues identified by OIRA, regulators are making further revisions to the proposed rule. The FAR case is 2017-016, and the latest status is available online.
DHS released proposed cybersecurity regulations in January 2017, and those regulations have been undergoing revisions since that time. OIRA received the final rule for review and publication on Aug. 15, 2022, so its release is possible at any time. As a refresher, the proposed rules:
No cybersecurity update would be complete without reviewing the status of CMMC. DOD officials have long said that they expect the CMMC program to ramp up by summer 2023. Because it is unknown which contracts are being covered by CMMC, contractors (whether prime contractors or subcontractors) should prepare for implementation of the program. Even so, for contractors handling CUI, the requirements to institute the controls under NIST SP 800-171 have been in place for a number of years now and, even if there are material changes to the CMMC program, these requirements are not expected to change. In any event, we should expect the following soon:
As noted above, a revision of NIST SP 800-171 is forthcoming. In the fall of 2022, NIST announced that an initial public draft of SP 800-171, Revision 3, is expected in late spring 2023. Further, based on feedback NIST leaders received, they plan on the following for the upcoming revision:
When DOD moved from CMMC 1.0 to CMMC 2.0, it removed bespoke DOD controls. It remains to be seen whether those controls will be added to the upcoming version of NIST SP 800-171.
DOD currently runs a cyber-incident information sharing program that is limited to classified programs. In a proposed rule due to be released in May 2023, DOD will propose expanding the scope of the program to contractors that “process, store, develop, or transit” CUI from DOD.
It is not a coincidence that the U.S. Department of Justice released its new Civil Cyber-Fraud Initiative around the same time that CMMC 2.0 was released, announcing that contractors not handling CUI will be permitted to self-certify compliance with cybersecurity standards. In case you missed it, the initiative will target contractors that do not meet contractual cybersecurity standards or fail to report cybersecurity incidents. More specifically:
The press release about the initiative touts the following benefits of the program:
Further, as currently constituted, the base self-certification level for CMMC (Level 1) requires contractors to undergo extensive validation procedures.
All of the above translates to increased risk for contractors of civil fraud cases brought by relators or the federal government.
As the above cybersecurity developments come to fruition (and others not mentioned here), we will provide updates. In the meantime, please feel free to reach out to us with any questions.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.