D. Lessons Learned in the Implementation of Section 889
1. Interviewees Identified the Best Practices and Common Trends in the Implementation of Section 889
From the contractor’s perspective, interviewees generally identified that the most important practice with regard to Section 889 is to push their certification requirements down the supply chain. In other words, contractors must ensure that they require their suppliers to certify their own compliance with the Supply Prohibition and to provide the information needed for the contractors themselves to make the Use Prohibition certification. This Supply Chain prohibition is required by law to be included in subcontracts, but diligence in obtaining subcontractor certification was nevertheless a key recommendation by interviewees. Critically, in this regard, Section 889 covers many products that are embedded as components in other products at a level that will not be apparent except to the manufacturer. This creates a risk that contractors will have to make certifications with an imperfect ability to assure accuracy, a risk that contractors can best mitigate by ensuring that another party farther down the supply chain, with better information, makes the certification.
This risk arises from the breadth of coverage of Section 889. The FAR’s Use Prohibition certification is quite broad as, unlike the statute, it is not limited to “substantial or essential” components or “critical technology,” and it is not limited by the nature of the contracted performance or even the contractor’s industry. More generally, the sheer breadth of covered services and goods creates such risk, where the covered Chinese firms are major global sources of not only cellular phone network infrastructure, but also radios, virtual reality, cameras, and display screens. Indeed, two interviewees noted that firms were required to replace the thermal cameras that they used to screen for COVID as coming from a covered source.
As a result, when certifying, contractors must protect themselves from the risk of “black boxes” in the component supply chain—articles the subcomponents of which the contractor likely has no ability to identify. As a hypothetical example, two interviewees proposed a contractor providing laundry services for a federal agency whose delivery vans had backup cameras containing covered equipment. It is easy to imagine such a contractor failing even to identify the issue, much less to obtain adequate certification; yet such failure would violate the certification required by the FAR’s implementation of the Use Prohibition.
Contractors can protect themselves from the risk of “black boxes” by ensuring that they obtain the proper certification from their own subcontractors and suppliers. Diligence in this regard ensures that those with visibility at the correct component level are the parties certifying a component’s provenance. For contractors with limited resources, one interviewee recommended as a resource for standard subcontract terms the subcontractor, vendor, or supplier terms publicly available on the websites of the biggest defense contractors. Government contract professionals also rely on contractors to ensure that the certification is pushed down to the right level, as they face the risk of scandal in the event an incorrect certification leads to noncompliant procurement, and they face the risk with even less insight into the supply chain than the prime contractor.
Pushing the certification requirement down, however, is an imperfect solution for the practical problem of correctly identifying banned equipment and services in the supply chain. Ideally, and in general, it provides an efficient allocation of risk because, for any given component, the party with actual knowledge will have certified or provided the information needed to do so. However, this practice also creates the risk that inquiry will merely flow down the supply chain to a party who cannot or will not effectively comply. Suppliers far enough down the supply chain, all things being equal, tend to have fewer resources, less sophistication, or less experience with federal contracting. As a result, pushing the certification requirement down the chain will sometimes result in the requirement being passed to the first party that fails either to recognize what is being asked or to answer correctly rather than to the party best situated to answer.
Another important lesson learned, in tension with the importance of pushing the certification down the supply chain, is that contractors should carefully scope their “reasonable inquiry” conducted under the Use Prohibition. This inquiry is broader than the prohibition that it covers, as noted above, and this breadth was intentional. When the Section 889 interim rule first came out, then, contractors generally expected to take an expansive view of implementation, including flowing down the Use Prohibition to suppliers.
Those contractors, however, received pushback from suppliers who were unwilling to provide that information and could not get it from their own unwilling suppliers. A subset of those suppliers were those who used covered services through the cellular phone infrastructure in their home market. This subset and their concerns were significant because Huawei provides a large fraction of cellular phone network infrastructure used worldwide, particularly 5G, including in nations that are likely locations of contract performance and that are potential sources of technology for U.S. procurement.
Moreover, when contractors could get the information and provide it, they found that the FAR requirement exposed them to unintended consequences. One interviewee reported that a “does use” certification can negatively impact a contractor, even though the certification does not necessarily mean that the contractor is out of compliance with Section 889 or requires a waiver. Contracting officers have reportedly refused to award to contractors that certify “does use,” even if the equipment or services in question are not covered. In the interviewee’s opinion, this denial was either the result of the contracting officer’s not understanding the certification or of the contracting officer’s preference to avoid the risk of awarding to a contractor that used covered equipment or services in the event of a cybersecurity incident. Such risk aversion is common as agencies face increasing vigilance of their cybersecurity and pressure to avoid being seen as “soft on China.” One interviewee noted, as an obvious avenue to inform these risk-averse contracting officers, that SAM.gov could allow contractors certifying use to provide a narrative explanation or a separate certification for geographically based use; but such an ability does not currently exist.
In addition, the rules and guidance provided so far have not helped contractors manage or circumscribe this burden. The breadth of the FAR certification requirement prevents contractors from determining for themselves whether a given piece of technology is a “substantial or essential” component of their systems or “critical technology.” Agencies have not provided helpful clarification about what constitutes “use,” leaving contractors to rely on the literal meaning, which is impractical in application.
These circumstances have led contractors to take a more tailored and nuanced approach to the scope of their reasonable inquiry than they had initially planned. In the absence of guidance but faced with serious consequences for over-reporting, it has proven better for contractors to rely on a reasonable interpretation of what constitutes “use” and what is required for a “reasonable inquiry” to avoid creating unreasonable obstacles for themselves. For example, contractors with suppliers operating outside of the United States where Huawei may be the source of telecommunications equipment have adopted a more judicious reasonable inquiry, in which they rely on the definition of “reasonable inquiry” to limit that inquiry to the identity of the actual manufacturers of supplies and leave it at that.
Section 889 theoretically provides two mechanisms to reduce the burdens and risks of certification: the waiver, and the exceptions under the Supply Chain Prohibition for backhaul and other services that connect to third-party facilities and equipment that do not connect. The use of waivers is essential, given the global importance of covered firms in providing telecommunications infrastructure. In this regard, Huawei provides a large fraction of cellular phone network infrastructure used worldwide, particularly 5G, including in nations that are likely locations of contract performance and that are potential sources of technology for U.S. procurement. In fact, the U.S. Embassy in London has indicated that all its suppliers must indicate “does use” in its Use Prohibition representation. Three interviewees reported cases in which Section 889 was implicated by the performance of a contract overseas where Huawei provided the components for the cellular infrastructure, and two verified that the procurements required a waiver.
However, the waivers have not proven to offer meaningful relief in practice. They are not only infrequently granted, but also difficult to request due to the rarity of the requests and the level of approval required. Three interviewees reported awareness of a waiver having been granted for contractors operating overseas, and one familiar with the waiver process reported that it took almost two years because the agency was both unaccustomed to that process and concerned about the repercussions for having invoked the waiver in the event of a cybersecurity breach. This delay is consistent with the prospective statement that waivers would be granted only as a “last resort.” It does, however, pose a significant concern for contractors whose contracts implicate the geographic range of Huawei’s 5G technology. Moreover, a waiver under one contract will prove of limited value if other contracting officers refuse to pursue one under a different solicitation based on the “does use” certification in the SAM.gov database.
The exceptions, in turn, offer limited relief that will probably be undermined by the significant risks facing any party seeking to take advantage of them. The Section 889 program, as implemented through the FAR, is a tool wielded and gate guarded by contracting professionals rather than IT professionals. Anecdotally, contracting officers do not always understand what contracts or technologies carry a high risk of data breach via Chinese telecommunications equipment. More specifically, they are not comfortable invoking the exceptions in the face of their uncertainty as to their application. In this current environment of mistrust in Chinese firms, contracting officers also face a high downside risk for invoking the exception to contract with a firm using Chinese-sourced telecommunications or video surveillance equipment. As a result, the exceptions will likely be underutilized even when they would appear to offer necessary and appropriate relief. The provision for waivers and exceptions, then, does little to reduce the impact of the ban.
Finally, one interviewee observed that Section 889 has been more of a “compliance” regime than a cybersecurity one. The interviewee who identified this concern explained that, with Section 889, contracting officers focused more on the contractors’ certification of compliance rather than the avoidance of certain risks of data breaches from insecure technology. This focus follows in part from the structure of the statute itself, inasmuch as the ban applies to all contracts without reference to specific risks.
It also, however, follows from the decision to make this cybersecurity measure a question for contracting officers. Contracting officers do not tend to have meaningful cybersecurity experience and so will not be able to identify which procurements, contracts, and contractors involve higher levels of risk from the particular concerns that motivated Section 889. They will not often have the tools to identify when a closer look at a contractor certification is warranted or to evaluate the sufficiency of the inquiry on which the certification is based. This may push agencies to treat Section 889 as a compliance regime in which the risk is that the contractor fails to certify compliance rather than that any particular threat to cybersecurity is incurred or mitigated. The interviewee who raised this matter expressed reservations about the effectiveness of such an approach in the realm of cybersecurity, as it led to a disconnection between the IT professionals, the contracting offices, and the industry. As another interviewee put it, the regime consisted in large part of “[taking] the contractor at its word, which seems counterintuitive.” Together, these factors ensure that the focus lies on compliance rather than the reduction of identifiable risks.
This interpretation was not unanimous, however. A different interviewee identified as costs—and indeed benefits—of Section 889’s implementation the additional scrutiny applied by agencies themselves to the sourcing of the components of procured supplies, as well as a general sense of heightened caution in procurement generally. Under either assessment, however, the regime’s effectiveness in actually achieving cybersecurity goals depends on the capacities of the implementing procurement teams.
2. Interviewees Identified the Impact of Section 889 on Technology Procurement
The interviewees generally agreed that Section 889 has impaired, to some extent, the ability of procuring agencies to access emerging technology. Covered firms are critical sources for technology used in radios, virtual reality, cameras, and display screens. At the time of implementation, one firm that overwhelmingly dominated the market for commercial drones used covered Chinese technology and so was no longer available, leaving contractors unable to substitute. Likewise, in a procurement for equipment requiring virtual reality technology, the supplier was unable to find any substitute after Section 889 ruled out the initial solution. These affected areas of technology will continue to increase in importance, as virtual reality is becoming a more important tool for training and because, as one interviewee put it, “networking makes 889 into a rule for everything.”
As a result, Section 889 poses the risk of limiting the sources of critical technology, even to the point of limiting entire classes of critical technology, at least for a time. Some vendors experienced initial delays in sourcing alternatives, while others were initially unwilling to certify in the face of opaque supply chains. Indeed, some commercial technology companies continued to refuse to tell government contractors whether they used covered equipment and services in response to Use Prohibition “reasonable inquiries.” Nevertheless, the interviewees agreed that, with time, DIB firms have generally been able to find substitutes quickly and effectively.
Certain areas of difficulty have persisted, however. As was noted above, the covered firms are effectively the only source for certain classes of technology: cellular phone network infrastructure used worldwide, particularly 5G; components for radios, virtual reality, cameras, and display screens; and commercial drone technology. In addition, one interviewee pointed out that the market’s adaptation to a broader pressure to exclude Chinese-associated firms has created a risk out of the participation by Chinese firms in Silicon Valley. Silicon Valley is a significant source of innovation, and much of the investment in Silicon Valley firms is from Chinese banks. The interviewee postulated that actions tending to exclude Chinese firms from U.S. infrastructure might interfere with the U.S. Government’s ability to access this source of innovation.
Other downsides in the contracting process have persisted as well. Procurements have faced continuing delays as both prime contractors and agency industrial security processes have increased their scrutiny of components’ provenance. In addition, the loss of access to lower-cost options has meant higher prices overall. Finally, Section 889 has added compliance costs and delays for government agencies, where agencies expend labor in certification checks. One interviewee cited the so-called “procurement trilemma”—the common understanding that, of the three desirable characteristics in a procurement (good, fast, or cheap), procuring agencies must choose two—and opined that Section 889 has altered the balance by moving agencies away from both fast and cheap.
The foregoing comments applied with particular salience to Other Transactions (OT). OTs are instruments for the purchase of goods or services that are neither “procurement contract[s], cooperative agreement[s], [n]or grant[s];” several federal agencies, including DoD, are authorized to enter into these OTs. Because OTs are not procurement contracts, cooperative agreements, or grants, they are “not subject to the law, regulations, and other requirements applicable to such contracts, agreements, and grants,” which permits flexibility in the procurement process. This flexibility, in turn, allows agencies to obtain goods and services from leading technology firms that did not have experience doing business with the federal government or sufficient appetite to navigate the suite of laws, regulations, and other requirements. As a result, agencies commonly use OTs to purchase cutting-edge commercial technology, and such projects often use commercial parts whose source is more difficult to certify down to the sub-component level. Moreover, OT suppliers previously faced no comparable limitations in sourcing, whereas, at least for traditional DoD contracts, the DFARS already required sourcing from qualified countries for a significant portion of procurements. Likewise, the non-traditional firms who participate in OTs were not generally accustomed to using the FAR or working with the U.S. government, and many were not even aware of the Section 889 list at the time of implementation.
Section 889’s implementation also reflects a significant shift in the realm of OTs because agencies usually took advantage of the OT’s flexibility to craft the cybersecurity requirements based on a case-by-case analysis. In such cases, cybersecurity, including sourcing of components, was one of several competing concerns for source selection. Section 889, however, has converted these concerns as they relate to covered components into a ban and thus left them outside the realm of tradeoffs.
According to interviews, a key solution to these challenges has been education of the DIB. Traditional contractors initially experienced delays and required contract modifications to substitute banned equipment, but such instances have been increasingly rare as firms adapted. In the OT sphere, procuring officials have avoided delays and design changes by ensuring that potential offerors are aware at the outset that the Section 889 requirements apply and are, in practice, non-negotiable. Agencies have also worked with the consortia that manage many groups of OT participants to introduce Section 889 in the requests for white papers, agency- and consortia-provided trainings, and the basic information otherwise provided to potential OT participants.
3. Interviewees Identified the Effects of Section 889 on the Defense Industrial Base
The adaptations to Section 889 in the DIB reflect an interesting outcome of its implementation: the displacement of Chinese firms more generally from the DIB. Interviewees familiar with OT consortia and traditional procurement alike have noted that agencies have tended to eschew Chinese-sourced technology, even from firms not covered by Section 889. Partly because of a lack of contractor sophistication, the ban may also have generally contributed to an environment in which government suppliers simply avoid Chinese telecommunications and video-surveillance technology entirely. One interviewee reported cases in which contracting officers instructed contractors that they could not use components or articles manufactured by Chinese firms unrelated to the covered equipment and services. In addition, the implementation of Section 889 has created a general reluctance to use not only the banned Chinese vendors, but also foreign vendors generally, for fear that those other suppliers may utilize banned components. Moreover, potential contractors from countries other than China have often been unable to flow down the certification as their subcontractors simply cannot or will not comply. With less confidence, some have suggested that the demand for substitutes may have stimulated domestic firms to fill in where no acceptable substitute for Chinese technology is currently available. To the extent Section 889 has these effects, it would only be one part of a larger trend of pushback against Chinese technology in domestic markets, as well as the markets of U.S. allies.
The removal of covered technology from the market has led to other, less desirable outcomes. Chiefly, Section 889 has removed access to some low-cost options. In certain areas, implementation of Section 889 will effectively rule out the lowest price technically acceptable (LPTA) competition because, as a matter of course, the putative LPTA technology is covered by Section 889. Elimination of the actual low-price option levels the playing field between the other competitors, thereby removing downward pressure on cost. As a result, one experienced contracting officer opined that, going forward, contracting officers would have to focus on negotiating to obtain suitable prices.
That cost will, of course, ultimately be borne by the government, but it will also likely alter the competitive landscape. Larger, traditional, defense contractors may be better situated to pass on these higher costs than smaller firms. Moreover, Section 889, as yet another rule applied to government procurement but not the private sector, may also serve as a barrier to entry for new, smaller entrants into the DIB. On the other hand, smaller contractors with a single legal entity and a smaller inventory will likely have less trouble identifying any problematic equipment or services either in use or in their smaller catalogs. Overall, however, this effect exacerbates a problem that the U.S. government has already spent much effort to ameliorate.
In sum, DIB contractors have adapted to Section 889 by finding substitutes for Chinese components in their own products and requiring their suppliers to certify compliance in their own right. Federal agencies generally achieved their procurement goals with these adaptations. They have, however, tended to focus on ensuring that suppliers make the requisite certifications and avoid supplies that may contain covered technology, rather than on identifying and addressing specific cybersecurity risks posed by such technology or services. Finally, these compliance practices have raised costs and tended to exclude Chinese goods from the U.S. procurement market to a degree even greater than the already broad statutory language of Section 889 did.
IV. The Cybersecurity Maturity Model Certification
The Department of Defense has developed its own cybersecurity initiative, CMMC, which DoD released in its second iteration, CMMC 2.0, in October 2024 after several years of public deliberation and revision. With CMMC, DoD has taken a very different approach from that taken with Section 889. Where Section 889 relies on the broad exclusion of Chinese firms from the DIB to ensure protection of government information, CMMC relies on a regime of best practices and assessments graded to the sensitivity of the information in question.
Put simply, the CMMC is a suite of standard practices for the protection of federal information in the DIB and a framework for certifying contractors’ implementation of those practices. DoD created it as a response to an increased risk of the loss of federal information from the DIB. Recognizing the costs of malicious cyber activity to the U.S. economy and the related need to build the security and resiliency of the DIB, DoD designed CMMC as “the [DoD]’s metric to measure a company’s ability to secure its supply chain from cyber threats, protecting both the company and the department,” a “unified cybersecurity standard” for DoD’s acquisitions to “[p]erpetuate a collaborative culture of cybersecurity and cyber resilience.”
CMMC establishes minimum standards of cybersecurity for DoD contractors handling FCI, including CUI, except under contracts for COTS. There are three levels of required cybersecurity practices, most of which are already required by the FAR, with the level of requirements based on the sensitivity of the information being handled under the contract. Compliance, in turn, will be assured through the mandatory assessment performed by DoD contractors, third-party certification bodies, or the government, depending on the level of risk (the latter termed “certification assessments”). Finally, all defense contractors and subcontractors handling U.S. government information not intended for public release, including but not limited to CUI, as well as the vendors these contractors hire to handle that data, will be required to achieve some level of CMMC certification.
DoD introduced its first draft of the CMMC framework in September 2019 and released version 1.0 of CMMC in January 2020. Initially, CMMC imposed a series of requirements across five levels of stringency and required security audits of contractors by third-party assessment organizations. While CMMC 1.0 borrowed many of the requirements from standards promulgated by NIST in other contexts—NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; and for certain programs, NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171—it did not mirror those standards exactly, so CMMC represented new demands on contractors. Critics complained about this proposed approach, arguing that it imposed requirements on many firms that lacked the cybersecurity infrastructure to comply and created ambiguity concerning coverage. DoD nevertheless continued to implement the program. In September 2020, DoD published an interim DFARS rule implementing the program effective November 30, 2020, albeit with a five-year phase-in period during which compliance would only be required in select pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD (A&S)).
Congressional hearings followed, and DoD initiated an internal review of the program, with the result that, in November 2021, DoD announced a much-streamlined CMMC 2.0. CMMC 2.0 was designed to reduce costs, particularly for small businesses, to increase trust in the assessment program, and to clarify and align DoD’s cybersecurity requirements with other federal requirements and commonly accepted standards. In the same publication, DoD announced that it would suspend the CMMC piloting efforts until CMMC was codified through formal rulemaking.
Reflecting its history, CMMC 2.0 maintains the standardization, universal application, and tiered model appearing in version 1.0, while reducing the number of levels to three, setting cybersecurity standards consistent with the existing FAR and NIST standards, and imposing less onerous certification assessment requirements. The salient features of each level are discussed below, but, because the FAR already requires most DoD contracts to comply with these cybersecurity standards, the most important innovation is the certification assessment requirement.
CMMC will not take effect until the program requirements have been implemented in the DFARS. As noted earlier, in October 2024, DoD completed the review process announced in November 2021 and issued a final rule providing the complete contents of the regulations enacting the CMMC 2.0 program. In addition, on August 15, 2024, DoD issued a proposed rule that identifies how the CMMC requirements will be implemented in DoD contracts. The comment period on this proposed rule ran through October 15, 2024. Assuming the proposed rule amending the DFARS is finalized by the end of 2024, DoD contracts could begin requiring CMMC compliance in early 2025, though the program will have a staged implementation over a three-year period.
A. CMMC Level 1 Imposes Fifteen Security Practices and a Self-Inspection Requirement on Contractors Handling Uncontrolled Federal Contract Information
Once in effect, CMMC will require solicitation documents to identify the applicable CMMC level. CMMC will apply to all contractors and subcontractors under all contracts above the micro-purchase threshold, except for COTS. CMMC Level 1, the least complex and onerous level of CMMC, will apply to all contracts under which the contractor will hold FCI. This is the CMMC level that DoD estimates will apply to the majority of contractors subject to CMMC. It imposes the fifteen security practices found in FAR 52.204-21 since 2016, discussed further below, and requires affirmation of compliance through annual self-assessment.
Substantively, Level 1 represents no significant change. Level 1 will require of contractors handling FCI the same cybersecurity activities that FAR 52.204-21 has required since November 2021. Accordingly, the differences anticipated under CMMC are formal rather than substantive: in addition to conducting these activities as a matter of contract performance, CMMC requires contractors to assess their own performance and affirm that they have performed.
The fifteen cybersecurity activities themselves—called “security controls”—provide general narrative descriptions of best practices. The security controls include the limitation of access to and authentication of users on the system in question, the control of connections to external and public information systems, the maintenance of physical and logical barriers to protect the system, and the control of physical access. An example of the first security control gives an idea of the form these standards take: “[l]imit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).” The others operate at a comparable level of generality, identifying the desired action without stipulating the hardware, systems, or procedural solutions that the contractor should adopt to undertake that action. As a result, accomplishment of each security control implies the implementation of some unidentified set of hardware, software, or procedural solutions to accomplish the desired end state.
B. CMMC Level 2 Imposes 110 Security Practices and an Inspection Requirement on Contractors Handling CUI Other Than the Most Sensitive
Level 2, the “Advanced” level of CMMC, applies to companies with CUI on their information systems. It consists of the 110 practices that make up the whole of NIST SP 800-171 Rev. 2. Level 2 also requires triennial assessments conducted by a third party for contractors with critical national-security information, and self-assessments for other selected programs. DoD estimates that more than a third of contractors to which CMMC applies will be required to comply with Level 2.
NIST created NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, to further its statutory responsibilities under FISMA. Since 2015, DoD has required all contractors, except under contracts for COTS items, to comply with the requirements of NIST SP 800-171 and to submit the results of a self-assessment. It sets out recommendations for protecting the confidentiality of CUI through 110 practices across fourteen “families” of requirements, each of which represents a general category of activity. These fourteen families are the following: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
Each of the fourteen facilities contains requirements in the form of general narrative descriptions of the best practices. These best practices, in turn, consist of “basic” requirements, which provide broad instructions for safeguarding federal information and the systems containing it, and “derived” security requirements that supplement the basic security requirements. For example, the “Media Protection” family contains three basic requirements: “Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital”; “Limit access to CUI on system media to authorized users”; and “Sanitize or destroy system media containing CUI before disposal or release for reuse.” From these basic requirements are derived additional requirements that provide detail as to how the basic requirements are achieved:
• “Mark media with necessary CUI markings and distribution limitations”;
• “Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas”;
• “Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards”;
• “Control the use of removable media on system components”;
• “Prohibit the use of portable storage devices when such devices have no identifiable owner”; and
• “Protect the confidentiality of backup CUI at storage locations.”
The other families are similar in structure, though not all have derived requirements. Unlike the “Foundational” requirements for CMMC Level 1, NIST SP 800-171 provides further discussion paragraphs defining terms and explaining how the tasks may be accomplished.
For those contractors subject to Level 2 but without information critical to national security, Level 2 requires self-assessment, as with Level 1. For contractors on prioritized contracts—those with information critical to national security—Level 2 imposes the most salient feature of CMMC, outside certification assessment. Under CMMC Level 2, these contractors will have to obtain third-party certification on a triennial basis. In January 2020, to effectuate this requirement, DoD created a CMMC Accreditation Body, made up of members of the DIB, the cybersecurity community, and the academic community, which body will, in turn, accredit CMMC Third Party Assessment Organizations (C3PAOs) and the CMMC Assessors and Instructors Certification Organization (CAICO).
These C3PAOs will audit defense contractors to verify that they are meeting the certification assessment program’s requirements, which include “the most rigorous standards for protecting [CUI] and non-federal networks.” The responsibility will fall on the contractor to obtain the needed assessment certification, including coordinating and planning the CMMC assessment. DoD has provided guidance identifying the assessment objective for each of the requirements in NIST 800-171, and the anticipated physical examination, testing, and interviews of contractor personnel. This third-party certification assessment, for which there was no prior equivalent, represents the biggest change for Level 2 contractors from previous DoD cybersecurity requirements.
C. CMMC Level 3 Imposes More Than 110 Security Practices and a Government-Inspection Requirement on Contractors Handling the Most Sensitive CUI
Level 3 applies to contracts whose performance requires handling the highest priority CUI. It will be used to provide additional protection for CUI when contractors handle information “associated with critical programs or high value assets.” This level will apply to the very small minority of CMMC-covered contractors holding the most sensitive information.
Following the tiered approach, Level 3’s requirements are stricter than Level 2’s, incorporating the 110 practices of Level 2 while adding 24 additional practices aligned with NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. NIST SP 800-172 contains 35 of these enhanced requirements, organized and numbered so that NIST SP 800-171 and NIST SP 800-172 can be combined to provide a single “enhanced” list of 145 requirements across 14 families. The rule implementing CMMC identifies the specific 24 practices from NIST SP 800-172 that CMMC Level 3 will require.
As the title suggests, NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, contains “enhanced requirements” intended to “supplement the basic and derived security requirements in NIST Special Publication 800-171.” NIST designed these enhancements to counter more sophisticated adversaries who seek to maintain their footholds within infrastructure over time, including by adapting to defensive measures. The requirements in SP 800-172, then, assist organizations not only to resist penetration but also to limit damage and to build resilience and survivability in the event of breach. As a result, while SP 800-171 focuses primarily on the protection of confidentiality, SP 800-172 addresses “confidentiality, integrity, and availability protection.”
The substantive requirements of Level 3, however, differ in degree, rather than kind, from those of Level 2. Level 3’s additional requirements have a broader focus, as noted above, but the majority of the requirements are in common; and all, even the enhanced requirements adopted from SP 800-172, are similarly framed as general narrative descriptions of the best practice in question. For example, the first “Configuration Management” security requirement (CM.L3-3.4.1e) is to “[e]stablish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.” The requirements of Level 3 thus reflect simply that companies in the DIB with critical CUI will be required to provide additional protections to safeguard that information.
Also consistent with the tiered approach, Level 3 involves a higher level of scrutiny, as appropriate for contractors handling the most sensitive information. To begin, Level 3 certification requires receipt of a CMMC Final Level 2 Certification Assessment as a prerequisite. The U.S. government itself, rather than the contractor or a third party, will conduct the triennial assessment of the contractor’s implementation of the requirements from NIST SP 800-172 that are not required under Level 2.
In sum, then, CMMC represents an adjustment rather than a wholesale change to DoD contractor cybersecurity policy, with additional requirements chiefly for contracts with more sensitive information. At Level 1, CMMC will mandate only what is already required for many contractors under the FAR’s basic cybersecurity requirements, plus a self-assessment. At Level 2, CMMC will require contractors to comply with NIST SP 800-171, as they currently do, and require, for contracts with more important CUI, certification by a third party instead of the current self-certification. Finally, Level 3 will add a layer of “enhanced” security requirements to contracts handling the most critical unclassified information with certification requiring an audit by the government itself. Given this structure, the lessons learned from the implementation of Section 889 will prove of limited applicability.
V. Section 889 Lessons Learned Applied to CMMC
The implementation of Section 889 has created significant effects on both contracting agencies and the DIB, as described in the interviews of procurement professionals outlined above. These effects include limitation of access to cutting-edge technology, uncertainty concerning the scope of Section 889 and the attendant risk of over-application, and cybersecurity benefits that are more hypothetical than real and should interest cybersecurity regulators. A comparison of Section 889 and CMMC shows that these effects are unlikely to arise during CMMC’s implementation because they stem from Section 889’s friend-shoring nature, which CMMC does not share. By contrast, those effects that CMMC will likely share with Section 889 are those effects created by any new regime of requirements, whether cybersecurity or otherwise. The lesson of this comparison, then, is that the adoption of friend-shoring means to achieve cybersecurity brings appreciable downsides that an expert-crafted, best-practices approach like CMMC can avoid. Although the impulse toward friend-shoring will likely continue, policymakers considering future cybersecurity measures should consider this lesson.
To begin with, the areas of expected similarity, those effects that will likely arise in the implementation of both Section 889 and CMMC, are those that would arise with the implementation of any new regulatory regime. One of the few areas of similarity is the burden on contractors and the associated impact on price. Professionals familiar with Section 889 identified that its implementation might raise contractor costs and otherwise discourage smaller businesses from participating in government procurement. Likewise, commentators have argued that CMMC’s burden may bar smaller contractors from entering U.S. government contract competition, and, more generally, CMMC will require additional efforts by contractors that will likely be reflected in price. These concerns are those that accompany any additional burden on contractors, as the increased cost of performance is a generally observed outcome of adding regulations.
Additionally, it can be expected that education of the DIB will be important in both cases. Interviewees noted that early exposure to the requirement, particularly among nontraditional firms, eased the transition and sped adaptation. CMMC, in turn, imposes long lists of requirements and calls for compliance checks for some contractors, which suggests that DIB preparation will be useful. The preparation and education of the DIB, however, is an important process whenever the government imposes a complex set of contractor requirements, and it is not related to the details of either program.
By contrast, CMMC will likely diverge from Section 889 when it comes to those lessons learned that relate to the actual contents of the two regimes: the means selected to achieve cybersecurity. Where the key lessons learned under Section 889 were the importance of obtaining subcontractor and supplier certifications and correctly scoping the reasonable inquiry into supplier use of covered equipment and services, CMMC will not require such efforts. As will be discussed below, CMMC does not share those aspects of Section 889 that drove these lessons learned, beginning with the statutory language of Section 889 and including other features that have caused uncertainty under Section 889 in practice, all of which relate to Section 889’s basic friend-shoring approach.
First, of course, the requirements under CMMC are simply different from those under Section 889. Under CMMC the contract tells the contractor which standards it must meet, and these standards are specific, concrete, limited in number, and relate to activities chiefly in the contractor’s control. CMMC has nothing like Section 889’s requirement that contractors certify that they do not supply or use banned products or services.
CMMC also does not appear to share the practical problems that require contractors to obtain certifications from the supply chain. CMMC raises no challenges comparable to those that, under Section 889, face contractors with poor information about components embedded further down the supply chain. By the same token, where Section 889 leaves government agencies with little to do in many cases but rely on the contractors’ assurance, CMMC offers the solution of outside certification for contractors handling more sensitive information.
Likewise, CMMC does not pose the same risk of overbroad application, from which arises the importance of correctly scoping the reasonable inquiry. The risk of inappropriate or unnecessary application of Section 889 rests on its breadth and uncertainty of application; CMMC does not pose such risks. Decisions about its applicability and the appropriate level depend on the nature of the government information a particular contractor will maintain under a particular contract. Moreover, CMMC establishes standards for a comprehensive list of cybersecurity activities, which relate only to access to, and control of, information; and each standard provides a concrete set of required tasks. While each standard may impose a significant burden on contractors, it does not admit the possibility of cybersecurity noncompliance occurring in an area apparently unrelated to cybersecurity—as with the laundry service that uses banned rearview cameras.
Moreover, the consequences of misapplication differ greatly between the two regimes in a way that limits this set of risks for CMMC as compared to Section 889. The risk of misapplication of CMMC is that the agency mischaracterizes the federal information that a contractor will handle during performance, which appears to be a less likely outcome than a contracting officer misapplying the definitions, exceptions, and waivers under Section 889. Further, the misapplication of CMMC would result, most likely, in unnecessary scrutiny of a contractor’s cybersecurity practices. Incorrect application of Section 889, by contrast, can result in federal contractors losing access to sources of components that may be critical or difficult to replace. It can even result in a contractor who uses and certifies using covered equipment in a manner permitted by Section 889 in the performance of a U.S. government contract being then excluded from other opportunities as a result. CMMC does not apparently have such potential. As a result, the application of CMMC will more likely be correct, and the consequences of incorrect application will be less severe. For all these reasons, CMMC’s focus on contractor activities and practices appears to avoid both the causes and effects of Section 889’s uncertainty in application.
Likewise, the main practical effects of Section 889 noted by the interviewees are unlikely to recur under CMMC because of CMMC’s effective assignment of responsibilities for cybersecurity. For example, the structure of CMMC avoids the disconnect between IT professionals, contracting officers, and contractors concerning the adequacy of cybersecurity measures that observers have reported with regard to Section 889. To implement CMMC properly, the contracting officer needs only to identify the sensitivity of the information to be handled under the contract, which can be determined ex ante in the statement of work and the prime contractor’s proposal. The government agency with the requirement is well-situated to provide that information to the contracting officer. The evaluation of compliance, in turn, is left to the contractor, the appropriate third party, or the government cybersecurity professionals who will do the substantive work of ensuring that the standards are met. No analytical burden falls on the contracting officer.
For the same reason, CMMC does not appear likely to operate as a “compliance” regime in the way that certain interviewees characterized Section 889’s operation. The requirements of CMMC are explicitly calibrated to the risk posed by the information to be secured, and CMMC directly assures a certain level of actual cybersecurity inasmuch as the subject matter experts at NIST have determined that its standards represent best practices to ensure cybersecurity for more sensitive data. Section 889, in contrast, rests on concerns that either lack comparable clarity—such as the legal obligation of Chinese firms to cooperate with Chinese security services—or have not been explicitly articulated—such as the risk posed by security cameras’ transferring intelligence to the Chinese security apparatus. Finally, for contracts with the most sensitive information, CMMC’s evaluation process itself provides contracting agencies certain assurance that contractors have met those requirements, independent of their certification, at least for Level 2 and Level 3 contracts. This choice can be contrasted with Section 889, where contracting officers will often be unable to determine which components in a supply chain pose the greatest risk and would be forced to rely on contractor certification in any case.
In the matter of U.S. government access to technology, CMMC also raises fewer new obstacles than Section 889. While CMMC standards may favor U.S. contractors inasmuch as they impose standards promulgated by the FAR council and NIST, U.S. bodies both, they do not otherwise favor domestic suppliers. Also, CMMC does not promise to preclude access to particular classes of technology in any systematic sense, in contrast to Section 889, which has an outsized impact on certain technologies for which covered firms are the chief global suppliers.
Consequently, CMMC poses challenges that are fundamentally dissimilar to and likely more limited than those posed by Section 889. The former appears to cause a general burden applied widely, one that, at most, requires increased resources and impacts the ability of individual contractors or the class of small contractors to compete for federal contracts. Section 889, by contrast, not only occupies resources and possibly excludes smaller contractors, but it also has the overall tendency to limit the goods and services available to the government, beyond even the explicit requirements of Section 889.
These differences also highlight the extent to which Section 889’s friend-shoring nature has predominated in its implementation. The experiences of the contractors and agencies interviewed for this paper have confirmed this view, as the most important features the interviewees noted arise from Section 889’s basic concept of requiring the agency, at the contract level, to exclude high-tech components from a global supply chain. Where CMMC’s suite of best practices covers a wide range of contractor activities, applies as well to subcontractors, and requires an arguably intrusive certification process, it nevertheless is poised to avoid the issues encountered with Section 889. The comparison of these two cybersecurity measures, then, confirms that the pursuit of cybersecurity through friend-shoring brings significant downsides that an expert-crafted, best-practices approach like CMMC can avoid.
Cybersecurity will remain a key concern for U.S. agencies, regulators, and lawmakers as information technology continues to promise the U.S. government greater capabilities for action and defense, and to offer adversaries asymmetrical vulnerabilities to exploit. Agencies, regulators, and lawmakers considering future cybersecurity measures should consider the lessons of this comparison when deciding on the appropriate means to achieve their cybersecurity ends. This lesson is particularly important given the current popularity and likely continued adoption of security-of-supply or friend-shoring measures in the wake of U.S. government concerns about competition with China.
As the structure of Section 889 shows, cybersecurity and friend-shoring can be pursued in a single statute. Setting aside the wisdom of such friend-shoring measures for achieving security of supply itself, the lessons learned noted in this article clearly show that friend-shoring as a cybersecurity tool has unique downsides—including the loss of access to technology, burdens on industry, and a chilling effect on arguably permissible activity—that lack a clear relationship with desired cybersecurity outcomes. In a time when friend-shoring is popular and available, policymakers concerned about cybersecurity should consider very carefully these downsides and the availability of alternative schemes, like CMMC, that deliver security outcomes with less disruption, confusion, and loss of technological advantage.
VI. Conclusion
In short, this evaluation of the lessons learned from the implementation of Section 889 in light of CMMC demonstrates that CMMC and Section 889 will likely have in common only those effects that arise with the addition of any general requirement. By contrast, the most serious challenges resulting from Section 889 stem from specific features implementing its friend-shoring policy and will not be seen with CMMC. This evaluation, then, demonstrates that the pursuit of cybersecurity through friend-shoring means creates a set of challenges for both agencies and the DIB that a best-practices regime can avoid. The recent history of friend-shoring activity and the current geopolitical situation, moreover, show that such security-of-supply measures will likely continue to be a significant feature of procurement. As a result, this conclusion will remain relevant for policymakers considering future cybersecurity measures.