By Dr. Fabian Ibel
The Long Arm of U.S. Jurisdiction
U.S. jurisdiction has long arms. It is often overlooked, sometimes even by compliance officers, that U.S. law may apply to non-U.S.-residents or cases that occur outside the United States (“extraterritorial jurisdiction”).
Compliance officers of foreign corporations are therefore well advised to consider not only domestic law, but also the relevant U.S. rules and regulations by integrating them into their risk management.
For example, the U.S. Foreign Corrupt Practices Act (FCPA) may apply to non-U.S. corporations and individuals if the relevant activities involving corruption and bribery have a substantial U.S. link, e.g. when the U.S. financial system is involved or the relevant activities are carried out within U.S. borders.
Furthermore, the provisions of ITAR (International Traffic in Arms Regulations) or the Export Administration Regulations (EAR) may establish jurisdiction over foreign entities. Hence, when an ITAR-controlled good listed on the U.S. Munitions List (USML) is re-exported from one non-U.S. supplier to another non-U.S. customer, prior approval by the responsible U.S. authority, the Directorate of Defense Trade Controls (DDTC), is required.
Thirdly, one may mention the Alien Tort Statute (ATS), 28 U.S.C. § 1350, which grants federal district courts original jurisdiction over any civil action where an alien is sued for a tort committed in violation of the law of nations or of a treaty of the United States. Many high-profile cases involving human rights violations, including those with political and historical significance, have been decided by U.S. courts based on the ATS. In a key decision in 2013 (Kiobel v. Royal Dutch Petroleum Co.), the U.S. Supreme Court limited the scope of the ATS, holding that jurisdiction should only be granted for violations of international law occurring within the United States.
Finally, the long arm of U.S. law may also reach into the IT security architecture of foreign industrial companies.
When a medium-sized company designs and supplies defense equipment or parts thereof while processing controlled and sensitive information, the U.S. IT security standards CMMC and NIST SP 800-171 have to be applied.
This article provides an introduction to the legal background as well as practical tips for implementation.
Protecting Controlled Unclassified Information (CUI)
Usually, a managing director or an IT (compliance) officer in Germany is familiar with the Act on the Federal Office for Information Security (BSIG) and the international standard for information security management, ISO 27001, and has at least heard of the EU NIS 2 Directive, which is to be transposed into national law by October 2024.
However, under certain circumstances, he will be facing CMMC and NIST SP 800-171. The first “encounter” with these requirements may be provoked by a message from a customer which reads as follows: “Our next project involves CUI and FCI concerning the DIB, so DFARS require compliance with NIST SP 800-171 and CMMC. Please register at PIEE and SPRS…”
Confronted with these abbreviations, our officer may feel like Asterix trying to obtain permit A38 in the “place that sends you mad”.
One may be tempted to delegate this special task to another colleague – volunteers first!
As there is no way around it, let’s dive into it.
As the Department of Defense (DOD) states, the Defense Industrial Base (DIB) is the target of more frequent and complex cyberattacks. DIB refers to the worldwide industrial complex that enables research and development of military weapons systems, subsystems, and components or parts.
As part of its cybersecurity strategy, DOD has developed a series of regulations and procedures in order to protect American ingenuity and national information, such as CMMC and NIST SP 800-171, which may apply – under certain circumstances – to companies worldwide.
CMMC stands for Cybersecurity Maturity Model Certification and is a framework that measures a company’s cybersecurity maturity. CMMC is intended to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables U.S. warfighters.
The CMMC model is designed, in particular, to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is shared with contractors and subcontractors of the department through acquisition programs.
Federal Contract Information (FCI) includes information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government; no FCI is involved when information is provided by the government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
Controlled Unclassified Information (CUI) is government-created or -owned unclassified information that allows for, or requires, safeguarding and dissemination controls pursuant to laws, regulations, or government-wide policies. DOD maintains a CUI Registry, which provides information on specific CUI categories and subcategories, divided into a group of subject areas such as Defense, Export Control, Nuclear, NATO etc. In the field of Defense, one may find so-called Controlled Technical Information (CTI), defined as technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Along with CMMC, relevant companies need to comply with NIST SP 800-171. Whenever Controlled Unclassified Information (CUI) is processed, companies shall implement NIST SP 800-171, i.e. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. The publication provides federal agencies with recommended security requirements and guidelines for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations.
The publication outlines 110 security requirements clustered into 14 categories. These categories cover various aspects of information security, including access control, incident response, media protection, and more.
CMMC is based on NIST SP 800-171, as the CMMC maturity level depends on the implementation of the NIST requirements.
CMMC has been revised, and CMMC 2.0 is expected to become effective at the beginning of 2025. CMMC 2.0 evolves the first version: it streamlines the requirements into three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards. Level 1 (Foundational) requires contractors and subcontractors to perform self-assessments, Level 2 (Advanced) may require assessments by a CMMC third-party assessment organization (C3PAO) (when critical CUI is involved), and Level 3 (Expert) requires assessments by government assessors.
Defense Federal Acquisition Supplement (DFARS) as Legal Basis
The requirements above arise from the Defense Federal Acquisition Regulation Supplement (DFARS).
DFARS is a set of regulations that supplement the Federal Acquisition Regulation (FAR) specifically for the DOD.
DFARS was initiated in 2016 as a requirement for contractors within the Defense Industrial Base (DIB) to increase their data education, physical security, cybersecurity measures, and cyber-attack reports and alerts to the DOD. The set of regulations aims to protect sensitive information and ensure cybersecurity in the defense supply chain.
The key provision is Clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”, which protects CUI from unauthorized access or disclosure.
The clause includes several requirements, such as:
Cyber incident reporting (e.g. rapidly report to DOD);
Handling malicious software (by submitting malicious software to the DoD Cyber Crime Center (DC3));
Media preservation and protection (by securing and documenting evidence);
Granting the counter-party access to additional information or equipment necessary for forensic analysis.
Most importantly, clause 252.204-7012 puts the requirements of NIST SP 800-171 into place. Clause 252.204-7012 lit (d) requires contractors to provide adequate security on all covered information systems and to implement NIST SP 800-171. CMMC derives from clause 252.204-7021, which requires the contractor to have a “current” (i.e. not older than 3 years) CMMC certificate at the CMMC level required by the relevant contract.
These requirements do not only apply to direct contractors of DOD dealing with CUI, but to sub-contractors as well. This is due to the subcontractor flow-down mechanism under 252.204-7012 lit (m) (NIST) or 252.204-7021 lit (c) (CMMC). Prime contractors shall include the clause in all subcontracts for operationally critical support or those involving CUI, ensuring that subcontractors comply with these requirements.
Security Procurement under German Law
German law also contains provisions relating to security procurement law governing the handling of sensitive data.
For example, § 7 VSVgV (German Defense and Security Procurement Ordinance) sets requirements for the protection of classified information (=”Verschlusssachen”) by companies.
Under § 7 VSVgV, applicants for public procurement contracts may be required to present safety notices (Sicherheitsbescheide) issued by the Federal Ministry for Economic Affairs or submit declarations of commitment (Verpflichtungserklärungen) on the protection of all entrusted classified information.
Similar to DFARS, § 38 (3) and § 40 VSVgV include flow-down mechanisms, i.e. the prime contractor’s obligation to bind the sub-contractor to the requirements under the VSVgV.
VSVgV relates to so-called Verschlusssachen (VS) only. Those are governed by the Classified Information Directive (Verschlusssachenanweisung, VSA), which is based on § 35 of the German Security Clearance Act (Sicherheitsüberprüfungsgesetz, SÜG).
Pursuant to § 2 (2) VSA, classified information (=Verschlusssachen) refers to facts, objects, or knowledge that need to be kept confidential in the public interest, especially to protect the well-being of the federal government or a state, regardless of their form of presentation (for example, documents, drawings, maps, photocopies, photographic material, electronic files and data carriers, electrical signals, devices, technical equipment, or spoken words).
Under § 2 (1) VSA, one has to distinguish four levels of classification:
No. 1 Top Secret (highest level)
No. 2 Secret
No. 3 Classified Confidential
No. 4 Classified For Official Use Only (lowest level)
The lowest level applies when unauthorized access could be detrimental to the interests of the Federal Republic of Germany or one of its states, § 2 (2) No. 4 VSA. A security clearance of persons who obtain access to this type of information is not required. Such a requirement applies only to persons who obtain access to classified information at the level of Confidential or higher.
The CUI that is relevant in the context of CMMC and NIST SP 800-171 is, according to U.S. law, explicitly not classified information. Therefore, only the lowest level of German VS could be compared to CUI.
Below the threshold of “Verschlusssachen” and beyond the requirements of special security procurement law, companies in Germany processing sensitive data will have to comply with the requirements of general IT legislation which is becoming more and more refined.
One has to mention the IT Security Act (IT-Sicherheitsgesetz) together with the relevant provisions of the Act on the Federal Office for Information Security (BSIG) and the Ordinance on the Determination of Critical Infrastructures under the BSIG (BSI-KritisV). Those are aimed in particular at operators of critical infrastructures and contain provisions on the protection of sensitive data and the obligation to report IT security incidents, similar to the requirements in DFARS.
Furthermore, member states of the European Union are required to transpose the EU NIS 2 Directive into national law. The NIS 2 Directive is expected to strengthen and expand the existing framework for cybersecurity across the European Union.
The Long Stairway to CMMC
If a company identifies CMMC as a possible obligation, the following recommendations may be helpful.
Do not lose time
Implementing CMMC is not an easy task. It is rather a multi-stage process that will require some time to be properly implemented. Start the project immediately, as soon as a request to implement CMMC comes to your attention for the first time.
Establish a project team
Establish a capable project team which includes employees from the IT department, the sales department (having detailed knowledge of the product and the business activity) as well as the compliance officer.
Check thoroughly whether CMMC is necessary at all
Before getting started, figure out whether CUI is involved in the particular project or not. A thorough examination of the applicability of CUI (including a double-check with your business partner) is especially recommended if your business is not a prime contractor of DOD, but only a downstream contractor in the supply chain.
The reason is that all the requirements, registrations and assessments outlined above depend on whether CUI is processed or not. If you manage to exclude CUI, it can save you a lot of work and money. In any case, make sure the examination is well documented.
Start the process
If CMMC compliance appears inevitable, start the process.
First, you need to register your company with the U.S. Government in the System for Award Management (SAM) at SAM.gov. Here, you may provide information including the NCAGE code (NATO Commercial and Government Entity code) and may apply for a Unique Entity ID.
In the course of registering at SAM, you need to complete a questionnaire based on the Federal Acquisition Regulation (FAR) and provide general and financial information as well. Since a taxpayer identification number (TIN) is available to U.S. entities only, non-U.S. entities are required to provide an Employer Identification Number (EIN). If a company does not have such a number, it must apply for the EIN at the Internal Revenue Service (IRS); a phone call in which the applicant has to identify himself is an obligatory part of the procedure.
Next, you need to register at PIEE (Procurement Integrated Enterprise Environment, eb.mil). At PIEE, one may perform the NIST SP 800-171 Basic Assessment (self-assessment) by completing a questionnaire. The result, i.e. the assessment score, is then stored in the SPRS (Supplier Performance Risk System). The SPRS is the authoritative source for retrieving supplier and product assessments for the DOD acquisition community to use in identifying, assessing, and monitoring unclassified performance.
If CMMC Level 2 is required, self-assessment is no longer sufficient; the entity’s cybersecurity maturity has to be audited by a CMMC third-party assessment organization (C3PAO). So far, these are hard to find outside the U.S., as the persons responsible for such C3PAOs must be U.S. citizens. Relevant providers can be found here.
Effort and costs can become significant. However, they may be reduced if the number of systems on which CUI is processed is kept low and if those systems are, where technically possible, separated from the rest of the network.
The Author:
Dr. Fabian Ibel is Compliance Officer at Harmonic Drive SE and Co-Founder of Truveo Compliance. He advises his corporate and private clients on all compliance related matters. Fabian is the author of several academic articles in the corporate and compliance law fields.