For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. Originally, November 30, 2020, was the deadline for DoD to implement a standard methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Concurrently, the DoD would roll out CMMC as a certification process designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. This certification, in turn, would be required for performance of DoD contracts.
Suzanne focuses her practice on government contracts law and commercial litigation. She assists prime contractors, subcontractors and public buyers with issues related to their government contracts, from the pre-solicitation phase to contract close out, and has advised clients on issues pertaining to multi-billion dollar contracts.
On Nov. 4, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”
In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove additional controls added under the initial program and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) will be able to self-attest satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) will take a bi-furcated approach to certification with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors will be able to self-attest satisfaction. In the coming weeks, DoD will announce the approach for Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), which will likely be subject to the audit process as well as heightened requirements.
Continue Reading See ya, CMMC. Hello, CMMC 2.0: DOD Announces Suspension of Current Information Security Certification Program
You may have heard news recently that federal government agencies were directed to stop using products made by the computer security vendor Kaspersky Lab because of potential security risks from links between Kaspersky officials and the Russian government. The directive was issued by the U.S. Department of Homeland Security (DHS) Secretary Elaine Duke on Sept. 13, 2017.
Kaspersky products have broad access to files and elevated privileges on the computers on which they are installed. As a result, the DHS…
Continue Reading DSS Directs Federal Government Contractors to Stop Using Products Made by AO Kaspersky Lab
In January, we wrote about the new training requirement for employees who handle personally identifiable information (“PII”) or who build systems containing PII. On the same day that rule went into effect, Jan. 19, 2017, three related Department of Homeland Security (“DHS”) proposed rules were published in the Federal Register covering mandatory privacy training, information technology (“IT”) security awareness training, and the safeguarding of controlled unclassified information (“CUI”). Comments on all three proposed rules are due on Monday, March 20,…
Continue Reading DHS Proposed Rules Cover Privacy Training, IT Security Awareness Training and the Safeguarding of CUI