January 24, 2022

Volume XII, Number 24


January 21, 2022


Updates Announced to Department of Defense Cybersecurity Certification Program

The Department of Defense (DOD) recently announced several changes to its Cybersecurity Maturity Model Certification program. The program applies to those who serve as contractors and suppliers to the DOD. As described in our sister blog, the new version of the program – “CMMC 2.0” – has several important differences from the original program. CMMC 2.0 is anticipated to go into effect anywhere from nine to 24 months from now.

Key differences include:

  • Restructuring the program to allocate information systems into three levels (rather than five) depending on the type of information companies maintain within those systems. Depending on level, companies need to provide different levels of security for the information they handle.

  • Allowing Level 1 companies to self-assess (rather than having assessment and certification by a third party). Also allowing self-assessment for certain acquisitions at Level 2.

  • Aligning the required practices with National Institute of Standards & Technology (NIST) cybersecurity standards.

  • Increasing oversight of third-party assessors.

  • Allowing companies who have not yet met compliance requirements to remediate under strict timelines. Also includes waivers in limited circumstances.

The new program aligns with current regulations regarding protection of Controlled Unclassified Information (CUI). These regulations already require NIST SP 800-171 as the minimum level of security for CUI. They also require a self-assessment or DOD assessment against the NIST SP 800-171 controls and an associated report to DOD.

Putting it into Practice: Companies who contract with the DOD (or are part of the DOD supply chain) will want to review their cybersecurity program and update their compliance plans to ensure that they are working towards the new streamlined CMMC 2.0.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 314

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917
Nikole Snyder Associate DC Government Contracts, Investigations and International Trade
Associate

Nikole Snyder is an associate in the Government Contracts, Investigations and International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Nikole represents government contractors in various government contracts litigation and counseling matters, including in the following areas:

  • Civil False Claims Act litigation defense;

  • Cybersecurity counseling;

  • Internal investigations;

  • Small business issues under the Small Business Administration regulations, including...

202-747-3218