Attorneys Say Defense Dept. Must Provide More Transparency On Audit Results From CMMC Program
Government Contracts Partner Eric Crusius was quoted in an Inside Cybersecurity article about an interim rule released by the Pentagon that raises issues about the transparency around audit results from assessors and who will have access to the information under the U.S. Department of Defense's (DOD) cyber certification program. The rule sets up the implementation of the Cybersecurity Maturity Model Certification (CMMC) program and a new set of requirements for contractors who want to do business with the DOD, through the National Institute of Standards and Technology Special Publication 800-171 and the CMMC Framework.
Mr. Crusius said the self-assessment allowed under 800-171 requires contractors to “be especially careful…because now third-parties (be it the government or an assessor) can come in and verify compliance. While some DOD verification of compliance with 800-171 is to be expected, it will be interesting to see how voluminous these audits are and how they impact a CMMC assessment.”