Government Contracts Partner Eric Crusius was quoted in an Inside Cybersecurity article about an interim rule released by the Pentagon that raises issues about the transparency around audit results from assessors and who will have access to the information under the U.S. Department of Defense's (DOD) cyber certification program. The rule sets up the implementation of the Cybersecurity Maturity Model Certification (CMMC) program and a new set of requirements for contractors who want to do business with the DOD, through the National Institute of Standards and Technology Special Publication 800-171 and the CMMC Framework.
Mr. Crusius said the self-assessment allowed under 800-171 requires contractors to “be especially careful…because now third-parties (be it the government or an assessor) can come in and verify compliance. While some DOD verification of compliance with 800-171 is to be expected, it will be interesting to see how voluminous these audits are and how they impact a CMMC assessment.”