Defense Department Certification Body Could Itself Conduct Audits Under Interim Rule
Government Contracts Partner Eric Crusius was cited in a Nextgov article discussing an interim rule implementing the Defense Department's Cybersecurity Maturity Model Certification (CMMC) program for contractors. Under the rule, prospective contractors handling sensitive information will have to be assessed by an independent third party, and the rule calls for a nonprofit accreditation body to oversee that process. However, the rule also says the CMMC's own accreditation body may conduct the assessments itself, raising questions about how a contractor could dispute the outcome of an assessment and whether there will be reciprocity agreements with other certification programs.
"There is a lot of gray about the legal responsibilities between the contractor, assessor, assessor's employer, and the CMMC Accreditation Board and what legal rights contractors have if they disagree with an assessment and that prevents the contractor from obtaining a contract," Mr. Crusius said. "The AB was requiring assessors to carry insurance and this may be one of the reasons why."