DOD's Interim Rule Adds A New Twist To Implementing Cyber Maturity Model
Government Contracts Partner Eric Crusius was cited in a Federal News Network article about the interim rule issued by the Pentagon under the Defense Federal Acquisition Regulations to add more clarity around the Cybersecurity Maturity Model Certification (CMMC) implementation timeline and the requirements contractors will have to adhere to over the next five years. One surprise is the new requirement for vendors working at medium or high security levels to undergo an assessment by the government of how they comply with the standards outlined in Special Publication 800-171 from the National Institute of Standards and Technology.
Mr. Crusius said the assessments seem redundant with CMMC and may just be a stopgap until DOD can roll the standard out over the next five years. “It appears that there are additional steps contractors have to take as they have to score their compliance with 800-171, go through 110 controls and determine how many they are compliant with,” he said. “I thought the approximate costs of compliance with 800-171 and the number of companies seem to be underestimated. The burden on contractors to get these 800-171 reviews right will be much more than DOD thinks.”