CMMC 2.0 to Pare Down Cybersecurity Requirements for Contractors
Government Contracts attorney Eric Crusius was interviewed by FedScoop about proposed rule changes from the U.S. Department of Defense that will reduce some cybersecurity compliance requirements for contractors. Under the proposed changes, the Cybersecurity Maturity Model Certification (CMMC) will no longer require every contractor to obtain a third-party certification; instead, level three of the CMMC will be bifurcated, and only prioritized contracts will require third-party assessments. Mr. Crusius commented that the precise nature of the model remains unknown, but cautioned that allowing companies to self-certify could increase False Claims Act litigation.
"There would [likely] be a lot more room for whistleblowers under that regime," he said.