Pentagon Strips Down CMMC Program to Streamline Industry Cyber Assessments
Government Contracts attorney Eric Crusius spoke with the Federal News Network about the U.S. Department of Defense's plan to reduce cybersecurity compliance requirements for federal contractors. The proposed changes to the Cybersecurity Maturity Model Certification (CMMC) would greatly reduce the number of companies required to obtain third-party assessments and provide a new waiver process for certain requirements. Under the revamped program, coined "CMMC 2.0" by the Defense Department, contractors who do not handle controlled unclassified information will only have to perform annual self-assessments. Mr. Crusius cautioned that this aspect "makes it more dangerous for contractors because it sets up a False Claims Act litigation bonanza," as it gives whistleblowers more opportunities to second-guess a company. He also commented that the Defense Department could move quickly in implementing the changes.
"Hackers aren't going to wait for us to get our ducks in a row," he said. "Rulemaking can go pretty quickly if they prioritize it. If they issue a rule later this year, I could certainly see the final rule coming out next year and ramping up pretty quickly."