Assessment Draft for DOD Cyber Program Lacks Key Details
Government contracts and cybersecurity attorney Eric Crusius spoke with Law360 about the U.S. Department of Defense's (DOD) pending Cybersecurity Maturity Model Certification (CMMC) program. As a precautionary measure to combat the increasing frequency and complexity of cyber attacks, this program would enable third-party assessors to review certain contractors' CMMC compliance. The extensive 33-page proposal is receiving criticism for being overly complicated in some areas while lacking important details in others. Mr. Crusius highlighted that the draft specifies that contractors will be able to get a conditional certification that will allow them 180 days to address processes that are not yet fully CMMC-compliant. However, it's not clear whether contractors holding conditional certifications will be eligible for DOD contracts.
Mr. Crusius stated, "I suspect the answer is yes, because why would they have that program, if not? But what happens if a contractor fails to close out those open items? Will they lose their contract? If there's a disagreement on whether or not an item's been closed out, how does that disagreement get adjudicated?"
READ: Assessment Draft For DOD Cyber Program Lacks Key Details (Subscription required)