New Proposed Rule for CMMC 2.0 Lays Out Security Requirements, Raises Some Eyebrows
Government Contracts attorney Eric Crusius was quoted in a Breaking Defense article about the U.S. Department of Defense's (DoD) new proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program. The article examines the specific security requirements the rule would impose on defense contractors and subcontractors, and highlights concerns about the balance between stronger cybersecurity and regulatory burden. Mr. Crusius addressed the risks created by the annual affirmations the proposed rule requires, emphasizing that contractors must navigate the evolving CMMC program carefully to limit their exposure under the False Claims Act (FCA). He added that the DoD and the U.S. Department of Justice will likely scrutinize these affirmations, making it all the more important for contractors to take a methodical approach to compliance.
"So as an organization, you may have three separate affirmations that can be filed at different times throughout the year depending on your ecosystem and what you're required to do," he explained. "Also, changes to the system could require a new certification. Who makes that judgment and how that judgment is made can also be subject to a False Claims Act risk. So, all that to be said, it points to the direction that the contractor has to be so careful when dealing with the CMMC program and ensuring that they've dotted all their i's, crossed all their t's and if they can afford it, bring in third parties who know this stuff really well and that can help them out."