Highlights
- For the third time in five years, the U.S. Department of Defense (DOD) announced new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information.
- The Cybersecurity Maturity Model Certification (CMMC) 2.0 improves upon its earlier version by reducing the model to three cybersecurity levels, removing bespoke CMMC requirements and permitting self-assessment affirmations for Level 1 and part of a bifurcated Level 2.
- Self-assessment affirmations create substantial risks of future False Claims Act (FCA) U.S. Department of Justice (DOJ) investigations and qui tam suits, and this alert explains steps that can be taken to reduce such risks.
With the announcement of a revamped Cybersecurity Maturity Model Certification (known as CMMC 2.0), for the third time in five years, the U.S. Department of Defense (DOD) announced new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information, that is, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). By referring to the new cybersecurity standard as CMMC 2.0, the DOD implicitly recognizes the likelihood of future versions at an unknown cost to the Defense Industrial Base (DIB).
Nevertheless, version 2.0, which was released after a seven-month review by the Biden Administration, reflects the DOD's assessment of the DIB's...
Read Full Story:
https://www.mondaq.com/unitedstates/government-contracts-procurement-ppp/1140...