Sunday, July 13, 2025

GovCon Expert Payam Pourkhomami: DOD GovCons Face Rising Whistleblower Risk Under CMMC 2.0 - GovCon Wire

By Payam Pourkhomami, President & CEO of OSIbeyond

The Department of Defense’s Dec. 16, 2024 final rule on the Cybersecurity Maturity Model Certification program marks a decisive shift in how defense contractors must approach cybersecurity compliance.

Under the CMMC clause (DFARS 252.204-7021), contractors must meet one of three certification levels based on the sensitivity of the information they handle. Level 1 requires annual self-assessments for basic Federal Contract Information, or FCI, while Level 2 demands either self-assessments or third-party certification for Controlled Unclassified Information, or CUI. The most stringent, Level 3, requires Department of Defense assessments for critical programs and high-value assets.

Any contractor that signs a contract with the DFARS 252.204-7021 clause is legally attesting to compliance with some or all of NIST SP 800-171, a set of requirements whose primary goal is to ensure that CUI is protected when it resides in nonfederal information systems and organizations. When contractors knowingly misrepresent their compliance with required security controls, they expose themselves to potential False Claims Act lawsuits, which can be initiated by employees who witness non-compliance.

False Claims Act: The Government’s Cyber Enforcement Tool

The False Claims Act, originally enacted in 1863 to combat Civil War procurement fraud, remains the federal government’s primary tool for combating fraud against taxpayers. The Act imposes...

Read Full Story: https://news.google.com/rss/articles/CBMigwFBVV95cUxQRWxYUkdSYVYyaG9LdGFqRm9x...