Last Updated on June 28, 2022
The US Department of Defense (DoD) recently announced that contracts requiring CMMC 2.0 certification will be awarded starting in May 2023. DoD officials have also been emphasizing that “nothing has changed” with CMMC. The implication is that Defense Industrial Base (DIB) orgs have been self-attesting to NIST 800-171 compliance for years, so there’s no excuse not to be ready.
John Verry, Pivot Point Security CISO and Managing Partner, offers an update on the DoD’s recent CMMC 2.0 announcements and related scuttlebutt on a recent episode of The Virtual CISO Podcast.
Nothing has changed… since 2017
Especially since CMMC V2 eliminates any additional control requirements and focuses the program squarely on NIST 800-171 compliance to protect controlled unclassified information (CUI), arguably “nothing has changed” since NIST 800-171 compliance was first mandated in DoD contracts back in December 2017. DIB orgs that have been attesting to compliance all this time are now just undergoing a third-party validation process to confirm the required controls are in place.
This has been John’s view all along, and he’s quick to point out that if your company has been handling CUI but isn’t in compliance with NIST 800-171, you need to move quickly to close that gap or face significant repercussions.
Beware the False Claims Act
The DoD is also reminding DIB orgs about the Civil Cyber-Fraud Initiative from the US Department of Justice (DoJ). This initiative emphasizes that if your business fails to comply with the cybersecurity requirements specified in your contracts, you could face hefty fines under the False Claims Act in addition to losing your contracts.
In other words, be warned that contract enforcement has been stepped up. The DoJ has already shown that it will not hesitate to prosecute even the largest enterprises for false claims, with billions of dollars being recovered in recent years.
What is the likelihood that your org would be singled out? It could be quite high, given that the new False Claims Act legislation offers monetary incentives to whistleblowers. Aerojet Rocketdyne recently found that out the hard way, to the tune of over $9 million.
Another way DIB orgs can end up in a review process leading to a false claims action is following a data breach. Per DFARS guidance, defense suppliers are required to report security incidents. So, how did that bad stuff happen if you were in compliance with NIST 800-171? Compliance doesn’t equal security—but it certainly makes a breach far less likely.
To listen to this CMMC update podcast with John Verry, click here.
Interested in CMMC 2.0 guidance? You’ll appreciate this recent podcast episode: EP#82 – Kyle Lai & Caleb Leidy – Ongoing Challenges in CMMC