Investigations, Enforcement, & Compliance Alerts

Cybersecurity requirements for contractors doing business with the U.S. federal government are nothing new. 

Last month, the U.S. Department of Defense (DOD) published a Proposed Rule setting out planned revisions to the Defense Federal Acquisition Regulations (DFARS) to implement the requirements of the Cybersecurity Maturity Model Certification program (CMMC 2.0) proposed in December 2023.[1] CMMC 2.0 is a framework for verifying a DOD contractor’s implementation of cybersecurity measures that the DOD requires to protect sensitive unclassified information including Controlled Unclassified Information (CUI), and Federal Contract Information (FCI). The Proposed Rule revises the DFARS to reference the CMMC 2.0 requirements that were proposed in December 2023. This includes changes to the existing CMMC clause at DFARS 252.204-7021, the creation of a new solicitation provision to accompany DFARS 252.204-7021 which will provide notice of the CMMC 2.0 requirement, the establishment of a plan for a phased rollout of the Proposed Rule, and the addition of certain new definitions. The Proposed Rule’s comment period ends on October 15, 2024.

The Department of Defense (DOD) is expected to finalize a new rule by the end of 2023 that will significantly enhance the Cybersecurity Maturity Model Certification (CMMC) framework and related cybersecurity requirements for defense contractors. 

The National Institute of Standards and Technology (NIST) continues to update its guidance, through Special Publication 800-171 (NIST SP 800-171) on how defense contractors and subcontractors of federal agencies should protect Controlled Unclassified Information (CUI). NIST SP 800-171 revision 3, which is expected to be published in early 2024, contains significant changes from the current version (revision 2). Among many modifications, the initial public draft of revision 3, released on May 10, 2023, introduces new security controls, incorporates more detailed security requirements, and provides mechanisms for agencies to tailor their security requirements to their specific needs. These changes may require contractors currently handling CUI to review and revise their information security controls to remain in compliance with their contracts.