Howard Roth to Speak at Upcoming Webinar on Department of Defense’s (DOD) New Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense’s (DoD) New Cybersecurity Maturity Model Certification (CMMC) released in early 2020, is a new tiered cybersecurity framework that all DoD contractors (both prime and subcontractors) will need to implement. The CMMC adds audits to assure compliance to one of 5 CMMC levels, depending on your contract […]
Cybersecurity is not a new concern, but its attention has grown significantly in recent years due to the increasing sophistication of persistent threats to the defense base from foreign and domestic actors alike. By some accounts, the USG loses approximately $600 billion each year to cyber-related thefts. These concerns have been the driver for DoD’s Cybersecurity Maturity Model Certification (CMMC) initiative as a necessary means for establishing a unified framework of systems, controls and standards to safeguard national security interests.
Cybersecurity compliance has become an increasingly trending and important area for government review, especially by the Department of Defense (DoD), placing an emphasis on defense contractors and the government alike in ensuring that sensitive government data residing on nongovernment systems are protected from third party intrusion and disclosure. Indeed, recent cases in False Claims Act litigation have demonstrated just how serious a contractor’s noncompliance with cybersecurity requirements can be. For example, in U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., the court, in denying the defendant’s motion to dismiss, allowed a non-intervened qui tam complaint to proceed, where the relator alleged that the defendant’s systemic noncompliance with contractual cybersecurity standards resulted in the submission of false claims that the relator claimed warranted the imposition of treble damages that could far exceed the value of the contracts themselves. 2019 WL 2024595 (E.D. Cal. May 8, 2019). Notably, the court held that the relator had sufficiently pled violations of the False Claims Act even though, as the defendant argued, the regulations in question had recently been issued, frequently amended, and some agency guidance could reasonably be construed as relaxing any requirements. Id.
Howard Roth will speak on cyber security at the NCMA Puget Sound Chapter meeting on Thursday, May 30th. The Q&A happy hour session will benefit both contractor and government contracts professionals as they navigate the latest in cyber security requirements. Due to space limitations, please reserve your spot by emailing […]
The DoD Is Watching Contractor Cyber Security Compliance: DoD Will Use the Defense Contract Management Agency to Audit Contractors’ Supply Chain Compliance with the DFARS Safeguarding Clause
2018 was another banner year for government contract cybersecurity requirements. Reports separately released by OMB and MITRE suggest that risks for cyber intrusions remain as prevalent as ever, if not more so. Accordingly, dozens of statutory, regulatory, and agency guidance memoranda on this critical subject were released in 2018 and more are expected to come in 2019, and beyond, as those measures are fleshed out for further development and implementation.
One of these more significant developments is the Department of Defense’s (DoD) increased emphasis on maintaining supply chain integrity for cybersecurity risks. In this regard, the DFARS Safeguarding Clause 252.204-7012, which applies in all DoD procurements, governs the protection of covered defense information provided to or generated by defense contractors. In particular, the Clause requires contractors that access covered defense information to take precautions to protect this information. It also requires that contractors who access this information report cyber incidents, submit malicious software to the Department of Defense Cyber Crime Center, and facilitate a damages assessment in the event of a cyber incident. The Clause also defines covered defense information to be unclassified controlled technical information or other information marked as such in the contract, or collected, developed, received, transmitted, used, or stored on behalf of the contractor in support of the performance of the contract.
Federal government contractors, grantees and those with cooperative agreements may find themselves in possession of (or handling) government information which the U.S. Department of Defense (DoD) considers to be sensitive or confidential but not considered “classified.” On Dec. 31, 2017, in accordance with DFARS 252.204-7012 the National Institute of Standards and […]