Georgia Tech Procurement Assistance Center


CMMC 2.0 simplifies requirements but raises risks for government contractors

December 14, 2021 By Nancy Cleveland

With the announcement of a revamped Cybersecurity Maturity Model Certification (known as CMMC 2.0), for the third time in five years, the U.S. Department of Defense (DOD) announced new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information, that is, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). By referring to the new cybersecurity standard as CMMC 2.0, the DOD implicitly recognizes the likelihood of future versions at an unknown cost to the Defense Industrial Base (DIB).

Nevertheless, version 2.0, which was released after a seven-month review by the Biden Administration, reflects the DOD’s assessment of the DIB’s concerns and the DOD’s efforts to streamline and improve upon its earlier version after criticisms aimed at its cost and complexity. Specifically, CMMC 2.0 collapses CMMC 1.0’s five tiers into three simplified tiers that are based on the cybersecurity framework implemented and that are devoid of additional CMMC-unique practices and processes. CMMC 2.0 also will allow “annual self-assessment with an annual affirmation by DIB company leadership” for Level 1 and part of the new bifurcated Level 2 (formerly Level 3). Otherwise, an independent third-party assessment or government-led assessment will be required.

Besides CMMC 2.0, contractors with CUI are also required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7020. Collectively, these clauses require contractors to enter their compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 into DOD’s Supplier Performance Risk System (SPRS). DOD will identify medium- and high-risk contracts and perform independent assessments of contractor compliance with NIST SP 800-171, checking whether a contractor’s actual compliance matches what it entered into SPRS. Contractors should also be mindful of whether these disclosures match their prior acceptance of contracts with DFARS 252.204-7012, which required full compliance with NIST SP 800-171.

The return of self-assessment, which was the bedrock of the first DOD cybersecurity standards set out in DFARS 252.204-7012 and whose failure led to the development of CMMC 1.0, creates substantial risks to DIB companies and their leadership. The U.S. Department of Justice (DOJ) recently announced a new Civil Cyber-Fraud Initiative that emphasizes the use of the False Claims Act (FCA), 31 U.S.C. § 3729 et seq., to bring civil actions against government contractors who knowingly misrepresent their cybersecurity practices and protocols. The FCA allows the government to recover treble damages and permits qui tam suits, which allow whistleblowers to receive a portion of the monies recovered by the government. In addition, other regulatory agencies have brought enforcement actions for alleged false certifications concerning compliance with agency-required cybersecurity standards. Thus, the risk of a DOJ investigation or a qui tam suit connected with a DIB company’s self-assessment affirmation is very real, and this announcement, coupled with the self-certification options in CMMC 2.0, should not be seen as a coincidence. Nevertheless, companies can reduce such risks with appropriate cybersecurity policies and a culture of compliance.

Continue reading at: JD Supra
