CMMC hot take: What stands out in the draft rule
This video conversation features Matt Travis, CEO of the Cyber AB, and Eric Crusius, partner with Holland & Knight, who give their first impressions on the draft CMMC rule and where things go from here.
Our newest CMMC video is out and features my conversation Matt Travis, CEO of the Cyber AB, and Eric Crusius, partner with Holland & Knight, about their impressions of the Cybersecurity Maturity Model Certification draft final rule now that it is released.
CMMC is the Defense Department’s effort to assure that confidential but unclassified information, so called CUI, is securely held in defense contractors’ systems.
Prime contractors and their subcontractors will go through third-party assessments certifying that they meet certain NIST standards. DOD released the draft CMMC final rule on Dec. 26.
Several things stand out in this conversation:
- Small businesses face the same security requirements as large businesses. There are no deferments or opt-out mechanisms.
- Prime contractors will be responsible for enforcing compliance of the subcontractors.
- DOD will put CMMC requirements on managed service providers and managed security service providers, but the details are TBD.
- Contractors also face False Claims Act risks because of the draft rule's requirements on affirmations, which say you have met the requirements. The government can seek financial penalties against companies if there are issues.
Watch the video for more. You can access it via this link.
Follow these links to watch our prior videos on CMMC: