Photo of Maida Oringher Lerner

Maida Oringher Lerner

Subscribe to Maida Oringher Lerner's Posts

Maida Lerner is senior counsel in Crowell & Moring's Washington, D.C. office and a part of the firm's Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Contact:Read more about Maida Oringher Lerner

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.Continue Reading An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels

On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors.  The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies.  The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:Continue Reading Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements

On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] Continue Reading Cybersecurity Matured:  DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program

On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts. Continue Reading DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause

On May 14, 2024, the National Institute of Standard and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and its companion assessment guide, NIST SP 800-171A, Revision 3 (collectively, “Rev. 3 Final Version”).  While the Department of Defense (DoD) is not requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3 for now, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cyber Maturity Model Certification (CMMC) program. Continue Reading NIST Releases Final Version of NIST SP 800-171, Revision 3

On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), specifying that contractors subject to the clause must comply with NIST SP 800-171, Revision 2.  The deviation (labeled Deviation 2024-O0013) will delay the incorporation of NIST

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.Continue Reading Software Developments: CISA Finalizes Attestation Form, Triggering Secure Software Development Implementation

On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.Continue Reading DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule

On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.”  The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls.  The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor.  Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).Continue Reading The Holidays Come Early: NIST Unwraps Final Draft Revision 3 to NIST SP 800-171

On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.

The new clauses aim to improve privacy and security measures around CUI by introducing: (1) general CUI handling requirements; (2) authority to operate (ATO) requirements for federal information systems; (3) incident reporting requirements and activities; and (4) sanitization of government related files and information. These new clauses move DHS away from the use of DHS-defined sensitive information and toward the government-wide CUI model. Continue Reading Homeland Cybersecurity: DHS Overhauls Its CUI Program, Releases New Contract Clauses