After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP). The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification. The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0. Continue Reading No Summer Break for Cyber: Newly Unveiled CMMC Assessment Process Provides Industry with Upcoming Assessment Insights
Maida Oringher Lerner
Maida Lerner is senior counsel in Crowell & Moring's Washington, D.C. office and a part of the firm's Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.
CMMC 2.0: DoD Unveils Sweeping Changes Streamlining CMMC Requirements
The Department of Defense (DoD) recently announced significant changes to its Cybersecurity Maturity Model Certification (CMMC) program intended to simplify the requirements and ease the compliance burden on contractors. Unlike its predecessor, the new CMMC 2.0 moves to three compliance levels rather than five; aligns the required security controls (known as practices) with National Institute…
NIST Finalizes Enhanced Security Requirements for Combating Advanced Cyber Threats
The National Institute of Standards and Technology (NIST) recently released the final version of NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. Designed to supplement the requirements in NIST SP 800-171—the applicable standard under DFARS 252.204-7012—800-172 provides 35 enhanced security requirements to protect controlled unclassified information (CUI) associated with…
The DoD’s Own Cyber Monday: Defense Department Releases CMMC Assessment Guides
Fresh off the heels of the DFARS Interim Rule, the Department of Defense (DoD) released Assessment Guides for Levels 1 – 3 of the Cybersecurity Maturity Model Certification (CMMC). These Guides will be used by Certified Assessors to determine whether contractors have satisfied the practices and processes required to attain CMMC certifications at…
NIST Enhances Final Draft of NIST SP 800-172, Enhanced Security Requirements
The National Institute of Standards and Technology (NIST) recently released the final public draft of NIST Special Publication (SP) 800-172, formerly known as Draft NIST SP 800-171B. Building on the security requirements in NIST SP 800-171, the applicable standard under DFARS 252.204-7012, 800-172 provides 34 enhanced requirements to protect Controlled Unclassified Information (CUI)…
Welcomed Guidance: DoD Issues Controlled Unclassified Information (CUI) Program Instructions
The Defense Department (DoD) recently released Department of Defense Instruction (DoDI) 5200.48, “Controlled Unclassified Information (CUI),” which provides the DoD’s long-anticipated guidance on how to mark and handle CUI in accordance with the Federal Government’s broader CUI Program and DFARS 252.204-7012. In doing so, it cancels legacy CUI guidance under DoD Manual 5200.01, Volume…
Just in Time for Spring: Revision 2 to NIST SP 800-171 Comes into Full Bloom
The National Institute of Standards and Technology (NIST) recently released its final version of Revision 2 to the cybersecurity standard NIST Special Publication (SP) 800-171. While the security controls remain unchanged, Revision 2 now incorporates implementation guidance into each control. Importantly though, such guidance remains non-binding and is not intended to extend the scope of…
No More “Wait & See” for CMMC: DoD Releases Final Cybersecurity Maturity Model Certification
The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions, such as:
- Process and Practice Descriptions in Appendix B, which include discussions and clarifications
…
New Draft NIST Guidance on Systems Security Engineering
The National Institute of Standards and Technology (NIST) recently published a draft special publication titled Systems Security Engineering: Resiliency Considerations for the Engineering of Trustworthy Secure Systems (Volume 2), which provides guidance to professionals responsible for the activities and tasks related to the system life cycle processes in NIST’s flagship publication, NIST Special Publication 800-160…
Interim Rule Could Expand Already Onerous DFARS Cyber Requirements
Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors. Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in …