ARTICLE
5 September 2024

Latest Proposed CMMC Rule Would Expand Compliance Obligations And Potential FCA Exposure

Arnold & Porter

Cybersecurity continues to be a significant compliance focus for government contractors and an enforcement focus for the government, as we have previously reported, for example in our September 2023 and March 2024 blog posts. In a January 2024 blog post, we discussed how the December 2023 Department of Defense (DoD) proposed rule laying the foundation for the Cybersecurity Maturity Model Certification (CMMC) Program would bolster cybersecurity but could also present False Claims Act (FCA) risks.

On August 15, 2024, DoD issued another CMMC-focused proposed rule. This rule would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC through solicitation and contract provisions. The proposed rule confirms that CMMC will expand cybersecurity compliance obligations and liability risks, including under the FCA. If enacted as currently proposed, defense contractors would be required to make express certifications of compliance with CMMC requirements and continuously monitor information systems for any changes in security.

Defense contractors would also face new reporting obligations. The proposed rule would require defense contractors to report "any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract" to the contracting officer within 72 hours. The proposed rule does not define "lapses in information security," but DoD's decision to use that phrase rather than adhering to the existing cyber incident reporting obligations under DFARS 252.204-7012 suggests DoD intends to expand reporting requirements to potentially include any violation of a security policy relating to federal contract information or controlled unclassified information in a covered contractor information system.
