Cybersecurity continues to be a significant compliance focus for
government contractors and an enforcement focus for the government,
as we have previously reported, for example in our September 2023 and March 2024 blog posts. In a January 2024 blog post, we discussed how the
December 2023 Department of Defense (DoD) proposed rule laying the
foundation for the Cybersecurity Maturity Model Certification
(CMMC) Program would bolster cybersecurity but could also present
False Claims Act (FCA) risks.
On August 15, 2024, DoD issued another CMMC-focused proposed rule.
This rule would amend the Defense Federal Acquisition Regulation
Supplement (DFARS) to implement CMMC through solicitation and
contract provisions. The proposed rule confirms that CMMC will
expand cybersecurity compliance obligations and liability risks,
including under the FCA. If enacted as currently proposed, defense
contractors would be required to make express certifications of
compliance with CMMC requirements and continuously monitor
information systems for any changes in security.
Defense contractors would also face new reporting obligations. The
proposed rule would require defense contractors to report "any
lapses in information security or changes in the status of CMMC
certificate or CMMC self-assessment levels during performance of
the contract" to the contracting officer within 72 hours. The
proposed rule does not define "lapses in information
security." DFARS 252.204-7012 already requires rapid reporting of
"cyber incidents," a term that clause defines, within 72 hours.
DoD's decision to use the broader, undefined phrase rather than
adhering to that existing cyber incident reporting obligation
suggests DoD intends to expand reporting requirements, potentially
to include any violation of a security policy relating to federal
contract information or controlled unclassified information in a
covered contractor information system, even where no cyber incident
has occurred.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.