Bass, Berry & Sims attorneys Richard Arnholt and Todd Overman authored an article for Corporate Compliance Insights providing insight into the finalized Cybersecurity Maturity Model Certification (CMMC) rule, which implements the program in the Defense Federal Acquisition Regulation Supplement (DFARS).

Richard and Todd explored how CMMC impacts cybersecurity regulation for defense contractors as a key compliance and legal requirement. “The new rule requires contractors and subcontractors to undergo cybersecurity self-assessments or third-party certifications, post results in the Supplier Performance Risk System (SPRS) and provide annual affirmations of continuous compliance.”

The Department of War, previously the Department of Defense, has stressed the importance of contractors having the capacity to protect sensitive unclassified information, as it is essential to national security. The attorneys provided an outline of each level of CMMC and the protocols companies at each level must comply with.

“While the phased rollout offers contractors time to prepare, the scope of these requirements demands early attention,” said the authors. “Contractors that begin assessing their systems now, document their controls carefully and integrate CMMC into their governance will be better positioned to compete and to avoid the liability risks the rule introduces.”

The full article, “US Finalizes CMMC Rule: Cybersecurity Verification Now Determines Contract Eligibility for Defense Contractors,” was published by Corporate Compliance Insights on December 12 and is available online. Richard and Todd also wrote on this topic for the firm’s GovCon & Trade blog.