
On November 17, 2021, the Department of Defense published an advance notice of proposed rulemaking in connection with announced changes to the CMMC for the defense industrial base, styled “CMMC 2.0.” Although these changes appear to lessen the burden on contractors (granting more time while reducing requirements), defense contractors are nonetheless well advised to proactively manage cybersecurity threats. Questions contractors are asking include:

  • Which compliance levels must I meet, and what are the exact requirements?
  • Will the Government provide financial assistance for small businesses that would be forced out of the defense industrial base if required to foot the entire assessment process bill?
  • Will there be enough C3PAOs to conduct timely assessments for the tens of thousands of companies that may ultimately need them, given that the CMMC Accreditation Body’s website lists only 5 accredited C3PAOs so far?
  • How will CMMC 2.0 affect non-US companies?
  • What impact will the anticipated GAO report have on the program?
  • Can the attestation required for self-certification be the basis for a False Claims Act prosecution?
