
For defense industrial base companies that will provide annual self-assessment affirmations within the CMMC 2.0 framework, steps can be taken to reduce the risk of future DOJ investigations and qui tam suits:

  • First, DIB companies should implement and maintain written cybersecurity policies that are consistent with the basic safeguarding requirements of the FAR clause 52.204-21 and, if applicable, DFARS 252.204-7012.
  • Second, DIB companies should develop and foster a culture of compliance throughout the organization, including employee training, internal disclosure controls and/or board oversight of leadership’s management.
  • Finally, contractors should consider a CMMC certification to give themselves a competitive advantage and minimize the risk of other DIB companies not wanting to do business with them because of the cybersecurity risks they pose.
