The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program and newly issued cybersecurity rule present contractors with a range of compliance issues as they prepare for expanded third-party and DoD assessments of their information systems that will be a condition of eligibility for nearly all defense contracts.

Among these issues is how to manage disputes and litigation related to DoD’s assessment and verification regime, as well as risks of False Claims Act (FCA) liability. DoD’s interim rule to implement CMMC released on September 30, 2020 confirms that the non-governmental CMMC Accreditation Body (CMMC-AB) will adjudicate assessment-related disputes, but details are pending. Key questions remain about how disagreements related to DoD’s cybersecurity assessment regime will be resolved, what remedies will exist, and what procedures will be available at different stages. There is also uncertainty about the roles of courts and the Government Accountability Office (GAO) given CMMC’s reliance on nongovernmental entities and third-party verification.

Click here to read the full article on Professional Services Council