The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) and emerging cybersecurity assessment regulations impose numerous obligations on defense contractors. As companies prepare for third-party assessments, conduct self-assessments of their compliance with NIST 800-171 security controls, and other requirements to safeguard unclassified government information in their systems, key implementation issues remain unresolved. This presentation will provide an overview of the latest developments related to CMMC and the DoD’s interim rule and anticipated final rule. It will also offer key considerations for companies to manage and reduce risks presented by CMMC, including those related to subcontractor requirements, identifying Controlled Unclassified Information, considerations for cloud-based systems, bid protests and disputes, and False Claims Act liability.