Cybersecurity Maturity Model Matures: DoD Adds New Requirements to Draft Cybersecurity Certification

Client Alert | 1 min read | 09.10.19

The Defense Department has released Revision 0.4 of its Cybersecurity Maturity Model Certification (CMMC) that, starting next year, independent auditors are to use to certify contractor compliance with DoD cybersecurity requirements. Revision 0.4 more than doubles the number of cybersecurity controls across the CMMC’s five maturity “Levels.” But the DoD emphasizes that it will further down-select these controls and that mature contractor processes may counteract gaps in the final controls’ implementation. In addition to NIST SP 800-171 (the default standard under DFARS 252.204-7012), Revision 0.4 now incorporates requirements from the NIST Cybersecurity Framework, ISO 27001, and CIS Critical Security Controls, as well as from “additional DIB inputs.” Notably missing is NIST SP 800-171B, which remains under review.

The DoD is requesting feedback on Revision 0.4 through September 25, 2019, and plans on releasing Revision 0.6 for comment in November 2019. The final CMMC is expected in January 2020.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 3 min read | 09.15.25

Senate Finance Committee Looking to Take White River to the Train Station, Confirms DOJ Investigation into Tribal Tax Credits

On August 19, 2025, the U.S. Senate Committee on Finance (“Senate Finance Committee”) sent Paul Atkins, Chairman, U.S. Securities and Exchange Commission (“SEC”) a letter calling on the SEC to investigate White River Energy Corp (“White River”). In the letter, the Senate Finance Committee confirmed a criminal investigation into White River related to the sale of so-called “tribal tax credits” that according to both Congress and the IRS, do not exist. The letter further states that White River allegedly earned millions of dollars selling these credits and has not been forthcoming with investors regarding the existence of the criminal investigation. According to the Senate Finance Committee, White River has failed to file financial disclosure documents with the SEC since March 15, 2024, missing six consecutive reporting periods. The letter instructs White River to disclose the existence of the DOJ criminal tax investigation, and calls on the SEC to take action if White River fails to do so....

Client Alert | 4 min read | 09.12.25
SBA’s OHA Further Defines Extraordinary Action in SDVOSB Appeal
Client Alert | 6 min read | 09.11.25
U.S. Department of Commerce Partially Relaxes Export Controls on Syria
Client Alert | 9 min read | 09.11.25
One Year After Illumina/Grail – How Are EU Competition Authorities Now Dealing With Below-Threshold Mergers

View All Insights