Cybersecurity Maturity Model Matures: DoD Adds New Requirements to Draft Cybersecurity Certification
Client Alert | 1 min read | 09.10.19
The Defense Department has released Revision 0.4 of its Cybersecurity Maturity Model Certification (CMMC) that, starting next year, independent auditors are to use to certify contractor compliance with DoD cybersecurity requirements. Revision 0.4 more than doubles the number of cybersecurity controls across the CMMC’s five maturity “Levels.” But the DoD emphasizes that it will further down-select these controls and that mature contractor processes may counteract gaps in the final controls’ implementation. In addition to NIST SP 800-171 (the default standard under DFARS 252.204-7012), Revision 0.4 now incorporates requirements from the NIST Cybersecurity Framework, ISO 27001, and CIS Critical Security Controls, as well as from “additional DIB inputs.” Notably missing is NIST SP 800-171B, which remains under review.
The DoD is requesting feedback on Revision 0.4 through September 25, 2019, and plans on releasing Revision 0.6 for comment in November 2019. The final CMMC is expected in January 2020.
Contacts
Senior Counsel
She/Her/Hers
Partner, Crowell Global Advisors Senior Director
Insights
Client Alert | 3 min read | 07.18.25
Eighth Circuit Cancels Click-to-Cancel
On July 8, 2025, the Eighth Circuit vacated the Federal Trade Commission’s (“FTC”) Negative Option Rule, also known as the Click-to-Cancel Rule, on procedural grounds. The Click-to-Cancel Rule, which provided a streamlined path for consumers to cancel subscription services in a few clicks of a mouse, was scheduled to take effect on July 14, 2025, but the Court found that the FTC had failed to follow mandatory procedural requirements.
Client Alert | 9 min read | 07.18.25
U.S. Lifts Most Sanctions on Syria in Major Policy Development
Client Alert | 6 min read | 07.17.25
Client Alert | 3 min read | 07.17.25
(Not the Funniest) Weekend Update: Recap of Recent Developments in the EU-US Tariff Dispute
