Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates
Client Alert | 1 min read | 11.13.19
Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:
- Condensing the CMMC requirements;
- Modifying the practices and processes; and
- Providing clarifications and examples for CMMC Level 1 requirements.
Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:
- Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
- Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
- Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.
Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.