1. Home
  2. |Insights
  3. |Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Client Alert | 1 min read | 11.13.19

Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:

  • Condensing the CMMC requirements;
  • Modifying the practices and processes; and
  • Providing clarifications and examples for CMMC Level 1 requirements.

Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:

  • Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
  • Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
  • Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.

Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.

Insights

Client Alert | 3 min read | 05.02.25

Supreme Court Hears Argument About Uninjured Class Members

On April 29, 2025, the Supreme Court heard oral argument in Laboratory Corporation of America Holdings, dba Labcorp, v. Luke Davis, et al., No. 22-55873. The Supreme Court had granted a petition for writ of certiorari in the case as to the following question: “[w]hether a federal court may certify a class action pursuant to Federal Rule of Civil Procedure 23(b)(3) when some members of the proposed class lack any Article III injury.” The Justices focused much of the oral argument on whether the case was moot, suggesting they may not reach the merits. And when soliciting argument on the merits, the Court appeared divided as to how to answer the question....