Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Client Alert | 1 min read | 11.13.19

Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:

Condensing the CMMC requirements;
Modifying the practices and processes; and
Providing clarifications and examples for CMMC Level 1 requirements.

Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:

Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.

Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.

Contacts

Evan D. Wolff
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2615
ZXdvbGZmQGNyb3dlbGwuY29t
Maida Oringher Lerner
Senior Counsel
She/Her/Hers
- Washington, D.C.
  - D | +1.202.624.2596
bWxlcm5lckBjcm93ZWxsLmNvbQ==
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==

Insights

Client Alert | 3 min read | 06.26.25

FDA Targets Gene Editing Clinical Trials in China and other “Hostile Countries”

In a somewhat ambiguous press release on Wednesday, June 18, 2025, the Food and Drug Administration (FDA) announced a halt and “immediate review” of new clinical trials where American patients’ cells are sent to China or other “hostile countries” for genetic engineering with the expectation that the cells will be infused back into U.S. patients.[1] A subsequent podcast published by the agency also said that therapies that involved cells that were sent to China for genetic engineering and intended for subsequent infusion into U.S. patients would not be approved going forward. The announcement said that there is “mounting evidence” that some clinical researchers failed to obtain informed consent from trial participants about the international transfer and manipulation of biological material....

Client Alert | 3 min read | 06.26.25
Nexus, Schmexus: Patent Licenses Do Not Need a Nexus to Specific Patent Claims to Be a Secondary Consideration of Nonobviousness
Client Alert | 4 min read | 06.26.25
Ninth Circuit Affirms that CIPA Only Applies to Third-Party Eavesdropping
Client Alert | 4 min read | 06.24.25
CBP Issues First Comprehensive Guide to Modifying a Withhold Release Order (WRO)

View All Insights