No More "Wait & See" for CMMC: DoD Releases Final Cybersecurity Maturity Model Certification

Client Alert | 1 min read | 02.03.20

The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions, such as:

Process and Practice Descriptions in Appendix B, which include discussions and clarifications for every “practice” within each CMMC Level, including the long-awaited examples for Levels 4 and 5; and
Source Mapping in Appendix E, which maps each “practice” across all five Levels –171 in total – to other pre-existing cybersecurity frameworks.

Much, however, remains to be done. In anticipation of the DoD adopting “go/no-go” CMMC certification requirements later this year, a privately-run Accreditation Body is expected to begin training third-party assessors (3PAOs) this spring in conducting those certifications for contractors. Simultaneously, the DoD is expected to issue a proposed rule incorporating the CMMC into DFARS 252.204-7012, to be finalized this fall.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner and Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 3 min read | 04.14.26

DOJ’s False Claims Act Resolution Against IBM Signals Heightened Risk for Federal Contractors with DEI Programs

On Friday, April 10, 2026, the U.S. Department of Justice (DOJ) announced that International Business Machines Corporation (IBM) has agreed to pay just over $17 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with federal anti-discrimination requirements incorporated into its federal contracts due to allegedly discriminatory diversity, equity, and inclusion (DEI) employment practices. This resolution marks the first FCA settlement secured by the DOJ under its Civil Rights Fraud Initiative, created in May 2025, and announced by then-Deputy Attorney General Todd Blanche as part of the administration’s coordinated efforts to target allegedly unlawful DEI practices. Per the agreement, the settlement is neither an admission of liability by IBM nor a concession by the United States that its claims are not well founded....

Client Alert | 4 min read | 04.14.26
FedRAMP Solicits Public Comment on Overhaul to Incident Communications Procedures
Client Alert | 5 min read | 04.14.26
OFSI Imposes £390,000 Penalty on Apple Subsidiary for Russian Sanctions Breaches: Key Compliance Takeaways
Client Alert | 4 min read | 04.14.26
SBIR/STTR Programs Reauthorized After Six-Month Lapse

View All Insights