No More "Wait & See" for CMMC: DoD Releases Final Cybersecurity Maturity Model Certification
Client Alert | 1 min read | 02.03.20
The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions, such as:
- Process and Practice Descriptions in Appendix B, which include discussions and clarifications for every “practice” within each CMMC Level, including the long-awaited examples for Levels 4 and 5; and
- Source Mapping in Appendix E, which maps each “practice” across all five Levels –171 in total – to other pre-existing cybersecurity frameworks.
Much, however, remains to be done. In anticipation of the DoD adopting “go/no-go” CMMC certification requirements later this year, a privately-run Accreditation Body is expected to begin training third-party assessors (3PAOs) this spring in conducting those certifications for contractors. Simultaneously, the DoD is expected to issue a proposed rule incorporating the CMMC into DFARS 252.204-7012, to be finalized this fall.
Contacts
Partner, Crowell Global Advisors Senior Director
Insights
Client Alert | 4 min read | 09.12.25
SBA’s OHA Further Defines Extraordinary Action in SDVOSB Appeal
On September 4, 2025, the Small Business Administration’s (SBA) Office of Hearings and Appeals (OHA) granted an appeal challenging SBA’s determination that a service-disabled veteran did not control an entity applying for Service-Disabled Veteran-Owned Small Business (SDVOSB) status based on a minority owner’s ability to block certain actions in the matter of VSBC Appeal of: Blue Skye Foods, LLC, SBA No. VSBC-442-A.
Client Alert | 6 min read | 09.11.25
U.S. Department of Commerce Partially Relaxes Export Controls on Syria
Client Alert | 9 min read | 09.11.25
Client Alert | 1 min read | 09.10.25
