CMMC 2.0 Scoping Guidance Limits the Scope of Cybersecurity Assessments
Client Alert | 1 min read | 12.23.21
The Department of Defense (DoD) recently released the initial guidance documents for Version 2.0 of its Cybersecurity Maturity Model Certification (CMMC) program, including its much-anticipated Scoping Guidance. While the guidance documents generally adhere to the current requirements for the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Scoping Guidance includes notable developments. Chief among them is the introduction of two asset categories — “Specialized Assets” and “Contractor Risk Managed Assets” — that could potentially limit the scope of a contractor’s CMMC assessment, as well as the number and types of assets to be assessed against the applicable CMMC practices.
- Specialized Assets include government property; internet of things (IoT) and industrial internet of things (IIoT) devices; operational technology; systems configured based entirely on government requirements and used to support a contract; and test equipment.
- Contractor Risk Managed Assets include computing resources that are capable of handling CUI but are prevented from doing so by the contractor’s security policies, procedures, and practices.
Contractors expecting to be subject to CMMC should carefully review the Scoping Guidance, as well as the other guidance documents, to determine whether and how they may wish to limit the scope of CMMC’s applicability.
Insights
Client Alert | 2 min read | 05.27.25
Federal Circuit Resolves Circuit Split on Scope of IPR Estoppel
As part of the 2012 America Invents Act, statutory estoppel was included to balance the interests of patent owners and patent challengers following an inter partes review (“IPR”). Estoppel prevents an IPR petitioner from later asserting in court that a claim “is invalid on any ground that the petitioner raised or reasonably could have raised” during the IPR. 35 U.S.C. § 315(e)(2). As applied, estoppel prevents petitioners from later relying in district court or in ITC proceedings on most patents or printed publications – the limited bases upon which petitioner can rely in an IPR. But a question remained, and contradictory district court decisions arose, as to whether petitioners would be estopped from relying on a prior art commercial product (known as “device art,” which could not itself have been raised in the IPR) even if a printed publication describing the product (i.e. a patent or technical manual) was available and presumably could have been raised.
Client Alert | 3 min read | 05.23.25
Executive Order Seeks Most-Favored-Nation Drug Pricing and HHS Announces Price Targets
Client Alert | 4 min read | 05.22.25
Opportunities for Procurement on the Horizon as UK Concludes Free Trade Agreement With India
Client Alert | 2 min read | 05.22.25
What Trump’s Nominee for IRS Commissioner Could Mean for Employee Retention Tax Credit Enforcement