1. Home
  2. |Insights
  3. |Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Immaturity of the Cybersecurity Maturity Model: Revisions Omit Higher-Level Updates

Client Alert | 1 min read | 11.13.19

Last week, the Defense Department (DoD) released Revision 0.6 to the Cybersecurity Maturity Model Certification (CMMC). Notably absent were revisions to Levels 4 – 5, which DoD promises in the next public release. While the final version of the CMMC is due in late January, Revision 0.6 updated CMMC Levels 1 – 3 by:

  • Condensing the CMMC requirements;
  • Modifying the practices and processes; and
  • Providing clarifications and examples for CMMC Level 1 requirements.

Revision 0.6 also distilled the core requirements for Levels 1 – 3 into the following categories:

  • Level 1 -- Basic cyber hygiene: Implementation of security controls in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
  • Level 2 -- Intermediate cyber hygiene: Implementation of select NIST SP 800-171 controls; and
  • Level 3 -- Good cyber hygiene: Full implementation of NIST SP 800-171 controls.

Industry will benefit from reviewing this latest draft and preparing for DoD’s pending implementation of the CMMC.

Insights

Client Alert | 2 min read | 05.27.25

Federal Circuit Resolves Circuit Split on Scope of IPR Estoppel

As part of the 2012 America Invents Act, statutory estoppel was included to balance the interests of patent owners and patent challengers following an inter partes review (“IPR”).  Estoppel prevents an IPR petitioner from later asserting in court that a claim “is invalid on any ground that the petitioner raised or reasonably could have raised” during the IPR.  35 U.S.C. § 315(e)(2).  As applied, estoppel prevents petitioners from later relying in district court or in ITC proceedings on most patents or printed publications – the limited bases upon which petitioner can rely in an IPR.  But a question remained, and contradictory district court decisions arose, as to whether petitioners would be estopped from relying on a prior art commercial product (known as “device art,” which could not itself have been raised in the IPR) even if a printed publication describing the product (i.e. a patent or technical manual) was available and presumably could have been raised. ...