Latest Proposed CMMC Rule Would Expand Compliance Obligations and Potential FCA Exposure
Cybersecurity continues to be a significant compliance focus for government contractors and an enforcement focus for the government, as we have previously reported, for example in our September 2023 and March 2024 blog posts. In a January 2024 blog post, we discussed how the December 2023 Department of Defense (DoD) proposed rule laying the foundation for the Cybersecurity Maturity Model Certification (CMMC) Program would bolster cybersecurity but could also present False Claims Act (FCA) risks.
On August 15, 2024, DoD issued another CMMC-focused proposed rule. This rule would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC through solicitation and contract provisions. The proposed rule confirms that CMMC will expand cybersecurity compliance obligations and liability risks, including under the FCA. If the rule is enacted as currently proposed, defense contractors would be required to make express certifications of compliance with CMMC requirements and continuously monitor information systems for any changes in security.
Defense contractors would also face new reporting obligations. The proposed rule would require defense contractors to report “any lapses in information security or changes in the status of CMMC certificate or CMMC self-assessment levels during performance of the contract” to the contracting officer within 72 hours. The proposed rule does not define “lapses in information security,” but DoD’s decision to use that phrase rather than adhering to the existing cyber incident reporting obligations under DFARS 252.204-7012 suggests DoD intends to expand reporting requirements to potentially include any violation of a security policy relating to federal contract information or controlled unclassified information in a covered contractor information system.
For a more in-depth overview of the proposed rule, check out this Advisory.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.