Cybersecurity Insights: Updates on CMMC Implementation and CUI Identification
Marti Arvin and Anthony Buenger on the CMMC Framework
On January 15, 2025, the FAR Council finally released a proposed rule (the Rule)1 regulating the use and handling of controlled unclassified information (CUI) as a part of the general strategy to reduce threats of...more
Earlier this year, the FAR Council issued a proposed rule to implement the Controlled Unclassified Information (CUI) Program as it relates to federal contracts. The proposed rule is "just one element of a larger strategy to...more
The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of...more
On May 2, the Department of Defense (DOD) issued a class deviation to DFARS 252.204-7012 “to provide industry time for a more deliberate transition upon the forthcoming release of [National Institute of Standards and...more
On June 16, 2022, the Department of Defense (DoD) issued a memorandum to its contracting officers emphasizing their obligation to monitor compliance by DoD contractors with the cybersecurity requirements of their contracts....more
WHAT: On November 4, 2021, the U.S. Department of Defense (DOD) announced the completion of a months-long internal review and significant changes to the strategic direction of its Cybersecurity Maturity Model Certification...more
People like to say that cybersecurity threats are constantly evolving. So perhaps it’s fitting that cybersecurity compliance is undergoing a significant evolution of its own this year, too. That evolution is the arrival of...more
The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit into the protection of Controlled Unclassified Information (CUI) on contractor networks. Based on an in-depth...more
Cybersecurity. It’s never over, is it? In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with formal...more
Is this a Start of Something New for Third-Party Management? The demand for responsible cybersecurity in business is ubiquitous. The need to protect information is not limited to the financial services, insurance and...more
As part of our continuing effort to keep you updated with new developments relating to compliance with the Department of Defense (DoD) Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, this blog post provides a...more
Last month many of you listened to the webinar Jon Williams and I did regarding the December 31, 2017, deadline to comply with the Department of Defense (DoD) Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and...more
The DoD clarifies its expectation for full compliance to protect Controlled Unclassified Information (CUI) residing on Contractor Systems from cyber incidents. A defense contractor’s updated and current System Security...more
After the ball drops in Times Square this New Year’s Eve, many DoD contractors will wake up with a headache. And I don’t mean from too much champagne. I’m talking about extensive DoD cybersecurity requirements these...more
Pursuant to DFARS 252.204-7012, DoD contractors are to implement the security requirements in NIST Special Publication (SP) 800-171 by December 31, 2017. NIST SP 800-171 includes security requirements for protecting...more
Most federal defense contractors are aware that December 31, 2017, is the deadline for them to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled...more
Now that the government fiscal year end has passed, government contractors that handle controlled unclassified information (“CUI”) must turn their attention – if they haven’t already – to the quickly approaching calendar year...more
This month marks an important waypoint for defense contractors subject to the new cybersecurity requirements imposed by the Department of Defense. For contractors subject to the requirements of Defense Federal Acquisition...more
While all companies should be concerned with their cybersecurity posture, companies in the aerospace, defense, and government services (ADG) industry are potentially subject to greater risks due to the industry's highly...more
On May 16, 2016, the Federal Acquisition Regulations (“FAR”) Council published the final FAR rule on Basic Safeguarding of Contractor Information Systems. The rule is intended to prescribe “the most basic level” of...more
The Department of Defense (DoD) issued an interim cybersecurity rule in August 2015 that, among other things, revises the existing Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause and increases...more
In a move that highlights the changing winds of federal cybersecurity policy, the Department of Defense (“DoD”) has issued an interim Rule (“Rule”) that imposes new security and reporting requirements on federal contractors,...more
The Department of Defense (DoD) released interim rules implementing provisions of the 2013 and 2015 National Defense Authorization Acts. The rules, released on Aug. 26, 2015, are effective immediately and establish the...more
On August 26, 2015, the Department of Defense (DoD) published a long-awaited Interim Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to require “rapid” reporting of “cyber incidents” that result in...more