Crackdown “Light” On Defense Contractor Cybersecurity

January 24, 2022


A post from law firm Morrison & Foerster outlines top cybersecurity “considerations” for government contractors in 2022, a word possibly chosen with some care in lieu of the more pointed “requirements,” as the subject here is as much what the government, the Department of Defense in particular, is not doing in this regard. The authors note, for example, that in response to “growing pressure from defense contractors, and faced with the daunting task of third party certification of the entire defense industrial base, DoD partially reversed course,” as it announced a revised CMMC 2.0 framework. CMMC stands for the Cybersecurity Maturity Model Certification from the Department of Defense, and the CMMC 2.0 framework was developed with the goal of “fortifying the cybersecurity of the defense industrial base.”

The revision? Contractors, other than those who have access to “critical national security information,” will be allowed to self-assess and then attest to compliance. The rigor of the requirements also appears to have been diluted: Full compliance will not be required to obtain certification. Instead, plans of action and “milestones to address gaps” will serve. The timeline for implementing CMMC 2.0 regulations is estimated by DoD to be somewhere between nine months and two years from the initial CMMC 2.0 announcement of November 2021, although DoD has said it will offer financial and other incentives, possibly including some competitive advantage, to contractors that beat the timeline.

Meanwhile, DOJ seems to be moving with more resolve on this front, with its newly created “Civil Cyber-Fraud Initiative.” It enlists the power of an old law, the False Claims Act, which can provide a bounty to whistleblowers who flag contractor cybersecurity failures, including failure to report a breach or knowingly misrepresenting cybersecurity protocols. Security-enhancing measures are also said to be underway at the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), a part of the Department of Homeland Security, as well as the Office of Management and Budget (OMB).

In addition, there are some security provisions embedded in the 2022 National Defense Authorization Act (NDAA), but two key provisions did not become part of that law. One would have required critical infrastructure providers and government contractors to report cyber incidents within 72 hours. The other would have required ransomware payments to be reported to the government. However, the authors note, some version of these requirements could be incorporated into other legislation in the coming year.
