Cybersecurity Insights: Updates on CMMC Implementation and CUI Identification
Marti Arvin and Anthony Buenger on the CMMC Framework
The recent National 8(a) Small Business Conference underscored pressing challenges and critical updates regarding the Cybersecurity Maturity Model Certification (CMMC) Program, now in an advanced phase known as CMMC 2.0. The...more
The FAR Council issued a proposed rule that would amend the several FAR provisions and add new clauses to provide guidance on the safe handling of CUI. Public comments on the proposed rule are being accepted until March 17,...more
Earlier this year, the FAR Council issued a proposed rule to implement the Controlled Unclassified Information (CUI) Program as it relates to federal contracts. The proposed rule is "just one element of a larger strategy to...more
On January 15, 2025, the Department of Defense (DOD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) (collectively, “the FAR Council”) issued a long-anticipated proposed...more
On January 15, 2025, the Federal Acquisition Regulatory Council published a proposed rule (the FAR CUI Rule) that would amend the Federal Acquisition Regulation (FAR) to impose government-wide cybersecurity, training, and...more
Over the last two decades, federal contractors have been frustrated by the Government’s hodgepodge approach to regulating Controlled Unclassified Information (CUI). Various agencies have implemented differing definitions,...more
After years of anticipation, the Federal Acquisition Regulation (FAR) Council has announced the arrival of its proposed rule to enhance the safeguarding of Controlled Unclassified Information (CUI) in federal contracts (the...more
The Department of Homeland Security (DHS) recently released a final rule (Final Rule), effective July 21, 2023, updating the Homeland Security Acquisition Regulation (HSAR) to include cybersecurity provisions aimed at...more
On June 21, the Department of Homeland Security (DHS) published a final rule to implement security measures that safeguard controlled unclassified information (CUI) from unauthorized access and disclosure and improve incident...more
The National Institute of Standards and Technology (NIST) has released an initial public draft of NIST SP 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Compliance...more
- DoD has released the final version of the CMMC framework. - DoD anticipates that CMMC requirements will appear in a limited number of solicitations starting in October 2020 and that they will appear in all DoD...more
In 2019, cybersecurity has become top-of-mind for most federal government contractors and agencies that share sensitive information. In addition to updated Department of Defense guidance and procedures for evaluating...more
Government agencies collect and hold massive amounts of personally identifiable information (PII), creating valuable targets for cybercrime. Recently proposed legislation would impose baseline standards for cyber hygiene on...more
First and foremost, the proposed Department of Homeland Security (DHS) regulation to safeguard CUI is internally inconsistent or at the very least ambiguous. It appears to conflate the protection of CUI on a federal...more
This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by...more
The U.S. federal government announced on May 16, 2016, new Federal Acquisition Regulation (FAR) rules that set high-level standards for the basic safeguarding of contractor information systems that process, store or transmit...more
The Department of Defense (DoD) issued an interim cybersecurity rule in August 2015 that, among other things, revises the existing Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause and increases...more
Is Controlled Unclassified Information Out of Control? The OMB apparently thinks so. On August 11, 2015, the Obama administration, through the Office of Management and Budget (OMB), which is the largest office within the...more
In a move that highlights the changing winds of federal cybersecurity policy, the Department of Defense (“DoD”) has issued an interim Rule (“Rule”) that imposes new security and reporting requirements on federal contractors,...more
The Department of Defense (DoD) released interim rules implementing provisions of the 2013 and 2015 National Defense Authorization Acts. The rules, released on Aug. 26, 2015, are effective immediately and establish the...more
The Office of Management and Budget (OMB) released a draft guidance document on Aug. 11, 2015, titled “Improving Cybersecurity Protection in Federal Acquisitions” (the “OMB Guidance”). The OMB Guidance instructs agencies on...more
Federal government contractors handling Controlled Unclassified Information (CUI) should take notice of two recent executive agency actions. Combined, they lay the groundwork for a new cybersecurity clause to be added to the...more