United States: Proposed CMMC Rule Would Strengthen Cyber Requirements But May Give Rise To FCA Exposure

Cybersecurity has been a hot-button FCA issue ever since Attorney General Lisa Monaco announced cybersecurity initiatives in late 2021. In the last couple of years, DOJ has announced a few cyber-related settlements, and we expect to see more cyber-related FCA investigations and recoveries going forward. Given the potential FCA implications, we at Qui Notes have been waiting for the Department of Defense to issue its long-awaited proposed rule which, if enacted, will establish the Cybersecurity Maturity Model Certification (CMMC) Program. Comments on the proposed rule are due February 26.

Of particular relevance for potential FCA exposure, the rule would require defense contractors to affirm compliance with the applicable CMMC Level after each assessment, after the contractor closes out any "Plan of Actions and Milestones," and annually thereafter. The rule would require that these affirmations be submitted by a senior official responsible for ensuring compliance with CMMC. As our readers know, any affirmations or certifications of compliance bring with them FCA risk. And, of course, if the rule is enacted as proposed, contractors who delay their efforts to achieve CMMC compliance could also face increased FCA risk.

For a more in-depth overview of the proposed rule, check out this Advisory. Otherwise, we at Qui Notes will be tracking the progress of the proposed rule and other cyber FCA developments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.