Proposed CMMC Rule Would Strengthen Cyber Requirements but May Give Rise to FCA Exposure

Cybersecurity has been a hot-button FCA issue ever since Attorney General Lisa Monaco announced cybersecurity initiatives in late 2021. In the last couple of years, DOJ has announced a few cyber-related settlements, and we expect to see more cyber-related FCA investigations and recoveries going forward. Given the potential FCA implications, we at Qui Notes have been waiting for the Department of Defense to issue its long-awaited proposed rule which, if enacted, will establish the Cybersecurity Maturity Model Certification (CMMC) Program. Comments on the proposed rule are due February 26.

Of particular relevance for potential FCA exposure, the rule would require defense contractors to affirm compliance with the applicable CMMC Level after each assessment, after the contractor closes out any “Plan of Actions and Milestones,” and annually thereafter. The rule would require that these affirmations be submitted by a senior official responsible for ensuring compliance with CMMC. As our readers know, any affirmations or certifications of compliance bring with them FCA risk. And, of course, if the rule is enacted as proposed, contractors who delay their efforts to achieve CMMC compliance could also face increased FCA risk.

For a more in-depth overview of the proposed rule, check out this Advisory. Otherwise, we at Qui Notes will be tracking the progress of the proposed rule and other cyber FCA developments.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.