After months of review, on November 4, 2021, the Department of Defense (DoD) finally unveiled its new version of the Cybersecurity Maturity Model Certification (CMMC 2.0). Well, almost. In a blink-and-you’ll-miss-it moment, the Department posted, then quickly removed, new federal regulations in/from the Federal Register highlighting the changes in CMMC. Most of those changes, however, were ultimately described on the OUSD Acquisition & Sustainment website, which remain posted and available. In conducting its review of CMMC 1.0, the DoD focused largely on clarifying the standard and reducing the cost impact on the Defense Industrial Base (DIB). The result? A “been there, already had to do that” standard that should leave the DIB relatively pleased and the burgeoning CMMC accreditation industry mildly perplexed. In place of the five-tiered, third-party-assessed cybersecurity framework addressing data confidentiality, integrity, and availability, the new CMMC 2.0 presents as a three-tiered, largely self-assessed bolstering of the NIST SP 800-171 safeguarding requirements already required to be implemented by contractors in possession of “Covered Defense Information” (CDI) under DFARS 252.204-7012.

Continue Reading CMMC 2.0: Throwback Cybersecurity — Everything Old Is New Again

There’s an often mistranslated Taoist adage that counsels “A journey of a thousand miles begins with a single step.” So it is presently with the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC), which continues its cybersecurity journey with the recently released update of standard CMMC .6.

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Version .6: Another Step on the Department of Defense’s Long and Winding Cybersecurity Road


So you want to acquire a government contractor? Makes sense, and you’re not alone. Over the past few years, the federal contracting landscape continues to evolve as a result of mergers and acquisitions (M&A), primarily involving the acquisition of small and midsize contractors by larger entities as a means to quickly expand into new federal markets. This trend is especially prevalent in the information technology (IT) market, where the acquisition of small or midsize IT firms with new capabilities can provide larger firms with shiny new toys to share with their roster of government clients to gain a larger share of the federal IT “pie,” if not create—almost overnight—new IT market leaders in areas such as cloud computing, cybersecurity, software, and predictive intelligence.


Continue Reading Integrating Cybersecurity Into M&A Compliance Reviews: Avoiding Hidden Cyber Risks in the Acquisition of Government Contractors

As DOD continues to expand its supply chain cybersecurity demands on federal contractors, McCarter & English Government Contracts and Export Controls co-leaders Alex Major and Franklin Turner provide critical guidance for federal contractors in a two-part Feature Comment for Thomson Reuters’ The Government Contractor. In the comprehensive article they address not only the recent and

DoD’s recent efforts to address cybersecurity have caused confusion and chaos for Government contractors. As we all know, cybersecurity is an issue that is impossible to ignore, and the sobering reality is that compliance with federal cybersecurity requirements is critical to avoiding catastrophic liability. Recently, McCarter & English Government Contracts and Export Controls co-leaders Alex