Reed Smith Client Alerts

The U.S. Department of Defense (DoD) recently made two announcements relevant to companies tracking the Cybersecurity Maturity Model Certification (CMMC): (1) the DoD will pilot CMMC enforcement on up to seven upcoming contracts that DoD agencies expect to award in late 2021, and (2) reciprocity will be afforded to contractors that have already undergone cybersecurity audits under certain existing programs. This client alert provides an overview of these two important updates.


By now, most defense contractors are familiar with the CMMC, the DoD’s new cybersecurity certification requirement. The CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB), a supply chain of more than 400,000 companies. It was developed in response to significant compromises of sensitive information held in contractor information technology systems. Previously, contractors were responsible for implementing, monitoring, and self-certifying the security of their information technology systems and of any sensitive DoD information stored on or transmitted by those systems. Contractors remain responsible for implementing the required cybersecurity controls, but the CMMC shifts the paradigm by mandating third-party assessment of their compliance with specified practices, procedures, and capabilities, the aim being to ensure that they can adapt to new and evolving cyber threats from foreign and domestic adversaries. The DoD plans to implement the CMMC requirements through a phased roll-out, with all requirements becoming effective in 2025. We previously discussed the CMMC framework in a September 2019 blog post, a March 2020 podcast, and a June 2020 client alert.