What Potential Whistleblowers Need to Know About the New Department of Defense Rule (CMMC) for Contractor Cybersecurity

October 31, 2024

On October 11, 2024, the U.S. Department of Defense (DoD) took a major step to strengthen its contractors’ cybersecurity by finalizing the Cybersecurity Maturity Model Certification (CMMC) program rule. The rule changes how the DoD will assess and verify the cybersecurity practices of its contractors and subcontractors across the defense industrial base.

Key Points of the CMMC Program

  1. Three-Tier System: The CMMC program establishes a three-level assessment system, simplifying the earlier five-level model and making it easier for small and medium-sized businesses to participate. Each level corresponds to a different set of required cybersecurity practices: Level 1 covers the basic safeguarding of Federal Contract Information, Level 2 maps to the 110 security requirements of NIST SP 800-171 for Controlled Unclassified Information, and Level 3 adds selected requirements drawn from NIST SP 800-172.
  2. Mandatory Compliance: Contractors will need to hold the CMMC level specified in a solicitation before a contract can be awarded. This moves away from the previous model, which relied almost entirely on contractors’ own assurances of compliance. Self-assessment does not disappear: Level 1 and a subset of Level 2 contracts still allow an annual self-assessment, but it must be entered in the DoD’s reporting system and accompanied by an affirmation from a senior company official, which makes a false entry a far easier misstatement to prove.
  3. Phased Implementation: The DoD will roll out the program in four phases over several years. The first phase is expected to last one year, with subsequent phases introducing more comprehensive requirements, including third-party assessment requirements in more solicitations. The phase-in clock starts when the companion acquisition (DFARS) rule that inserts CMMC into contracts takes effect.
  4. Third-Party Assessments: Many contractors will need an authorized CMMC Third-Party Assessment Organization (C3PAO) to verify their compliance at Level 2, and Level 3 assessments are conducted by the DoD itself. This independent verification adds an extra layer of assurance for the DoD.
  5. Protection of Sensitive Information: The rule aims to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense industrial base. This is crucial for maintaining national security and protecting sensitive government data.

What CMMC Means for Contractors and Potential Whistleblowers

This new rule marks a significant shift in DoD’s cybersecurity approach and will impact the cybersecurity practices of thousands of companies doing business with DoD. Contractors face the challenge of substantial investments in cybersecurity infrastructure, personnel, and processes. This could potentially reshape the competitive landscape for defense contracts, providing an advantage to companies that comply with CMMC’s requirements.

The effectiveness of the CMMC program will depend heavily on proper implementation and oversight. As defense contractors take steps to meet these new requirements, we might see various forms of non-compliance or fraud, such as:

  • Misrepresenting cybersecurity capabilities to win contracts and subcontracts;
  • Failing to implement required security measures after certification;
  • Falsely certifying compliance without meeting all requirements;
  • Cutting corners on cybersecurity measures to reduce costs, then fabricating or backdating logs and other records ahead of an assessment to make the controls appear to have been in place; or
  • Submitting false or manipulated assessment results, whether (1) by providing false information to an unwitting C3PAO or (2) through knowing collusion with a C3PAO.

These actions could create liability under the False Claims Act. Under the Civil Cyber-Fraud Initiative it announced in October 2021, the Department of Justice has encouraged whistleblowers to file qui tam suits under the False Claims Act to help identify and end fraudulent cybersecurity practices by government contractors.

Potential whistleblowers, especially those working in IT or cybersecurity roles within defense contracting companies, could have new opportunities to identify and report non-compliance. Familiarizing yourself with these standards can help you identify potential violations and play a crucial role in ensuring the integrity of the defense industrial base’s cybersecurity posture.

Looking Ahead

The finalization of this rule marks the beginning of a new era in cybersecurity for defense contracting. We expect to see significant changes in how defense contractors operate and compete for contracts over the next few years. Some contractors may gain a competitive edge by quickly adapting to and excelling in these new requirements, while others may struggle to keep up.

Whistleblowers who know about companies failing to meet these new standards or misrepresenting their cybersecurity capabilities have an important part to play. They can help protect national security, ensure the proper use of taxpayer funds, and maintain the integrity of the defense contracting process.

How Whistleblower Law Collaborative Can Help

At Whistleblower Law Collaborative LLC, our experienced qui tam whistleblower attorneys are dedicated to fighting cybersecurity fraud and protecting whistleblowers.

If you have information about potential cybersecurity violations or false claims related to the CMMC program, contact us for a confidential, no-obligation consultation. Our attorneys include former federal prosecutors with experience safeguarding sensitive government information.

With our expertise and commitment, we can help you navigate the complex process of blowing the whistle and work to hold wrongdoers accountable. Together, we can make a difference in the fight against fraud and protect our nation’s critical defense infrastructure.