
Navigating the Cybersecurity Maturity Model Certification (CMMC)



What does Cybersecurity Maturity Model Certification (CMMC) mean, and how does Centre's designation help contractors and subcontractors?

Centre Law & Consulting is now a Cybersecurity Maturity Model Certification (CMMC) Accreditation Board (AB) Registered Practitioner Organization (RPO).  We are one of the first law firms to get this designation.  But that is a lot of acronyms in a very short amount of space; what does that mean?  More importantly, how does it impact the services that you can expect from Centre?

What is the CMMC-AB and what are they designating?

The Department of Defense (DoD) (now you understand why there are so many acronyms) has been attempting to improve the cybersecurity of its vendors for years.  In 2016, DoD promulgated DFARS Clause 252.204-7012, which imposed cybersecurity requirements on certain contractors.  Unfortunately, not every contractor complied with these requirements.

The DoD worked with the Johns Hopkins Applied Physics Laboratory, the Carnegie Mellon University Software Engineering Institute, and others to develop a new method to help address this problem: the CMMC framework.

The CMMC framework requires an independent assessment of a contractor’s cybersecurity program.  Assessing all the defense industrial base’s cybersecurity is beyond the DoD’s capabilities.  To handle this workload, the DoD contracted with the CMMC-AB, a non-profit, which will train and oversee the private entities that will conduct the actual assessments: the CMMC 3rd Party Assessor Organizations (C3PAO).  In short, DoD defines the standards, while the CMMC-AB manages the ecosystem.

The CMMC-AB has created additional designations for organizations in the CMMC ecosystem, because the CMMC requires more than assessors to be successful.  In addition to the C3PAOs, the CMMC designates RPOs, Licensed Partner Publishers, and Licensed Training Providers, among others.  Centre has achieved the RPO designation.

C3PAOs are not permitted to provide consulting services to organizations that they are assessing (they can consult with organizations they will not assess).  RPOs, and the Registered Practitioners (RP) who work for them, provide “advice, consulting, and recommendations” to organizations seeking a CMMC maturity level.  In other words, an RPO helps an organization prepare for an assessment, and a C3PAO conducts an assessment.

But why would someone hire a law firm as an RPO?

Law firms offer several advantages as an RPO.

Government contractors frequently have existing, and sometimes extensive, cybersecurity obligations.  The legal consequences for a failure to meet those obligations can be severe.  The federal government has pursued False Claims Act cases related to insufficient cybersecurity.  Other enforcement agencies have pursued claims related to cybersecurity, going so far as to put at least one company out of business.  Civil litigation is also a concern.

Law firms are well positioned to evaluate clients’ compliance efforts in a confidential manner.  Organizations that are unsure about whether they currently meet their obligations should retain legal counsel to evaluate their obligations and assist in improving their cybersecurity posture, if necessary.  These efforts may be protected by attorney-client privilege and work product protection, which is especially important in the wake of a data breach.

Law firms are also well positioned to link a cybersecurity program into broader corporate governance, including the controls necessary to protect company executives from personal liability.  Cybersecurity is the responsibility of senior leadership in any organization, and cybersecurity failures can be attributed to leadership, both at publicly traded companies and private entities.

Finally, cybersecurity often impacts other legal disciplines, such as licensing, employment, and intellectual property.  Having a single entity capable of advising on all these interrelated concerns can be more cost effective, provide more consistent and effective guidance, and reduce stress, especially for small businesses.

By combining law firm expertise and the training necessary to become an RPO, Centre is well positioned to advise clients on cybersecurity generally and CMMC compliance specifically.  Many clients find it useful to start with a small, discrete engagement, such as a tabletop exercise or a risk assessment, before engaging in a more long-term partnership.

About the Author

Brandon Graves is a Partner at Centre Law & Consulting focusing on cybersecurity practices. He helps clients manage everything from crises related to security breaches, regulatory investigations, and disputes, to helping companies operate more securely in their normal course of business. Recently, Brandon has assisted companies in developing information security programs, preparing for certifications under the DoD’s Cybersecurity Maturity Model, and managing their supply chain risk.



All Rights Reserved © 2020