Preparing for What DOD Cybersecurity Audits May Uncover
The landscape of defense contracting compliance has shifted dramatically. The U.S. Department of Defense (DOD) released the final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program on September 9, with phased implementation beginning shortly thereafter on November 10. The goal of this major change is to enhance protections for sensitive information across the defense industrial base.
For years, defense contractors were required to implement cybersecurity requirements based on the National Institute of Standards and Technology’s Special Publication 800-171. Compliance under that previous system relied on contractors to self-validate and report their adherence without outside certification.
The Era of Assessment and Certification
That reliance on self-validation is over. The CMMC program requires assessment and certification, meaning contractors may now be required to allow outside auditors to inspect their information systems. To continue competing for defense contracts, these systems must pass an assessment and achieve a required certification level to handle sensitive information.
Depending on the type of information handled, the level of assessment varies:
- Contractors needing CMMC Level 1 (for handling federal contract information) must complete a self-assessment and report the results.
- Most contractors needing CMMC Level 2 (required for certain types of controlled unclassified information, or CUI) will need an outside assessment from a certified third-party assessment organization.
- To achieve the highest certification, CMMC Level 3, a contractor’s information system must successfully complete the Level 2 third-party assessment and a separate assessment from the Defense Industrial Base Cybersecurity Assessment Center.
These outside assessments must be completed once every three years. While this process improves transparency, it significantly increases the possibility of discovering prior, unknown instances of noncompliance.
Unanticipated Risks: False Claims and Export Controls
As the CMMC assessment process increases cybersecurity transparency, companies are exposed to greater risk regarding past violations, which—whether intentional or not—may result in adverse government action.
False Claims Act (FCA) Liability
Litigation involving contractor cybersecurity fraud is not new, especially since the U.S. Department of Justice began its Civil Cyber-Fraud Initiative in 2021 to target cybersecurity-related fraud. Under the FCA, the DOJ can hold companies accountable if they knowingly, or even recklessly, misled the government about their cybersecurity compliance.
Past cybersecurity violations are now more likely to be exposed during the CMMC assessment process. Companies that may have previously misrepresented their compliance with NIST SP 800-171, or those that attested to compliance without verification, are now at increased risk of FCA litigation as they reexamine their current cybersecurity posture.
Export Control Violations
CMMC assessments may also highlight unanticipated export control violations. Sensitive government information, including CUI and federal contract information, can be subject to the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).
Even companies that do not physically export products can face these violations. Deemed exports can occur, for instance, when controlled technical data is released to foreign nationals who are working within the U.S., such as employees or contractors. Furthermore, violations can arise if export-controlled technical data is improperly stored, shared, or accessed, such as by using commercial cloud platforms that are not configured for compliant use.
Contractors and subcontractors should recognize that the DOD is not the only agency regulating this sensitive information; the State and Commerce Departments may also pursue enforcement actions for export control violations.
Recommendations Moving Forward
With the CMMC incorporating new assessment procedures and outside audits, the risk of discovering unintended violations is high. All defense contractors must become more cautious and deliberate with their compliance efforts.
To mitigate enforcement risk, contractors should act promptly to address existing compliance gaps:
- Develop a clear understanding of the new CMMC program requirements and train employees to recognize and properly handle federal contract information and CUI.
- Improve internal policies for cybersecurity and incident reporting procedures to prevent future violations.
- Audit data and supply chains, particularly when working with third parties.
Contractors that suspect prior cybersecurity or export control violations should address these issues immediately and incorporate new procedures for future compliance to limit potential exposure.