October 2021

Karlton Johnson, Robert Metzger, Brian Kelly + more at PreVeil’s 11/3 CMMC Summit

On November 3rd, PreVeil’s 2nd Annual CMMC Summit will provide an exclusive opportunity to learn and gain insights on the CMMC Program from leading compliance experts.

Sign up to hear from scheduled speakers:

- Karlton Johnson (Chair, CMMC-AB)
- Robert Metzger (RJO)
- Stacy High-Brinkley (Cask – C3PAO)
- Karen Stanford (C3PAO Candidate)
- Robert Teague (Redspin - C3PAO)
- Ted Steffan (Sr. Security Partner Strategist at AWS)
- And more…

Don’t miss this incredible opportunity. Sign up today! https://us02web.zoom.us/webinar/register/1016351273856/WN_6pPldwpvQ2yOA_9davoKug


Government Prepares To Pursue New False Claims Act Cases

The Government is preparing to pursue new False Claims Act cases against DoD contractors who misrepresent their cybersecurity compliance status. Just last week, Deputy Attorney General Monaco said “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.”

See the full news release here: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative

This highly relevant recent bulletin from the U.S. Department of Justice also states:

“The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.”

This is a great follow-up that reinforces the point made by former federal prosecutor Kenji Price, who emphasized the emergence of the FCA as a Federal Government tool to enforce cybersecurity. All DoD contractors should be paying close attention to these developments and making plans accordingly. Please let us know if you have any questions about this topic or suggestions for related matters that you’d like to see addressed in future webinars.

This further emphasizes why you should continue with your NIST 800-171 compliance efforts and ensure that you are minimally at the level set in the DoD Interim Rule of November 2020.

SERVICES

We will perform a pre-CMMC review to help you prepare for your CMMC at levels 1-3. This includes setting up your NIST 800-171 score and starting you on your way to completing your SSP and POAM. Our goal is to make you as self-sufficient as you want. GJB and Associates provides multiple packages for these services. For more information, please email sales@gjbandassociates.com.



Controlled Unclassified Information (CUI) and the Fate of CMMC

Please note: the FAR CUI rule (FAR Case 2017-016) appears to be on schedule for publication by the end of the year. This rule does two big things:

1) Provides a framework for identifying CUI in government contracts.
2) Mandates NIST SP 800-171 as the minimum requirements for safeguarding CUI for all agencies and their contractors.

Regardless of what happens to CMMC in name or substance, NIST SP 800-171 remains the standard for compliance. Doubts around CMMC have more to do with “how” NIST SP 800-171 will be verified for contractors rather than “if”.

Thousands of companies have conducted NIST SP 800-171 self-assessments, calculated their scores according to the DoD Assessment Methodology, and officially reported those scores to the government via SPRS to comply with the DFARS interim rule issued in November 2020. It is estimated that many of these companies have been “generous” with their scores.

FedScoop's May 13, 2021 issue states:

The DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company, which was not named, to move forward in the Cybersecurity Maturity Model Certification (CMMC) process, a spokesperson told FedScoop. Now, it is up to the CMMC Accreditation Body (CMMC-AB) to grant the company Certified Third Party Assessment Organization (C3PAO) status, meaning that it can officially assess the maturity of defense contractors’ cybersecurity in compliance with new CMMC requirements.

DIBCAC can come calling to verify your score at any time. Are you “sincerely or generously” prepared?
