Cybersecurity Maturity Model Certification (CMMC) and Whistleblower Connection
The Cybersecurity Maturity Model Certification (CMMC) final rule was posted on the Federal Register on October 15, 2024. The rule is expected to become effective on or about December 24, 2024, with certifications starting in the first quarter of 2025. The final CMMC rule aligns the program with the cybersecurity requirements described in Federal Acquisition Regulation part 52.204-21 and National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Rev 2 and -172. It also clearly identifies the 24 NIST SP 800-172 requirements mandated for CMMC Level 3 certification.
CMMC provides the tools to hold accountable the defense industrial base (DIB) entities or individuals that put U.S. information or systems at risk by knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. The CMMC Program includes annual affirmation requirements as well as certification requirements. As the final rule is interpreted, McKonly & Asbury’s CMMC team will publish more information on the key elements for monitoring and enforcing accountability of a company’s cybersecurity status.
The CMMC framework established by the U.S. Department of Defense (DoD) is intended to enhance the cybersecurity posture of defense contractors and their supply chains. Launched in 2020, CMMC aims to protect sensitive government information from cyber threats by requiring organizations to adhere to specific cybersecurity practices and processes. As this model is implemented across the defense industrial base, the role of whistleblowers becomes increasingly significant in ensuring compliance and enhancing overall security.
The Structure of CMMC
CMMC consists of three maturity levels, each progressively building upon the previous one. Organizations are evaluated based on their ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The levels range from basic cyber hygiene at Level 1 to advanced security practices at Level 3, demanding a comprehensive understanding of cybersecurity risks and the implementation of robust security measures. This structure, along with the annual affirmation and certification requirements, improves the cybersecurity standards within the defense industry and establishes a uniform benchmark that organizations must meet to be eligible for DoD contracts.
The Importance of Whistleblowers
Whistleblowers play a crucial role in maintaining the integrity of the CMMC framework. These individuals, often employees or contractors within organizations, are positioned to identify breaches of compliance, inadequate security measures, or outright fraud. Their willingness to report such issues is vital. They hold organizations accountable for their cybersecurity practices, encourage a culture of transparency, and provide insight into potential vulnerabilities that may not be apparent during formal audits or assessments. The firsthand experience of a whistleblower can highlight areas needing immediate attention, which can be critical in preventing cyber incidents.
The Whistleblower Connection
DIB organizations must not retaliate against a whistleblower or against an employee who is truthful during interviews conducted as part of a CMMC Certification Assessment. Fostering a culture of transparency is critical to the security of the country. The U.S. government and defense sector’s cybersecurity breach reports indicate a 30% increase in attacks on these entities from 2018 to 2022.
Whistleblowers have been an important part of protecting DoD security. Whistleblowers can receive 15% to 30% of the settlement, which can result in compensation in the millions. Aerojet Rocketdyne, which provides propulsion and power systems for federal agencies including DoD and NASA, agreed to pay $9 million for misrepresenting its compliance with cybersecurity requirements; the whistleblower received $2.61 million as his share. The Department of Justice (DOJ) continues to support whistleblowers who come forward from the DIB. In September 2023, the Penn State False Claims Act (FCA) lawsuit was unsealed. According to the lawsuit, Penn State University lied or misled about its adherence to government cybersecurity protocols when contracting with the federal government. In August 2024, the DoD added its own allegations to the whistleblower action against Georgia Tech Research Corporation and Georgia Institute of Technology, claiming failure to comply with NIST 800-171.
Conclusion
As CMMC moves forward and the DIB pursues CMMC certification, it is important to remember that transparency during the certification assessment is a core part of CMMC compliance. By protecting employees and encouraging them to be transparent and truthful during CMMC interviews, organizations will fortify their defenses against ever-evolving cyber threats. In the context of national security, the implications of CMMC compliance are profound, making non-retaliation an important part of the DIB’s resilient cybersecurity strategy.
To learn more about CMMC, be sure to visit our CMMC page, and don’t hesitate to contact Elaine Nissley or Mike Murray regarding our services.
About the Author
Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Internal Audit Services group. Elaine handles client relationships and is accountable for the delivery of high quality and timely d…