How do CMMC 2.0 & Civil Cyber-Fraud Initiative Fit Together?

By: Emma Roberts, Commercial Projects Coordinator, & Andy Paul, Director of Commercial Cybersecurity Services

What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is used to ensure all firms within the Defense Industrial Base (DIB) are following the proper protocols when protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Eventually, all defense partners will be required to prove compliance with one of the three levels within CMMC 2.0 for federal work through either self-attestations or formal Certified Third-Party Assessor Organizations (C3PAOs).

What is Civil Cyber-Fraud Initiative?
The Department of Justice recently announced a new Civil Cyber-Fraud Initiative to combat cybersecurity fraud by government contractors and federal fund recipients by applying the False Claims Act (FCA) to cybersecurity self-attestations. The initiative includes a whistleblower provision which under FCA awards up to 30% of all damages and fines to the whistleblower while protecting them from retribution. In 2020, the DOJ obtained more than $2.2 billion in settlements and judgements with over $300 million in whistleblower payouts (Source: The United States Department of Justice). An organization’s entities and individuals can and will be held accountable for any cybersecurity failures that put U.S. information and systems at risk. It is crucial for policies, procedures, and cybersecurity controls to be emplaced and continuously monitored to secure sensitive information and mitigate the risk of litigation.

How do CMMC and Civil Cyber-Fraud Initiative Mesh Together?
CMMC (or a similar framework) will become the new cybersecurity standards for all federal agencies. The Department of Defense (DoD) recently revised the CMMC program to promote the adoption of cybersecurity practices and set priorities to protect U.S. information.

CMMC and the Civil Cyber-Fraud Initiative operate hand in hand. CMMC emphasizes extensive cybersecurity compliance, while the Civil Cyber-Fraud Initiative enforces cybersecurity controls and the disclosure of breaches. DoD contractors should implement CMMC and other DoD cybersecurity requirements to fulfill compliance requirements, achieve greater security, and reduce the risk of breach and FCA liability. The companies that comply with CMMC and NIST will be better protected and possess supplier leverage by differentiating themselves with CMMC certification.

Learn more about CMMC and how Gray Analytics can help

Why Gray Analytics?
Gray Analytics is an established expert aiding federal agencies and contractors to secure their IT infrastructure and achieve their compliance goals in accordance with today’s ever-changing regulatory environment.

Our team of professionals, comprised of Engineers, Auditors, CMMC RPs and SMEs, can help your organization navigate the complexities of cybersecurity compliance. As a CMMC Registered Provider Organization (RPO), Gray Analytics helps companies reach their desired cyber maturity level not only through gap analysis, penetration testing, audit readiness and mock audits packages but also by assisting with the resolution of any findings. CMMC certification will not only prepare you down the road, but it will guide your cybersecurity compliance journey today.

The need for cybersecurity risk management, compliance, and governance will only continue to grow. Gray Analytics is committed to helping our customers maintain compliance and reduce the risk of FCA litigation from the DOJ while helping our customers achieve their CMMC goals.