The Pentagon's stringent new cybersecurity rule for its contractors threatens to drive away companies that may struggle with the added costs of compliance, while exacerbating concerns about an already-shrinking defense industrial base.
[...]
Companies that do both commercial and government work may also choose to stop seeking defense contracts if they determine that complying with the CMMC hampers their overall business model, said Blank Rome LLP associate Michael Montalbano.
"You have a lot of these businesses where their IT infrastructure is combined," he said. "So, taking out that government work and trying to isolate it to an enclave, or finding a way to protect the government side while still keeping things as business-as-usual on the commercial side, it's a lot harder. You're basically trying to untangle a knot."
...
"My take from all of my clients is that they want to implement these protections, they want to be compliant," Montalbano said. "But the elephant in the room is that DOD doesn't really mark documents as CUI in a consistent manner, or provide clear instructions as to what is considered CUI, and that really makes it difficult for my clients to set up systems that have the correct security requirements in place to meet these requirements."
"New Cybersecurity Rules Threaten Defense Industrial Base," by Daniel Wilson, was published in Law360 on October 15, 2024.