Popular Articles

Recent Stories

CMMC Program Rule Finalized; Implementation Likely to Begin in 2025

The U.S. Department of Defense (DoD) published a final rule on October 11, 2024 which formalizes and sets the stage for the implementation of its Cybersecurity Maturity Model Certification (CMMC) program.

The CMMC Program aims to ensure that DoD contractors and subcontractors securely handle sensitive government information falling into the following categories:

        • Controlled Unclassified Information (CUI)
        • Federal Contract Information (FCI)

The program will be implemented in four phases, with Phase 1 to start when a separate CMMC rule, the CMMC Clause Rule, is finalized, which will likely occur in 2025.

For each contract, DoD will determine, based on the information being shared, if the CMMC Program applies, and if so, which level of the program (of Levels 1, 2, and 3) will apply. Higher levels require more sophisticated and intensive assessments. For example, Level 1 will require an annual self-assessment, while Level 3 will require a triannual third-party assessment.

Generally, Level 1 applies to contracts involving only FCI, Level 2 to contracts with CUI, and Level 3 to contracts with high-value CUI.

Generally, under the Program, contractors must certify compliance with the 110 cybersecurity controls set forth in National Institute of Standards & Technology Special Publication 800-171A (NIST SP 800-171A), or -172A where applicable. On Level 1 contracts, such certification is only required for 17 of those controls.

With the above in mind, there are steps contractors with DoD contracts can take now to prepare:

Review DoD Contracts: Identify if you handle CUI or FCI on existing contracts and put together a forecast of your require CMMC level.
Conduct Readiness Assessments under Attorney-Client Privilege: To evaluate CMMC compliance under attorney-client privilege, ensure your attorney is included on all conversations about CMMC readiness, via email or otherwise, including technical discussions and gap analysis, to reduce the risk of such findings being disclosed in litigation or other proceeding or investigation in the future.
Develop System Security Plan (SSP): Map data flow and complete an SSP identifying and describing all security controls. This will likely be required for assessment purposes.
Refine Corporate Policies: Ensure company cybersecurity policies are robust, draft incident response plans, etc.
Engage with CMMC-Certified Assessors: If you expect to be subject to Level 2 or Level 3, consider scheduling an assessment with a third-party assessor (C3PAO) early, as there will be a rush of companies trying to sign up. 

 

Nonsuit Obtained Thanks to New Virginia Rules of Evidence

The firm was recently on the winning end of a case in the Loudoun Circuit Court, through the effective application of the new Virginia Rules of Evidence which were adopted by the Virginia General Assembly on July 1, 2012.

The New Rules of Evidence

The new Rules represent a “sea change” in Virginia trial practice, according to many, but will bring the Commonwealth in line with 48 other states that have codified rules of evidence (Massachusetts is now the lone state without codified rules). Rules of evidence are important because they dictate what information a lawyer can put before a judge or jury to prove a case. Virginia’s new Rules serve to replace the mish-mash of evidentiary rules established through the common law that were incomplete and tedious for lawyers to navigate in practice.

The Rules in Action

In August, less than two months after the Rules had been put in place, GarbiaPlocki attorneys Jeff Gaull and Ibrahim Moiz represented an individual at trial who signed as a commercial lease guarantor for a restaurant located in Ashburn, Virginia. When the restaurant owners could not keep up with rental payments, the plaza owners sued the restaurant and all guarantors named in the lease, including the firm’s client, for over $200,000.00.

During the discovery phase of the case leading up to trial, the plaza produced a ledger of accounting, showing a summary of the rents, fees, utilities and other charges that had accrued and were due and owed to the plaza.

At the bench trial before the Honorable Thomas Horne, the plaza’s attorney tried to move the ledger into evidence through a witness representing the plaza’s management company, to prove the amount of damages the plaza had incurred. The defendants jointly raised an objection under of the new Rules of Evidence, Rule 2: 1006 (“Summaries”), which states:

The contents of voluminous writings that, although admissible, cannot conveniently be examined in court may be represented in the form of a chart, summary, or calculation. Reasonably in advance of the offer of such chart, summary, or calculation, the originals or duplicates shall be made available for examination or copying, or both, by other parties at a reasonable time and place. The court may order that they be produced in court.

The defendants objected on the ground that no supporting documentation, including invoices, tax bills, receipts, etc. had been produced or been made available for review by the plaintiff in advance of trial.

Rather than proceed, and thereby risk that the case would lack any support for damages, the plaintiff took a nonsuit – in effect serving to dismiss the case. Taking a nonsuit allows the plaintiff to re-file the lawsuit anew at a later date.