An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”—appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.
Cybersecurity
Final DOD Rule Codifies 20-Year SBIR Data Protection Period and Other SBIR Program Protections While Punting Potential Changes To Marking Requirements


On December 17, 2024, the Department of Defense (DOD) published a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the data rights portions of the Small Business Innovation Research Program (SBIR) and Small Business Technology Transfer (STTR) Program Policy Directive, which itself was most recently amended in May 2023. The changes from this final rule will be effective as of January 17, 2025.
Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements






On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors. The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies. The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:
NICE and Easy: Proposed Cybersecurity FAR Amendment Incorporates NICE Framework, Standardizing Cybersecurity Workforce Descriptions



On January 3, 2025, the FAR Council released a proposed rule titled Strengthening America’s Cybersecurity Workforce (the Proposed Rule). The Proposed Rule would amend the Federal Acquisition Regulation (FAR) by standardizing workforce criteria for cybersecurity and information technology support services contracts. The Proposed Rule implements a 2019 executive order, America’s Cybersecurity Workforce, which emphasized the strategic importance of a strong cybersecurity workforce. Comments will be accepted until March 4, 2025, and the FAR Council specifically invites comments on the Proposed Rule’s impact on small entities.
Six Years in the Making, DoD Releases Proposed Rule Requiring Disclosure of Foreign Review of Code for IT, Cybersecurity, Critical Infrastructure, and Weapons System Products and Services




On November 15, 2024, the Department of Defense (DoD) issued a Proposed Rule implementing Section 1655 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (P.L. 115-232), over six years after Congress enacted the requirement.
Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance





On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.
CMMC Final Rule Includes M&A Trigger for New Assessment








As Crowell covered in a recent alert, the Department of Defense (DoD) on October 11, 2024 released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).
Fastest 5 Minutes

Cybersecurity, Health Information Technology
This week’s episode covers a False Claims Act whistleblower lawsuit involving failure to comply with federal cybersecurity requirements, a new CISA cyber incident reporting tool, and a proposed rule to implement an HHS-wide policy relating to health information technology, and is hosted by Peter Eyre. Crowell & Moring’s “Fastest 5 Minutes”…
Natural Intelligence: NIST Releases Draft Guidelines for Government Contractor Artificial Intelligence Disclosures



On August 21, 2024, the National Institute of Standards and Technology (NIST) released the Second Public Draft of Digital Identity Guidelines (hereinafter, “Draft Guidelines”) for final review. The Draft Guidelines introduce potentially notable requirements for government contractors using artificial intelligence (AI) systems. Among the most significant draft requirements are those related to the disclosure and transparency of AI and machine learning (ML). By doing so, NIST underscores its commitment to fostering secure, trustworthy, and transparent AI, while also addressing broader implications of bias and accountability. For government contractors, the Draft Guidelines are not just a set of recommendations but a blueprint for future AI standards and regulations.
DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause





On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts.