On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.Continue Reading Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers
An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels
Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.Continue Reading An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels
Declaration of No Independence: President Trump Asserts Control Over Independent Agencies Through Executive Order
On February 18, President Trump issued an Executive Order titled “Ensuring Accountability for All Agencies” that directs independent agencies (as well as Cabinet Departments and their sub-agencies) to route all “proposed and final significant regulatory” and budgetary actions through the White House and the Office of Management and Budget. If implemented to its full extent, this action will significantly strengthen the authority of the White House by weakening the political autonomy of these independent agencies. As an assertion of the President’s inherent powers under Article II of the U.S. Constitution, it also stands to weaken congressional influence over these independent agencies, both through the appropriations and confirmation processes.Continue Reading Declaration of No Independence: President Trump Asserts Control Over Independent Agencies Through Executive Order
Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements
On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors. The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies. The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:Continue Reading Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements
Second Circuit Holds FOIA Exemption 4 Still Requires Showing of “Competitive Harm” Resulting from Disclosure, Though Not a “Substantial” One
Last month, in Seife v. U.S. Food and Drug Administration, the U.S. Court of Appeals for the Second Circuit became the first appellate court to address a significant question left unanswered by the Supreme Court’s 2019 decision in Food Marketing Institute v. Argus Leader Media: what impact, if any, did the 2016 FOIA Improvement Act (“FIA”) have on FOIA Exemption 4? The answer: a submitter of information ostensibly subject to Exemption 4 must demonstrate competitive harm—though not “substantial” harm—resulting from disclosure in order to invoke the exemption.
Argus clarified the applicability of Exemption 4, which protects from disclosure “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” 5 U.S.C. § 552(b)(4). The Argus Court rejected the longstanding National Parks test, which applied Exemption 4 only where the submitter of such information could demonstrate “substantial competitive harm” resulting from its disclosure. Instead, the Argus Court held Exemption 4 applied, at the very least, where the submitter of such information kept it confidential and submitted it to the government with an assurance of privacy. Given the difficulties inherent in establishing “substantial competitive harm,” Argus was welcome news for contractors seeking Exemption 4 protection. (We have previously written about Argus and the district court decisions that followed.)
In 2016, Congress enacted the FIA in response to concerns that FOIA’s exemptions were being overused. The FIA amended FOIA to allow for an exemption’s invocation only if “the agency reasonably foresees that disclosure would harm an interest protected by an exemption” or if disclosure is “prohibited by law.” 5 U.S.C. § 552(a)(8)(A). Since Argus, multiple plaintiffs have argued the FIA effectively codified the National Parks test. (Argus considered a FOIA dispute that commenced prior to the passage of the FIA; the Court there had no reason to address the question.)Continue Reading Second Circuit Holds FOIA Exemption 4 Still Requires Showing of “Competitive Harm” Resulting from Disclosure, Though Not a “Substantial” One
OSHA Publishes Vaccine Requirements for Employers with 100 or More Employees
On November 4, 2021, the Occupational Safety and Health Administration (“OSHA”) released its much-anticipated COVID-19 Vaccination and Testing Emergency Temporary Standard (“ETS”) requiring employers with 100 or more employees to ensure that their employees are either vaccinated by January 4, 2022, or submit to weekly testing. According to OSHA, employees who are unvaccinated face a “grave danger” from COVID-19, including the more contagious Delta variant. The ETS notes that COVID-19 is highly transmissible—particularly in workplaces where multiple people interact throughout the day often for extended periods of time—and exposure to COVID-19 can result in death or illness, with some individuals experiencing long-term health complications. OSHA has determined that vaccination is the most effective way to protect these employees.
The ETS will take effect immediately upon publication in the Federal Register, which is scheduled for November 5, 2021. The ETS will apply in those states where OSHA is responsible for regulating workplace safety and health. Per OSHA regulations, states that have their own OSHA-approved occupational safety and health plans will have 15 days to notify OSHA of the action they will take and 30 days to adopt the ETS or promulgate standards that OSHA considers at least as effective as its ETS.
The OSHA ETS is part of a sweeping policy of the Biden Administration to get more American workers vaccinated. In addition to this ETS, the Centers for Medicare & Medicaid Services (“CMS”) released today a Vaccination Interim Final Rule (“IFR”) requiring workers at healthcare facilities participating in Medicare or Medicaid to be fully vaccinated. Both the OSHA and CMS actions follow on the heels of Executive Order 14042 mandating that certain federal contractors and subcontractors require their covered employees to receive vaccinations against COVID-19, with limited exceptions for those who cannot be vaccinated for legally-protected reasons, and OSHA’s June 10, 2021 ETS directed toward protecting healthcare workers in particular from COVID-19. Our previous alert on OSHA’s June 10, 2021 ETS is available here, and our alerts regarding Executive Order 14042 are available here. OSHA excludes from coverage under the ETS those employers who are subject to the CMS rule or the Executive Order 14042 mandate.
Although the ETS is very detailed—490 pages in all—the key takeaways and deadlines for compliance are below.
Continue Reading OSHA Publishes Vaccine Requirements for Employers with 100 or More Employees
Multiple Post-Argus Decisions Hold No “Assurance of Confidentiality” Required for FOIA Exemption 4
In a string of recent cases following the Supreme Court’s 2019 decision in Food Marketing Institute v. Argus Leader Media, multiple courts have held that a party submitting information to the government need not demonstrate it obtained an assurance of confidentiality from the government in order for the agency to justify withholding that information
SBA To No Longer Rely on Economic Necessity Questionnaires in Processing PPP Forgiveness Applications
On July 29, 2021, the Small Business Administration announced in an FAQ that it is discontinuing any reliance on the Loan Necessity Questionnaires, which the SBA had required of each borrower, that together with its affiliates, received Paycheck Protection Program loans with a principal amount of $2 million or greater. As we’ve previously discussed,
Coronavirus Update: OSHA Increases Scrutiny of COVID-19 Record-Keeping
The Occupational Safety and Health Administration (OSHA) issued interim guidance for enforcing the recording of occupational illnesses requirements, specifically for cases of coronavirus (COVID-19). This guidance rescinds OSHA’s earlier guidance providing for enforcement discretion on COVID-19 complaints arising outside of healthcare or emergency response employers. As of May 26, 2020, and until further notice, OSHA
Supreme Court Rules in Favor of Health Plans in Landmark $13 Billion Affordable Care Act Case
On April 27, the U.S. Supreme Court issued a decision in Maine Cmty. Health Options et al v. United States, ruling in favor of Maine and companion insurers in the long running Affordable Care Act §1342 “risk corridors” litigation, and confirming the government’s obligation to pay insurers approximately $13 billion for their work related