
Evan D. Wolff is a partner in Crowell & Moring's Washington, D.C. office, where he is co-chair of the firm's Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity. The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information. The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using.

Continue Reading Going Hard on Software: OMB Unveils Mandatory Software Supply Chain Security Compliance Requirements

After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP).  The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification.  The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.

Continue Reading No Summer Break for Cyber: Newly Unveiled CMMC Assessment Process Provides Industry with Upcoming Assessment Insights

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces.  In this episode, Evan Wolff and Chris Hebdon discuss the notable cybersecurity provisions and omissions in the National Defense Authorization Act (NDAA) for Fiscal Year 2022.

Listen: Crowell.com | PodBean | SoundCloud

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, hosts Evan Wolff and Kate Growley talk through the fundamental changes that the DoD has announced will be made under “CMMC 2.0.”

Listen: Crowell.com | PodBean | SoundCloud | Apple

The Department of Defense (DoD) recently announced significant changes to its Cybersecurity Maturity Model Certification (CMMC) program intended to simplify the requirements and ease the compliance burden on contractors.  Unlike its predecessor, the new CMMC 2.0 moves to three compliance levels rather than five; aligns the required security controls (known as practices) with National Institute

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, host Evan Wolff talks with Chris Hebdon about micro-purchases and the cybersecurity obligations that contractors may encounter in the performance of these small dollar contracts.

Listen: Crowell.com | PodBean

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this second episode of a three-part series, hosts Kate Growley and Evan Wolff overview the high points from the new DFARS clauses 252.204-7019 and -7020.

Listen: Crowell.com | PodBean | SoundCloud

In this episode, hosts Kate Growley and Evan Wolff talk with Matthew Welling about all things ransomware, including how to prepare for and respond to these kinds of incidents.  Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces.

Listen: Crowell.com | PodBean

In this episode, host Evan Wolff discusses the Biden Administration’s recent Executive Order on Improving the Nation’s Cybersecurity. Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces.

Listen: Crowell.com | PodBean