Jessica Chao

Subscribe to Jessica Chao's Posts

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.Continue Reading An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels

On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA).  The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.Continue Reading Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance

On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] Continue Reading Cybersecurity Matured:  DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program

On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities:  the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud.  This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).Continue Reading Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative

On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services.  Although contracts with state agencies generally fall outside the FCA’s ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA’s scope. Continue Reading No End “Insight” for DOJ’s Civil Cyber-Fraud Initiative