On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts. The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information. The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.Continue Reading From Yellow Jackets to Red Flags: DOJ Stings Georgia Tech for Alleged Cybersecurity Noncompliance
Trump Administration Cyber Executive Order Revises Prior Administrations’ Requirements
On June 6, 2025 President Trump signed an Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (the “Trump Cyber EO”). The Trump Cyber EO rescinds and modifies select Biden administration guidance from EO 14144 covering several cybersecurity regimes, including digital identity verification, artificial intelligence, and secure software development practices, and it amends Obama administration guidance from EO 13694 authorizing sanctions on persons involved in malicious cyber activities. We have provided a summary of significant changes made by the Trump Cyber EO below.Continue Reading Trump Administration Cyber Executive Order Revises Prior Administrations’ Requirements
DoD Specifies Implementation Requirements for NIST 800-171 Cyber Standard
The Department of Defense (DoD) has released a memorandum establishing the DoD Organization-Defined Parameters (ODPs) for use in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision (Rev) 3. Currently, DoD’s cybersecurity regimes require government contractors to comply with NIST SP 800-171 Rev. 2. However, the release of this memorandum may indicate DoD’s intention to soon incorporate Rev. 3 into DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cybersecurity Maturity Model Certification (CMMC).Continue Reading DoD Specifies Implementation Requirements for NIST 800-171 Cyber Standard
For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative
On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.Continue Reading For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative
Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers
On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.Continue Reading Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers
FedRAMP 20x: Proposed Framework Aims To Increase Automation and Efficiency
On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation. Continue Reading FedRAMP 20x: Proposed Framework Aims To Increase Automation and Efficiency
An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels
Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.Continue Reading An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels
Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements
On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors. The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies. The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:Continue Reading Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements
NICE and Easy: Proposed Cybersecurity FAR Amendment Incorporates NICE Framework, Standardizing Cybersecurity Workforce Descriptions
On January 3, 2025, the FAR Council released a proposed rule titled Strengthening America’s Cybersecurity Workforce (the Proposed Rule). The Proposed Rule would amend the Federal Acquisition Regulation (FAR) by standardizing workforce criteria for cybersecurity and information technology support services contracts. The Proposed Rule implements a 2019 executive order, America’s Cybersecurity Workforce, which emphasized the strategic importance of a strong cybersecurity workforce. Comments will be accepted until March 4, 2025, and the FAR Council specifically invites comments on the Proposed Rule’s impact on small entities.Continue Reading NICE and Easy: Proposed Cybersecurity FAR Amendment Incorporates NICE Framework, Standardizing Cybersecurity Workforce Descriptions
Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.Continue Reading Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance