On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.Continue Reading Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
Jacob Harrison
Jacob Harrison helps his clients navigate both domestic and international legal challenges.
Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.
In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.
During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.
CMMC Final Rule Includes M&A Trigger for New Assessment
As Crowell covered in a recent alert, the Department of Defense (DoD) on October 11, 2024 released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).Continue Reading CMMC Final Rule Includes M&A Trigger for New Assessment
Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] Continue Reading Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause
On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts. Continue Reading DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause
NIST Releases Final Version of NIST SP 800-171, Revision 3
On May 14, 2024, the National Institute of Standard and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and its companion assessment guide, NIST SP 800-171A, Revision 3 (collectively, “Rev. 3 Final Version”). While the Department of Defense (DoD) is not requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3 for now, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cyber Maturity Model Certification (CMMC) program. Continue Reading NIST Releases Final Version of NIST SP 800-171, Revision 3
No End “Insight” for DOJ’s Civil Cyber-Fraud Initiative
On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services. Although contracts with state agencies generally fall outside the FCA’s ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA’s scope. Continue Reading No End “Insight” for DOJ’s Civil Cyber-Fraud Initiative
“Miss Me with Rev. 3,” Says DoD: DoD Issues Class Deviation Linking DFARS 7012 to NIST SP 800-171, Rev. 2
On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), specifying that contractors subject to the clause must comply with NIST SP 800-171, Revision 2. The deviation (labeled Deviation 2024-O0013) will delay the incorporation of NIST…
Software Developments: CISA Finalizes Attestation Form, Triggering Secure Software Development Implementation
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.Continue Reading Software Developments: CISA Finalizes Attestation Form, Triggering Secure Software Development Implementation
Who I(aa)S Your Foreign Customer? Department of Commerce Proposes Foreign Customer Identification Requirements For U.S. IaaS Providers
On January 29, 2024, the Department of Commerce released a proposed rule: Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, which solicits comments regarding a proposed new set of regulations that would introduce significant new requirements for U.S.-based Infrastructure as a Service (IaaS) providers. The proposed rule implements requirements from the January 2021 Executive Order Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities and part of the October 2023 Executive Order Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. If Commerce implements the regulations as proposed, IaaS providers would be required to create a Customer Identification Program (CIP), ensure any foreign resellers maintain a CIP, track all customer identities, verify the identities of foreign customers, and report certain transactions implicating large AI models that could be used for malicious cyber-enabled activities. The Department is soliciting comments on all aspects of the proposed rule by April 29, 2024.Continue Reading Who I(aa)S Your Foreign Customer? Department of Commerce Proposes Foreign Customer Identification Requirements For U.S. IaaS Providers
No Longer Cloudy: DoD Issues New Guidance on FedRAMP Moderate Equivalency Cloud Security Requirements
The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP) to be Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline “equivalent” and meet incident reporting requirements under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). The memorandum states, in order to be considered FedRAMP equivalent going forward, CSPs must (1) be FedRAMP Moderate/High-Authorized, or (2) secure a third-party assessment confirming their compliance with all FedRAMP Moderate baseline security controls.Continue Reading No Longer Cloudy: DoD Issues New Guidance on FedRAMP Moderate Equivalency Cloud Security Requirements