Photo of Michael G. Gruden, CIPP/G

Michael G. Gruden, CIPP/G

Subscribe to Michael G. Gruden, CIPP/G's Posts

Michael G. Gruden is a counsel in Crowell & Moring's Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section's Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Contact:Read more about Michael G. Gruden, CIPP/G

In an important first, the yearly defense policy law, the National Defense Authorization Act (NDAA) for Fiscal Year 2026, directs the Department of Defense (DoD)  to develop and implement a framework addressing the cybersecurity and physical security of artificial intelligence and machine learning technologies (AI/ML) acquired by the Pentagon.Continue Reading CMMC for AI? Defense Policy Law Imposes AI Security Framework and Requirements on Contractors

On December 18, 2025, the Fiscal Year 2026 National Defense Authorization Act (FY 2026 NDAA) (P.L. 119-60) was signed into law. The Act makes significant changes to defense acquisition, sourcing restrictions, and interactions between the Defense Industrial Base (DIB) and the Department of Defense (DOD). Continue Reading The FY 2026 National Defense Authorization Act

Earlier this month, the Department of Justice (DOJ) announced that Swiss Automation Inc., an Illinois-based precision machining company, agreed to pay $421,234 to resolve allegations that it violated the False Claims Act (FCA) by inadequately protecting technical drawings for parts delivered to Department of Defense (DoD) prime contractors.  This settlement reflects DOJ’s persistent emphasis on cybersecurity compliance across all levels of the defense industrial base, reaching beyond prime contractors to encompass subcontractors and smaller suppliers.  The settlement is also a reminder to all contractors not to overlook the often confusing relationship between Controlled Unclassified Information (CUI) and export-controlled information.Continue Reading An ITAR-ly Critical Reminder of Cybersecurity Requirements: DOJ Settles with Swiss Automation, Inc.

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.Continue Reading From Yellow Jackets to Red Flags: DOJ Stings Georgia Tech for Alleged Cybersecurity Noncompliance

This week’s episode covers DOD’s final rule applying the Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors, and is hosted by Peter Eyre and Michael Gruden. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government

On July 31, 2025, the Department of Justice (DOJ) announced that Illumina, Inc. will pay $9.8 million to resolve allegations that it violated the False Claims Act (FCA) by selling genomic sequencing systems with software containing cybersecurity vulnerabilities to federal agencies. This is the first FCA settlement involving claims that a medical manufacturer failed to incorporate adequate product cybersecurity into its software design and development.Continue Reading Hardening Software Security: DOJ’s Civil Cyber Fraud Settlements Continue to Illumina[te] the Importance of Cybersecurity

On July 23, 2025, the White House released Winning the Race: America’s AI Action Plan (“the Plan”) the Trump Administration’s most significant policy statement on artificial intelligence to date.Continue Reading White House AI Action Plan Seeks to Establish “Dominance,” Boost Innovation, and Scrutinize Regulations

On June 6, 2025 President Trump signed an Executive OrderSustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (the “Trump Cyber EO”). The Trump Cyber EO rescinds and modifies select Biden administration guidance from EO 14144 covering several cybersecurity regimes, including digital identity verification, artificial intelligence, and secure software development practices, and it amends Obama administration guidance from EO 13694 authorizing sanctions on persons involved in malicious cyber activities. We have provided a summary of significant changes made by the Trump Cyber EO below.Continue Reading Trump Administration Cyber Executive Order Revises Prior Administrations’ Requirements

The Department of Defense (DoD) has released a memorandum establishing the DoD Organization-Defined Parameters (ODPs) for use in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision (Rev) 3. Currently, DoD’s cybersecurity regimes require government contractors to comply with NIST SP 800-171 Rev. 2. However, the release of this memorandum may indicate DoD’s intention to soon incorporate Rev. 3 into DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cybersecurity Maturity Model Certification (CMMC).Continue Reading DoD Specifies Implementation Requirements for NIST 800-171 Cyber Standard

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.Continue Reading Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers