On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] Continue Reading Cybersecurity Matured: DoD Finalizes Cybersecurity Maturity Model Certification (CMMC) Program
Cyber
Civil Cyber-Fraud Settlement Highlights Potential for Cooperation Credit
A False Claims Act (FCA) settlement recently announced by the U.S. Department of Justice stands at the intersection of two evolving trends: DOJ’s increasing focus on cybersecurity lapses by government contractors as part of its Civil Cyber-Fraud Initiative, and DOJ policies incentivizing corporations to voluntarily self-disclose violations of federal law.
On September 5, 2023, DOJ announced a $4 million settlement with Verizon Business Network Services LLC (Verizon) addressing allegations that Verizon violated the FCA because certain telecommunications services it provided to federal agencies under its General Services Administration (GSA) contracts did not comply with applicable cybersecurity requirements, namely the Office of Management and Budget’s Trusted Internet Connections (TIC) initiative. DOJ specifically alleged that Verizon’s Managed Trusted Internet Protocol Service (MTIPS)—an information technology service that allows federal agencies to securely connect to public internet and external networks—did not comply with three security controls in the Department of Homeland Security’s TIC Reference Architecture Document, including a control that required the use of FIPS 140-2 validated cryptography. The Verizon settlement represents the latest example of DOJ’s continued focus on cybersecurity cases, a trend that we believe will only continue to escalate going forward.Continue Reading Civil Cyber-Fraud Settlement Highlights Potential for Cooperation Credit
Fastest 5 Minutes: False Claims Act, Cybersecurity
This week’s episode covers two notable False Claims Act settlements and the White House National Cybersecurity Strategy Implementation Plan, and is hosted by Peter Eyre and Yuan Zhou. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts…
Biden Admin Eyes IoT Cyber Practices
On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communication Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase. Continue Reading Biden Admin Eyes IoT Cyber Practices
Spring Has Sprung New Cyber Requirements: NIST Unveils Draft Revision 3 to NIST SP 800-171
On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft of NIST Special Publication (SP) 800-171 Revision 3, containing new and revised cybersecurity controls that, when finalized, will be required for federal contractors handling Controlled Unclassified Information (CUI).
NIST proposed five key changes to NIST SP 800-171:
- New controls
Draft NIST Guidance Highlights Supply Chain Fundamentals as Key Practices in Cyber Supply Chain Risk Management
Last week, the National Institute of Standards and Technology (NIST) published the draft NISTIR 8276 “Key Practices in Cyber Supply Chain Risk Management” providing Key Practices and related recommendations for monitoring, controlling, and understanding how to conduct cyber – supply chain risk management (C-SCRM). The Eight Key Practices are general and apply equally, in practice,…
Interim Rule Could Expand Already Onerous DFARS Cyber Requirements
Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors. Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in …