Earlier this month, the Department of Justice (DOJ) announced that Swiss Automation Inc., an Illinois-based precision machining company, agreed to pay $421,234 to resolve allegations that it violated the False Claims Act (FCA) by inadequately protecting technical drawings for parts delivered to Department of Defense (DoD) prime contractors.  This settlement reflects DOJ’s persistent emphasis on cybersecurity compliance across all levels of the defense industrial base, reaching beyond prime contractors to encompass subcontractors and smaller suppliers.  The settlement is also a reminder to all contractors not to overlook the often confusing relationship between Controlled Unclassified Information (CUI) and export-controlled information.Continue Reading An ITAR-ly Critical Reminder of Cybersecurity Requirements: DOJ Settles with Swiss Automation, Inc.

On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.Continue Reading For Better or MORSE: Another Settlement Under DOJ’s Civil Cyber-Fraud Initiative

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.Continue Reading Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.Continue Reading An Un[waiver]ing Commitment to CMMC: The Department of Defense Issues Guidance for Determining Assessment Levels

On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors.  The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies.  The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:Continue Reading Cyber For All: Proposed Rule Introduces Government-Wide CUI Cybersecurity Requirements

On January 3, 2025, the FAR Council released a proposed rule titled Strengthening America’s Cybersecurity Workforce (the Proposed Rule).  The Proposed Rule would amend the Federal Acquisition Regulation (FAR) by standardizing workforce criteria for cybersecurity and information technology support services contracts.  The Proposed Rule implements a 2019 executive order, America’s Cybersecurity Workforce, which emphasized the strategic importance of a strong cybersecurity workforce.  Comments will be accepted until March 4, 2025, and the FAR Council specifically invites comments on the Proposed Rule’s impact on small entities.Continue Reading NICE and Easy: Proposed Cybersecurity FAR Amendment Incorporates NICE Framework, Standardizing Cybersecurity Workforce Descriptions

On November 15, 2024, the Department of Defense (DoD) issued a Proposed Rule implementing Section 1655 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019 (P.L. 115-232), over six years after Congress enacted the requirement. Continue Reading Six Years in the Making, DoD Releases Proposed Rule Requiring Disclosure of Foreign Review of Code for IT, Cybersecurity, Critical Infrastructure, and Weapons System Products and Services