On Sept. 10, 2025, the Department Defense (DoD) issued a final rule amending the Defense Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors.
Continue Reading Recapping CMMC Level 3: Considerations for Government Contractors
Starting Nov. 10, 2025, contractors and subcontractors handling controlled unclassified information (CUI) may be required to have a current CMMC Level 2 self-assessment for new contracts and option exercises involving CUI.
Continue Reading Recapping CMMC Level 2: Considerations for Government Contractors
On Sept. 10, 2025, the Department Defense (DoD) issued a final rule amending the Defense Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors. This final rule established a November 10, 2025 go-live date for the start of phase 1 of CMMC. As we covered in our prior
In June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued draft updated guidance for public comment on the Minimum Elements for a Software Bill of Materials (SBOM), which the National Telecommunications and Information Administration (NTIA) first published in 2021 for federal agencies in response to Executive Order 14028 on Improving the Nation’s Cybersecurity.
Continue Reading Software Bill of Materials Guidance for Government Contractors
Cybersecurity month starts with a critical compliance date for the Department of Justice (DOJ)’s Data Security Program (DSP). Starting on Oct. 6, any U.S. person or company handling Americans’ bulk sensitive or personal data or U.S. government-related data must implement a written data compliance program that lays out specified due diligence, audit, reporting, and recordkeeping processes for covered data transactions.
Continue Reading Incoming Deadlines and Requirements for DOJ’s Data Security Program on Oct. 6, 2025
On July 31, 2025, the Fraud Section of the U.S. Department of Justice’s Commercial Litigation Branch (Fraud Section) announced new settlement agreements with government contractors to resolve their respective False Claims Act (FCA) liabilities arising out of cyber fraud allegations.
Continue Reading DOJ Settles Cybersecurity FCA Claims With PE Firm and Government Contractors
Despite the potentially sweeping impact of the proposed FAR CUI Rule (Proposed Rule), less than 30 comments have been filed to date during the comment period, which ends March 17, 2025.
Continue Reading Proposed FAR CUI Rulemaking Nears Comment Deadline
On Jan. 15, 2025, the Department of Defense (DoD), General Services Administration, and NASA, all members of the FAR Council, published a proposed FAR CUI Rule under Title 48 of the CFR. This proposed rule amends the Federal Acquisition Regulation (FAR) to implement the third and final piece of the National Archives and Records Administration’s
On Oct. 21, 2024, the OMB Office of Information and Regulatory Affairs (OIRA) concluded its regulatory review of the long-awaited Federal Acquisition Regulation Controlled Unclassified Information Rule (FAR CUI Rule), clearing the proposed rule’s path for publication in the Federal Register in 2024.
The FAR CUI Rule is being issued pursuant to Executive Order 13556
On Oct. 14, 2024, the Department of Defense (DoD) published the final rule that would implement the Cybersecurity Maturity Model Certification 2.0 (CMMC) Program under 32 CFR Part 170 (Final Rule) to the Federal Register. The Final Rule comes less than 10 months after DoD published the proposed rule, which yielded approximately 361 submissions