The wait is over – on September 18, 2025, almost 2 years after implementing the Interim Rule, the Office of the Director of National Intelligence (“ODNI”) issued a Federal Acquisition Supply Chain Security Act (“FASCSA”) order to remove and exclude products and services from Acronis AG, a Swiss cybersecurity and data protection company. Although the FASCSA FAR clauses were implemented in December 2023, this is the first FASCSA order issued by a federal agency. Below is a brief refresher on FASCSA and a reminder on the affirmative steps contractors must take in light of the FASCSA order.Continue Reading Order Up – The First FASCSA Order Has Been Issued by ODNI

On September 10, 2025, the final rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published with an effective date of November 10, 2025 (i.e., 60 days after publication). This is the trigger for the new CMMC clause to start appearing in solicitations and contracts.Continue Reading Don’t Fall Behind: The CMMC Final Rule to Update the DFARS is Here!

The inexorable expansion of the False Claims Act (“FCA”) to cover virtually all types of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls – continues. At one time, an organization might have thought that it was unlikely to face a potential FCA investigation and litigation relating to its cybersecurity practices. That day is long past. Two recent FCA settlements illustrate the expansion: one is the first cybersecurity FCA settlement relating to healthcare Quality System Regulations (“QSR”) and the other involves the first settlement with a defense contractor that also pulls in its private equity owner.Continue Reading The Expanding Scope of FCA-Cybersecurity Liability

In United States v. Chastain, No. 23-7038, 2025 WL 2165839 (2d Cir. July 31, 2025), the United States Court of Appeals for the Second Circuit vacated wire fraud and money laundering convictions in what the government described as its first crypto insider trading case. The case involves a former employee of OpenSea, an online non-fungible token (“NFT”) marketplace, who allegedly used confidential information about which NFTs would be featured on OpenSea’s homepage to purchase those NFTs before they were promoted, then sold them after a post-promotion price bump for a profit. At trial, the United States District Court for the Southern District of New York instructed the jury that property protected by the wire fraud statute need not have commercial value, and the defendant could be convicted of wire fraud by failing to abide by societal mores. On appeal, the Second Circuit held that both instructions were prejudicial error that warranted a new trial. The Second Circuit’s decision follows the United States Supreme Court’s recent lead in curtailing the reach of the federal wire fraud statute. The decision also has broader implications for the crypto industry, as it limits the situations in which prosecutors can sidestep the debate of whether a digital asset is a security or commodity by pursuing wire fraud in lieu of securities or commodities fraud charges.Continue Reading Second Circuit Vacates Fraud Conviction in First Crypto “Insider Trading” Case

The U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace period, the majority of the DSP is now effective and will be enforced.Continue Reading DOJ’s 90-Day Data Security Compliance Grace Period is Over: Are You Compliant?

The Federal Acquisition Regulation (FAR), the bedrock of Federal procurement, is undergoing an unprecedented (some would say Revolutionary) overhaul. The Sheppard Mullin Government Contracts Team has created an online resource to help the Federal procurement community stay informed of the proposed changes.Continue Reading Sheppard Mullin’s Government Contracts Team Launches Revolutionary FAR Overhaul Tracker

On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders from the Obama and Biden Administrations that have not been rescinded.Continue Reading Trump’s New Cybersecurity Executive Order: What Contractors Need to Know

On April 3, 2025, OMB released two new memorandums on artificial intelligence (“AI”) as directed by Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence. (As a reminder, President Trump issued Executive Order (EO) 14179 on January 23, 2025 after rescinding President Biden’s AI Executive Order (EO 14110)).Continue Reading All American AI: New OMB Memos Set Priorities for Federal AI Use and Acquisition

Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x” (we discussed the initiative here). FedRAMP 20x is moving forward fast – with new authorizations, community engagement efforts, standards documents, and the Phase One pilot program. (More information about the Phase One pilot program is available here.)Continue Reading FedRAMP 20x – Update on Significant Change Process and Assessment Scope Standards

The Trump Administration Executive Orders related to Diversity, Equity, and Inclusion (“DEI”), Executive Order 14170 (Reforming the Federal Hiring Process and Restoring Merit to Government Service) and Executive Order 14173 (Ending Illegal Discrimination and Restoring Merit-Based Opportunity) (the “EOs”), have given businesses and other organizations (including universities) much to think about regarding their DEI initiatives. This includes entities that do business with the federal government, entities that do business with state and local governments, and entities with operations outside the United States. As the landscape continues to shift, below are four issues every organization should consider as they perform their DEI reviews:Continue Reading How Far Do They Reach? Four Issues Entities Should Consider When Analyzing the Trump Administration Executive Orders Related to Diversity, Equity, and Inclusion