Cybersecurity

Subscribe to Cybersecurity via RSS

The wait is over – on September 18, 2025, almost 2 years after implementing the Interim Rule, the Office of the Director of National Intelligence (“ODNI”) issued a Federal Acquisition Supply Chain Security Act (“FASCSA”) order to remove and exclude products and services from Acronis AG, a Swiss cybersecurity and data protection company. Although the FASCSA FAR clauses were implemented in December 2023, this is the first FASCSA order issued by a federal agency. Below is a brief refresher on FASCSA and a reminder on the affirmative steps contractors must take in light of the FASCSA order.Continue Reading Order Up – The First FASCSA Order Has Been Issued by ODNI

On September 10, 2025, the final rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published with an effective date of November 10, 2025 (i.e., 60 days after publication). This is the trigger for the new CMMC clause to start appearing in solicitations and contracts.Continue Reading Don’t Fall Behind: The CMMC Final Rule to Update the DFARS is Here!

The inexorable expansion of the False Claims Act (“FCA”) to cover virtually all types of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls – continues. At one time, an organization might have thought that it was unlikely to face a potential FCA investigation and litigation relating to its cybersecurity practices. That day is long past. Two recent FCA settlements illustrate the expansion: one is the first cybersecurity FCA settlement relating to healthcare Quality System Regulations (“QSR”) and the other involves the first settlement with a defense contractor that also pulls in its private equity owner.Continue Reading The Expanding Scope of FCA-Cybersecurity Liability

The U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace period, the majority of the DSP is now effective and will be enforced.Continue Reading DOJ’s 90-Day Data Security Compliance Grace Period is Over: Are You Compliant?

On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders from the Obama and Biden Administrations that have not been rescinded.Continue Reading Trump’s New Cybersecurity Executive Order: What Contractors Need to Know

On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.Continue Reading FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings

Over the last few years, the Federal Risk and Authorization Management Program (“FedRAMP”) Program Management Office (“PMO”) has released two draft guidance documents related to defining the applicable boundary for security assessments of cloud service offerings, but final versions were never released. On January 16, 2025, FedRAMP released another draft authorization boundary guidance document (RFC-0004). FedRAMP’s authorization boundary guidance is “the most frequently requested policy update” as it forms the foundation for determining the scope of review for assessment and authorization. The new draft currently is open for public comment through February 17, 2025.Continue Reading FedRAMP Releases New Draft Authorization Boundary Guidance

On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.Continue Reading Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern

In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).Continue Reading Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident

The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors.Continue Reading At Long Last – The FAR CUI Rule is Here! 

To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a 2025 Forecast (previewing what we expect to see in 2025). This Recap & Forecast covers the following six high-interest topic areas relating to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert