Photo of Jonathan E. Meyer

Jonathan Meyer is a partner in the Governmental Practice Group and leads the firm’s National Security team. From 2021 to 2024, he served as General Counsel of the U.S. Department of Homeland Security.

On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders from the Obama and Biden Administrations that have not been rescinded.Continue Reading Trump’s New Cybersecurity Executive Order: What Contractors Need to Know

On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.Continue Reading Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern

In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).Continue Reading Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident

Cell phone and laptop searches do happen but they are relatively rare. Although the Fourth Amendment right to be free of unreasonable searches and seizures is drastically reduced at a port of entry, as are expectations of privacy, U.S. Customs & Border Protection (“CBP”) has internal protocols requiring Officers to have some basis for the search. Below, we dive into the CBP protocols and what to expect if you are selected for a search. Continue Reading Will CBP Search Your Laptop and Cell Phone at the Port of Entry?

Legislation directing the National Institute of Standards and technology (“NIST”) to create standards and guidelines for securing Internet of Things (“IoT”) devices used by Federal agencies and their contractors recently passed the Senate and is heading to the President’s desk. We have been following this legislation closely for the past two years, here and here.  The bill passed in the Senate without amendment by unanimous consent.
Continue Reading IoT Legislation Passes Congress

After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.
Continue Reading NIST Issues Long-Awaited Final Guidance on Security and Privacy Controls – SP 800-53

Congress recently advanced legislation that directs the National Institute of Standards and Technology (NIST) to create standards and guidelines for securing Internet of Things (“IoT”) devices used by Federal agencies and their contractors. We previously reported on this legislation in April of 2019 when it was introduced in the House (H.R. 1668) and the Senate (S. 734). On September 14, 2020, the House of Representatives passed the legislation on a voice vote.
Continue Reading IoT Legislation Advances in Congress

NIST’s news draft guidance, Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides important information on selecting both security and privacy control baselines for the Federal Government. These control baselines are from NIST Special Publication 800-53 and have been moved to this separate publication “so the SP 800-53 [can] serve as a consolidated catalog of security and privacy controls regardless of how those controls [are] used by different communities of interest.”   The new guidance addresses federal information systems and is applicable to information systems used or operated by an agency, a contractor on behalf of an agency, or another organization on behalf of an agency.
Continue Reading NIST Issues Draft Guidance on Security and Privacy Control Baselines – SP 800-53B

NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.
Continue Reading NIST Proposes Draft Enhanced Security Requirements for Protecting CUI