
Townsend Bourne is a partner in the Governmental Practice in the firm's Washington, D.C. office. She also is Leader of the firm’s Government Business Group.

On September 10, 2025, the final rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published with an effective date of November 10, 2025 (i.e., 60 days after publication). This is the trigger for the new CMMC clause to start appearing in solicitations and contracts.
Continue Reading: Don’t Fall Behind: The CMMC Final Rule to Update the DFARS is Here!

The inexorable expansion of the False Claims Act (“FCA”) to cover virtually all types of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls – continues. At one time, an organization might have thought that it was unlikely to face a potential FCA investigation and litigation relating to its cybersecurity practices. That day is long past. Two recent FCA settlements illustrate the expansion: one is the first cybersecurity FCA settlement relating to healthcare Quality System Regulations (“QSR”) and the other involves the first settlement with a defense contractor that also pulls in its private equity owner.
Continue Reading: The Expanding Scope of FCA-Cybersecurity Liability

The U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace period, the majority of the DSP is now effective and will be enforced.
Continue Reading: DOJ’s 90-Day Data Security Compliance Grace Period is Over: Are You Compliant?

The Federal Acquisition Regulation (FAR), the bedrock of Federal procurement, is undergoing an unprecedented (some would say Revolutionary) overhaul. The Sheppard Mullin Government Contracts Team has created an online resource to help the Federal procurement community stay informed of the proposed changes.
Continue Reading: Sheppard Mullin’s Government Contracts Team Launches Revolutionary FAR Overhaul Tracker

On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders from the Obama and Biden Administrations that have not been rescinded.
Continue Reading: Trump’s New Cybersecurity Executive Order: What Contractors Need to Know

On April 3, 2025, OMB released two new memorandums on artificial intelligence (“AI”) as directed by Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence. (As a reminder, President Trump issued Executive Order (EO) 14179 on January 23, 2025, after rescinding President Biden’s AI Executive Order (EO 14110).)
Continue Reading: All American AI: New OMB Memos Set Priorities for Federal AI Use and Acquisition

Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x” (we discussed the initiative here). FedRAMP 20x is moving forward fast – with new authorizations, community engagement efforts, standards documents, and the Phase One pilot program. (More information about the Phase One pilot program is available here.)
Continue Reading: FedRAMP 20x – Update on Significant Change Process and Assessment Scope Standards

On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.
Continue Reading: FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings

Over the last few years, the Federal Risk and Authorization Management Program (“FedRAMP”) Program Management Office (“PMO”) has released two draft guidance documents related to defining the applicable boundary for security assessments of cloud service offerings, but final versions were never released. On January 16, 2025, FedRAMP released another draft authorization boundary guidance document (RFC-0004). FedRAMP’s authorization boundary guidance is “the most frequently requested policy update” as it forms the foundation for determining the scope of review for assessment and authorization. The new draft currently is open for public comment through February 17, 2025.
Continue Reading: FedRAMP Releases New Draft Authorization Boundary Guidance

On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.
Continue Reading: Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern

In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
Continue Reading: Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident