Photo of Townsend Bourne

Townsend Bourne is a partner in the Governmental Practice in the firm's Washington, D.C. office. She also is Leader of the firm’s Government Business Group.

The U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace period, the majority of the DSP is now effective and will be enforced.Continue Reading DOJ’s 90-Day Data Security Compliance Grace Period is Over: Are You Compliant?

The Federal Acquisition Regulation (FAR), the bedrock of Federal procurement, is undergoing an unprecedented (some would say Revolutionary) overhaul. The Sheppard Mullin Government Contracts Team has created an online resource to help the Federal procurement community stay informed of the proposed changes.Continue Reading Sheppard Mullin’s Government Contracts Team Launches Revolutionary FAR Overhaul Tracker

On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders from the Obama and Biden Administrations that have not been rescinded.Continue Reading Trump’s New Cybersecurity Executive Order: What Contractors Need to Know

On April 3, 2025, OMB released two new memorandums on artificial intelligence (“AI”) as directed by Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence. (As a reminder, President Trump issued Executive Order (EO) 14179 on January 23, 2025 after rescinding President Biden’s AI Executive Order (EO 14110)).Continue Reading All American AI: New OMB Memos Set Priorities for Federal AI Use and Acquisition

Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x” (we discussed the initiative here). FedRAMP 20x is moving forward fast – with new authorizations, community engagement efforts, standards documents, and the Phase One pilot program. (More information about the Phase One pilot program is available here.)Continue Reading FedRAMP 20x – Update on Significant Change Process and Assessment Scope Standards

On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.Continue Reading FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings

Over the last few years, the Federal Risk and Authorization Management Program (“FedRAMP”) Program Management Office (“PMO”) has released two draft guidance documents related to defining the applicable boundary for security assessments of cloud service offerings, but final versions were never released. On January 16, 2025, FedRAMP released another draft authorization boundary guidance document (RFC-0004). FedRAMP’s authorization boundary guidance is “the most frequently requested policy update” as it forms the foundation for determining the scope of review for assessment and authorization. The new draft currently is open for public comment through February 17, 2025.Continue Reading FedRAMP Releases New Draft Authorization Boundary Guidance

On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions, and outlines trusted data flows for companies with overseas operations involving countries of concern, including IT infrastructure. The general effect of the rule is to close “front door” access to bulk sensitive personal data on U.S. persons and certain U.S.-government-related data. Until now—or rather, April 8, 2025, when the majority of the rule becomes effective—nefarious actors could procure sensitive data through legitimate business transactions.Continue Reading Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern

In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).Continue Reading Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident

The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors.Continue Reading At Long Last – The FAR CUI Rule is Here! 

To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a 2025 Forecast (previewing what we expect to see in 2025). This Recap & Forecast covers the following six high-interest topic areas relating to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert