Cybersecurity Government Contracts and Investigations.
Cybersecurity | Government Contracts & Investigations Blog Latest Updates on Developments Affecting Government Contracts & Investigations
- Order Up – The First FASCSA Order Has Been Issued by ODNI, by Ryan Roberts, Daniel Alvarado and Lillia Damalouji on September 24, 2025 at 4:06 pm
The wait is over – on September 18, 2025, almost 2 years after implementing the Interim Rule, the Office of the Director of National Intelligence (“ODNI”) issued a Federal Acquisition Supply Chain Security Act (“FASCSA”) order to remove and exclude products and services from Acronis AG, a Swiss cybersecurity and data protection company. Although the…
- Don’t Fall Behind: The CMMC Final Rule to Update the DFARS is Here! by Townsend Bourne and Sidney Howe* on September 15, 2025 at 9:07 pm
On September 10, 2025, the final rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published with an effective date of November 10, 2025 (i.e., 60 days after publication). This is the trigger for the new CMMC clause to start appearing in solicitations and contracts….
- The Expanding Scope of FCA-Cybersecurity Liability, by Townsend Bourne, David T. Fischer, Calla Simeone and Sidney Howe* on September 5, 2025 at 5:04 pm
The inexorable expansion of the False Claims Act (“FCA”) to cover virtually all types of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls – continues. At one time, an organization might have thought that it was unlikely to face a potential FCA investigation and litigation…
- DOJ’s 90-Day Data Security Compliance Grace Period is Over: Are You Compliant? by Townsend Bourne and Sidney Howe* on July 15, 2025 at 6:28 pm
The U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace…
- Trump’s New Cybersecurity Executive Order: What Contractors Need to Know, by Townsend Bourne and Jonathan E. Meyer on June 10, 2025 at 4:21 pm
On June 6, 2025, the Trump Administration released a new Executive Order (“EO”) on cybersecurity, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.[1] The Executive Order itself will not impose new obligations on agencies; instead, it strikes, amends, and updates certain provisions in prior Executive Orders…
- FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings, by Townsend Bourne and Daniel Alvarado on April 2, 2025 at 9:09 pm
On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the…
- FedRAMP Releases New Draft Authorization Boundary Guidance, by Townsend Bourne and Daniel Alvarado on January 29, 2025 at 7:23 pm
Over the last few years, the Federal Risk and Authorization Management Program (“FedRAMP”) Program Management Office (“PMO”) has released two draft guidance documents related to defining the applicable boundary for security assessments of cloud service offerings, but final versions were never released. On January 16, 2025, FedRAMP released another draft authorization boundary guidance document (RFC-0004)….
- Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern, by Townsend Bourne, Jonathan E. Meyer and Jordan Mallory on January 29, 2025 at 7:20 pm
On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions,…
- Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident, by Jonathan E. Meyer, Townsend Bourne and Nikole Snyder on January 29, 2025 at 7:14 pm
In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government…
- At Long Last – The FAR CUI Rule is Here! by Townsend Bourne, Lillia Damalouji and Sidney Howe* on January 29, 2025 at 7:09 pm
The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors. History and Development of the…







