Cybersecurity | Government Contracts & Investigations Blog
Latest Updates on Developments Affecting Government Contracts & Investigations
- FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings by Townsend Bourne and Daniel Alvarado on April 2, 2025 at 9:09 pm
On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the…
- FedRAMP Releases New Draft Authorization Boundary Guidance by Townsend Bourne and Daniel Alvarado on January 29, 2025 at 7:23 pm
Over the last few years, the Federal Risk and Authorization Management Program (“FedRAMP”) Program Management Office (“PMO”) has released two draft guidance documents related to defining the applicable boundary for security assessments of cloud service offerings, but final versions were never released. On January 16, 2025, FedRAMP released another draft authorization boundary guidance document (RFC-0004)…
- Data, Deals, and Diplomacy, Part III: DOJ Issues National Security Final Rule with New Data Compliance Obligations for Transactions Involving Countries of Concern by Townsend Bourne, Jonathan E. Meyer and Jordan Mallory on January 29, 2025 at 7:20 pm
On January 8, 2025, the Department of Justice (“DOJ”) published its final rule addressing Executive Order (E.O.) 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” With the final rule, the DOJ National Security Division’s Foreign Investment Review Section (“FIRS”) defines prohibited and restricted data transactions,…
- Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident by Jonathan E. Meyer, Townsend Bourne and Nikole Snyder on January 29, 2025 at 7:14 pm
In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government…
- At Long Last – The FAR CUI Rule is Here! by Townsend Bourne, Lillia Damalouji and Sidney Howe* on January 29, 2025 at 7:09 pm
The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of the Government’s broader efforts to identify, detect, and respond to ever-evolving threats targeting Federal contractors. History and Development of the…
- Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert by Townsend Bourne, Nikole Snyder, Daniel Alvarado, Lillia Damalouji, Jordan Mallory, Patrick Amano-Dolan* and Sidney Howe* on January 7, 2025 at 8:28 pm
To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a…
- DoD Issues Proposed Rule for New Disclosures on Foreign Review of Computer Code by Townsend Bourne and Sidney Howe* on December 13, 2024 at 5:00 pm
On November 15, 2024, the Department of Defense (“DoD”) issued a long-awaited Proposed Rule to implement Section 1655 of the National Defense Authorization Act for Fiscal Year 2019. Section 1655 prohibits DoD from acquiring technology, cybersecurity, industry control, or weapon system products or services unless the contractor provides certain disclosures. Specifically, per newly proposed Defense…
- Update – Penn State to Pay Up for Cyber-Related FCA Case by Townsend Bourne, Nikole Snyder and Sidney Howe* on October 30, 2024 at 6:39 pm
On October 22, 2024, the Department of Justice (“DOJ”) announced that Pennsylvania State University (“Penn State”) has agreed to pay $1,250,000 to settle a False Claims Act (“FCA”) case brought against the University approximately two years ago. The whistleblower in the case, former chief information officer of the Penn State Applied Research Laboratory, alleged that…
- Countdown to Compliance: DoD Finalizes the CMMC Program Rule by Townsend Bourne, Lillia Damalouji and Sidney Howe* on October 15, 2024 at 5:43 pm
On October 15, 2024, the Department of Defense (“DoD”) published the final version of its Cybersecurity Maturity Model Certification (“CMMC”) rule in Title 32 of the Code of Federal Regulations (the “Final Rule”). (Reminder, there are two CMMC rulemakings going on in parallel. This Final Rule updates DoD national security regulations while the other rulemaking…
- DOJ Sues Georgia Tech Entities for Cybersecurity Failures in the Latest Civil Cyber Fraud Initiative (CCFI) Activity by Townsend Bourne and Nikole Snyder on August 26, 2024 at 7:49 pm
On August 22, 2024, the United States Department of Justice (“DOJ”) filed a Complaint-In-Intervention (the “Complaint”) against the Georgia Institute of Technology (“Georgia Tech”) and Georgia Tech Research Corp. (“GTRC”). The 99-page DOJ Complaint alleges the defendants knowingly failed to meet contractual cybersecurity requirements in connection with various Department of Defense (“DoD”) contracts. The suit…