This week, the Trump Administration reached the 100-day mark—a significant milestone in any presidential term wherein key administrative priorities and objectives are promulgated. Perhaps unsurprisingly, cybersecurity stands out as an area of heightened focus and attention.
In this Alert, we discuss major cyber developments at the Department of Justice, the Securities and Exchange Commission, the Department of Defense, the Department of Homeland Security and the Federal Communications Commission. While it is still early days, recent developments suggest that regulators will sustain enforcement efforts for existing cybersecurity standards as new compliance and security requirements come into effect.
Department of Justice
In the first 100 days, the Department of Justice (DOJ) has continued to leverage civil fraud enforcement tools, most notably the False Claims Act (FCA), to advance cybersecurity standards in critical systems.
In 2021, the Biden Administration established the Civil Cyber-Fraud Initiative to encourage the use of the FCA to enforce federal contractors’ cybersecurity obligations.[1] The new DOJ leadership has yet to express its views on that initiative, but cases filed in prior years and the ability of qui tam whistleblowers to initiate suits will fortify the FCA as a critical cyber tool.
Speaking at the Federal Bar Association’s annual Qui Tam Conference in February, Deputy Assistant Attorney General for the Commercial Litigation Branch Michael Granston said the DOJ plans to “continue to aggressively enforce the False Claims Act,” consistent with the Trump Administration’s broader goals to reduce government waste.[2] While the speech highlighted the Administration’s potential use of the FCA to address foreign trade priorities (as described at length in another WilmerHale Client Alert), relators’ attorneys will remain focused on the FCA as a critical cyber tool.
In February, the DOJ settled alleged FCA violations with Health Net Federal Services, LLC (HNFS) and its parent company for over $11 million in connection with cybersecurity violations—the largest FCA settlement for cyber-related violations since the DOJ established the Civil Cyber-Fraud Initiative.[3] The United States claimed that HNFS had falsely certified compliance with cybersecurity requirements in a contract with the Department of Defense (DoD) to administer the Defense Health Agency’s TRICARE health benefits program by, among other things, failing to scan for known vulnerabilities and remedy security flaws on its networks and systems, ignoring reports from third-party and internal security audits, and falsely attesting that it was in compliance with certain NIST security controls.[4]
In late March, defense contractor MORSECORP Inc. agreed to pay $4.6 million to settle allegations that it violated the FCA by submitting claims for payment on contracts with the Departments of the Army and Air Force despite allegedly knowing that it had not complied with those contracts’ cybersecurity requirements governing, among other things, the use of third-party cloud service providers and safety controls to prevent network exploitation.[5]
And just this week, DOJ announced that RTX Corporation, Raytheon and other entities had agreed to pay $8.4 million in connection with allegations that Raytheon violated the FCA for failure to institute mandatory cybersecurity controls on an internal system used to perform unclassified work on several DoD contracts between 2015 and 2021.[6]
It is too early to tell whether these settlements reflect the unfinished business of the prior administration or an enduring commitment to cyber-fraud enforcement in the Trump Administration. But new opportunities for expanded FCA enforcement, including both qui tam actions and government-initiated enforcement, will inevitably emerge as new cybersecurity requirements come into effect.
DOJ’s new data transfer rules go into effect this year.
As described in a WilmerHale Client Alert, companies seeking to engage in certain transfers of bulk data abroad are now subject to new regulations, including new cybersecurity standards and reporting requirements, administered and enforced by the DOJ’s National Security Division (NSD).
On January 8, 2025, the DOJ published its final Rule implementing Biden’s February 28, 2024 Executive Order Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (DOJ Rule).[7] As a result of this new DOJ Rule, US persons are for the first time restricted, and in some cases categorically prohibited, from engaging in certain covered data transactions that may result in one of six “countries of concern” or a “covered person” gaining access to broad categories of US sensitive personal data and government data.
Restricted transactions involving vendor, employment and investment agreements may be permitted in certain circumstances but are now subject to certain “security requirements” to mitigate risk. These “security requirements,” independently published in January 2025 by the US Cybersecurity and Infrastructure Security Agency (CISA) and incorporated by reference into the final DOJ Rule, include cybersecurity policies and practices, physical and logical access controls, data masking and minimization, encryption, and the use of privacy-enhancing technologies.[8]
Portions of the DOJ Rule came into effect on April 8, 2025, and the NSD issued much-anticipated guidance on the Rule’s implementation on April 11. As we described in another WilmerHale Client Alert, NSD has indicated that although it will not “prioritize civil enforcement actions” over the next 90 days for those US persons engaging “in good faith efforts to comply with or come into compliance with the Data Security Program,” it will nonetheless focus on “egregious, willful violations.”[9] At the end of this 90-day period, the NSD expects that entities should be “in full compliance,” though certain affirmative obligations, including auditing requirements for restricted transactions and reporting obligations for restricted or rejected prohibited transactions, do not come into effect until October 2025.
Securities and Exchange Commission
Meanwhile, the Securities and Exchange Commission (SEC) has announced new plans to stem cyber-related misconduct.
On February 20, 2025, the SEC announced the creation of a new Cyber and Emerging Technologies Unit (CETU) to combat “cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space.”[10] Led by longtime SEC cyber-expert Laura D’Allaird, the CETU replaces the Crypto Assets and Cyber Unit and is comprised of approximately 30 fraud specialists and attorneys across multiple SEC offices. As described in another WilmerHale Client Alert, the CETU will prioritize fraud-related actions, with a focus on regulated entities’ compliance with cybersecurity rules and regulations and fraudulent disclosures relating to cybersecurity by public entities.
The SEC’s new cyber incident disclosure Rules, which took effect in December 2023, will likely shape CETU’s efforts.[11] As detailed at length in another WilmerHale Client Alert, these Rules require covered entities to publicly disclose, inter alia, the nature, scope and timing of “material” cybersecurity incidents they experience on Form 8-Ks, generally within four business days, and to disclose material information regarding their cybersecurity risk management, strategy and governance annually through Form 10-Ks.[12] Certain industry groups have expressed concern that the rules are too prescriptive—requiring companies to disclose too much, too fast. And certain SEC commissioners agree. In an interview with the Wall Street Journal in late March, Republican SEC Commissioner Hester Peirce shared her concerns about the Rules being overly prescriptive—stating, “I would prefer not to be in the business of us being the designer of every regulated entity’s cyber program.”[13]
The Department of Defense
The DoD is advancing efforts to strengthen implementation of cybersecurity requirements across the defense industrial base.
On October 15, 2024, the DoD published a final Rule establishing the revised Cybersecurity Maturity Model Certification (CMMC) Program—often referred to as CMMC 2.0 given efforts in the first Trump Administration that did not ultimately take effect.[14]
While the CMMC Program does not impose any new cybersecurity standards itself, it is a new mechanism by which the DoD will verify that federal contractors, and their subcontractors, are implementing required security measures to safeguard two critical classes of information: federal contract information and controlled unclassified information.[15] As described at length in a prior WilmerHale Client Alert, the new CMMC Program adopts a calibrated approach to verification, requiring companies to assess (or in some cases have third parties assess) certain cybersecurity standards at progressively advanced levels depending on the type and sensitivity of the information they process, store or transmit.
In mid-January, the DoD issued an internal memorandum on how the new Rule would be implemented, including the process for waiving CMMC assessment requirements. That said, the Rule’s timeline remains uncertain. While the Rule envisions a phased implementation plan over a three-year period, it is tied to issuance of the complementary CMMC acquisition rule, 48 CFR part 204, which likely will not be finalized until mid-2025.[16]
Notably, Trump’s recent pick to perform the duties of DoD Chief Information Officer—Katie Arrington—was instrumental in developing an earlier version of the CMMC Program in the first Trump Administration, suggesting ongoing efforts will continue.[17] Indeed, when Arrington was speaking at the Armed Forces Communications & Electronics (AFCEA) conference last week, her support for the program was unmistakable.[18]
Companies should begin preparing now, as DoD contractors will be required to achieve a particular CMMC level as a condition of a contract award after the complementary acquisition rule is published in the Federal Register.[19] Moreover, failure to comply with CMMC requirements may expose clients to FCA liability, consistent with the DOJ’s zealous enforcement posture.
Separately, Arrington has outlined plans to pursue broader reforms to DoD software acquisition and approval processes. At the same AFCEA conference last week, Arrington laid out how the DoD’s new Software Fast Track (SWIFT) process will leverage artificial intelligence (AI) to replace the long-standing Authorization to Operate (ATO) process as well as the Risk Management Framework, which has been the gold standard of cybersecurity risk management in defense for the past decade. Under Arrington’s proposal, SWIFT will collect third-party data about the cybersecurity of vendors and technical information about their software through a new government application called eMASS, while leveraging AI tools on the back end to review the data and, where requirements are met, grant provisional ATOs rather than waiting for a human to review. The DoD expects to release a request for information in the coming weeks soliciting industry input on this proposed new software authorization process.[20]
Cybersecurity and Infrastructure Security Agency
CISA is working to finalize new CIRCIA reporting requirements.
CISA is working to finalize a new Rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires that entities across 16 critical infrastructure sectors report cyber incidents and ransom payments to CISA within 72 hours and 24 hours, respectively.[21] CISA published a Notice of Proposed Rulemaking (NPRM) implementing CIRCIA in the Federal Register on April 4, 2024,[22] and CISA has stated plans to finalize it in October 2025.[23] As detailed in a prior WilmerHale Client Alert, the NPRM provides a useful template for the final Rule and suggests considerable preparation will be necessary to achieve compliance.
Federal Communications Commission
The Federal Communications Commission (FCC) has also announced a new unit to enforce cybersecurity reporting obligations.
On March 13, FCC Chairman Brendan Carr separately announced the establishment of a new Council on National Security within the FCC to “leverage the full range of the Commission’s regulatory, investigatory, and enforcement authorities to promote America’s national security and counter foreign adversaries,” with an emphasis on efforts to mitigate America’s vulnerabilities to cyberattacks.[24] Carr named Adam Chan as the first Director of the new council, which will be comprised of representatives from eight bureaus and offices within the FCC. In a statement, Carr said that the council will have a three-part goal to:
- reduce the American technology and telecommunications sectors’ trade and supply chain dependencies on foreign adversaries;
- mitigate America’s vulnerabilities to cyberattacks, espionage and surveillance by foreign adversaries; and
- ensure the United States wins the strategic competition with China over critical technologies, such as 5G and 6G, AI, satellites and space, quantum computing, robotics and autonomous systems, and the Internet of Things.[25]
That the FCC is taking a hard line on cybersecurity is hardly surprising in the wake of the Salt Typhoon attacks last year, when People’s Republic of China (PRC)-affiliated threat actors compromised the infrastructure of at least eight telecommunications companies.[26] That said, it remains to be seen what new standards the FCC will impose as part of this enforcement surge. Carr has been publicly critical of the FCC’s recent cybersecurity actions, specifically its Declaratory Ruling on January 16, 2025, that interpreted Section 105 of the Communications Assistance for Law Enforcement Act to include an affirmative obligation for telecommunications carriers to secure their entire networks, as opposed to just their “switching premises,” from any unlawful access or interception of communications. Carr has also questioned the advisability of the FCC’s January 16 NPRM that proposes additional cybersecurity requirements for certain covered providers, including an annual certification of their cybersecurity and supply chain risk management plans.[27]
Key Personnel
President Trump has also nominated individuals to several additional key cyber posts across the government, including Sean Cairncross to lead the Office of the National Cyber Director, Sean Plankey to lead CISA, Ethan Klein to serve as the Associate Director of the Office of Science and Technology Policy and the US Chief Technology Officer, and Katherine Sutton to serve as the Assistant Secretary of Defense for cyber policy.
* * *
We will continue to follow legal and policy developments in cybersecurity closely and update you on these developments.
Footnotes