Cybersecurity in the First 100 Days

The Department of Defense

The DoD is advancing efforts to strengthen implementation of cybersecurity requirements across the defense industrial base.

On October 15, 2024, the DoD published a final Rule establishing the revised Cybersecurity Maturity Model Certification (CMMC) Program—often referred to as CMMC 2.0 given efforts in the first Trump Administration that did not ultimately take effect.¹⁴

While the CMMC Program does not impose any new cybersecurity standards itself, it is a new mechanism by which the DoD will verify that federal contractors, and their subcontractors, are implementing required security measures to safeguard two critical classes of information: federal contract information and controlled unclassified information.¹⁵ As described at length in a prior WilmerHale Client Alert, the new CMMC Program adopts a calibrated approach to verification, requiring companies to assess (or in some cases have third parties assess) certain cybersecurity standards at progressively advanced levels depending on the type and sensitivity of the information they process, store or transmit.

In mid-January, the DoD issued an internal memorandum for how the new Rule would be implemented, including the process for waiving CMMC assessment requirements. That said, the Rule’s timeline remains uncertain. While the Rule envisions a phased implementation plan over a three-year period, it is tied to issuance of the complementary CMMC acquisition rule, 48 CFR part 204, which likely will not be finalized until mid-2025.¹⁶

Notably, Trump’s recent pick to perform the duties of DoD Chief Information Officer—Katie Arrington—was instrumental in developing an earlier version of the CMMC Program in the first Trump Administration, suggesting ongoing efforts will continue.¹⁷ Indeed, when Arrington was speaking at the Armed Forces Communications & Electronics (AFCEA) conference last week, her support for the program was unmistakable.¹⁸

Cybersecurity and Infrastructure Security Agency

CISA is working to finalize new CIRCIA reporting requirements.

CISA is working to finalize a new Rule implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires that entities across 16 critical infrastructure sectors report cyber incidents and ransom payments to CISA within 72 hours and 24 hours, respectively.²¹ CISA published a Notice of Proposed Rulemaking implementing CIRCIA in the Federal Register on April 4, 2024,²² and CISA has stated plans to finalize it in October 2025.²³ As detailed in a prior WilmerHale Client Alert, the NPRM provides a useful template for the final Rule and suggests considerable preparation will be necessary to achieve compliance.

Federal Communications Commission

The Federal Communications Commission (FCC) has also announced a new unit to enforce cybersecurity reporting obligations.

On March 13, FCC Chairman Brendan Carr separately announced the establishment of a new Council on National Security within the FCC to “leverage the full range of the Commission’s regulatory, investigatory, and enforcement authorities to promote America’s national security and counter foreign adversaries,” with an emphasis on efforts to mitigate America’s vulnerabilities to cyberattacks.²⁴ Carr named Adam Chan as the first Director of the new council, which will be comprised of representatives from eight bureaus and offices within the FCC. In a statement, Carr said that the council will have a three-part goal to:

1. reduce the American technology and telecommunications sectors’ trade and supply chain dependencies on foreign adversaries;
2. mitigate America’s vulnerabilities to cyberattacks, espionage and surveillance by foreign adversaries; and
3. ensure the United States wins the strategic competition with China over critical technologies, such as 5G and 6G, AI, satellites and space, quantum computing, robotics and autonomous systems, and the Internet of Things.²⁵

That the FCC is taking a hard line on cybersecurity is hardly surprising in the wake of the Salt Typhoon attacks last year, when the People’s Republic of China (PRC)-affiliated threat actors compromised the infrastructure of at least eight telecommunications companies.²⁶ That said, it remains to be seen what new standards the FCC will impose as part of this enforcement surge. Carr has been publicly critical of the FCC’s recent cybersecurity actions, specifically its Declaratory Ruling on January 16, 2025, that interpreted Section 105 of the Communications Assistance for Law Enforcement Act to include an affirmative obligation for telecommunications carriers to secure their entire networks, as opposed to just their “switching premises,” from any unlawful access or interception of communications. Carr has also questioned the advisability of the FCC’s January 16 NPRM that proposes additional cybersecurity requirements for certain covered providers, including an annual certification of their cybersecurity and supply chain risk management plans.²⁷

Key Personnel

President Trump has also nominated individuals to several additional key cyber posts across the government, including Sean Cairncross to lead the Office of the National Cyber Director, Sean Plankey to lead CISA, Ethan Klein to serve as the Associate Director of the Office of Science and Technology Policy and the US Chief Technology Officer, and Katherine Sutton to serve as the Assistant Secretary of Defense for cyber policy.

* * *

We will continue to follow legal and policy developments in cybersecurity closely and update you on these developments.

Footnotes

1. Press Release, US Dep’t of Just., “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative” (Oct. 6, 2021), https://www.justice.gov/opa/pr/health-net-federal-services-llc-and-centene-corporation-agree-pay-over-11-million-resolve.

2. Deputy Assistant Attorney General Michael Granston made these prepared remarks during his speech at the Federal Bar Association’s Annual Qui Tam Conference, held February 20–21, 2025, in Washington DC.

3. Settlement Agreement between US Dep’t of Just., US Dep’t of Def., Health Net Fed. Servs. and Centene Corp. (Feb. 5, 2025), https://www.justice.gov/opa/pr/health-net-federal-services-llc-and-centene-corporation-agree-pay-over-11-million-resolve.

4. Id.

5. Settlement Agreement between US Dep’t of Just., US Dep’t of Def. and MORSECORP (March 25, 2025), https://www.justice.gov/d9/2025-03/usa_v._morse_-_settlement_agreement.pdf.

6. Settlement Agreement between US Dep’t of Just., US Dep’t of Def. and Raytheon, RTX, and Nightwing (announced May 1), https://www.justice.gov/d9/2025-03/usa_v._morse_-_settlement_agreement.pdf.

7. Executive Order No. 14117 of February 28, 2024, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, 89 FR 15421 (March 1, 2024).

8. US Cybersecurity and Infrastructure Sec. Agency, Security Requirements for Restricted Transactions (Jan. 2025).

9. Press Release, US Dep’t of Just., “Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries” (April 11, 2025), https://www.justice.gov/opa/pr/justice-department-implements-critical-national-security-program-protect-americans-sensitive.

10. Press Release, Sec. and Exch. Comm’n, “SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors” (Feb. 20, 2025), https://www.sec.gov/newsroom/press-releases/2025-42.

11. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 17 C.F.R. pts. 229, 232, 239, 240, 249 (2023).

12. Id.

13. SEC’s Hester Peirce Discusses New Approach to Crypto and Cyber Rule Making, Wall Street Journal (March 25, 2025), accessed at https://www.wsj.com/articles/secs-hester-peirce-discusses-new-approach-to-crypto-and-cyber-rule-making-a6b08432.

14. Cybersecurity Maturity Model Certification (CMMC) Program, 89 Fed. Reg. 83092 (Oct. 15, 2024) (to be codified at 32 C.F.R. pt. 170); see also Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements, 85 FR 48513 (Sept. 9, 2020).

15. FAR 4.1901 (2025); 32 C.F.R. § 2002.4(h) (2025).

16. Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), 89 Fed. Reg. 66327 (Aug. 15, 2024).

17. Katharine Arrington Biography, US Dep’t of Def., https://dodcio.defense.gov/About-DoD-CIO/bios/arrington.aspx (last visited March 17, 2025).

18. Id.

19. US Dep’t of Def., About CMMC (2024), https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-FAQs.pdf (within 60 days).

20. Acting Pentagon CIO Signing Off on New, Faster Cyber Rules for Contractors, https://www.airandspaceforces.com/acting-pentagon-cio-faster-cyber-rules-contractors/ (last visited April 30, 2025).

21. 6 U.S.C. § 681b(a)(1)-(3).

22. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, 89 Fed. Reg. 23644 (April 4, 2024) (to be codified at 6 C.F.R. pt. 226).

23. Id.

24. Press Release, Fed. Commc’ns Comm’n, “Chairman Carr Establishes New Council on National Security Within Agency” (March 13, 2025), https://www.fcc.gov/document/chairman-carr-establishes-new-council-national-security.

25. Id.

26. Fed. Commc’ns Comm’n, Fact Sheet: Implications of Salt Typhoon Attack and FCC Response (Dec. 5, 2024).

27. Declaratory Ruling and Notice of Proposed Rulemaking, In re Protecting the Nation’s Commc’ns Sys. from Cybersecurity Threats, FCC No. 22-239 (Jan. 16, 2025); Brendan Carr (@BrendanCarrFCC), X.com (Jan. 15, 2025, 6:39 PM), https://x.com/BrendanCarrFCC/status/1879674875973165368/photo/2.