Cybersecurity Insights: Updates on CMMC Implementation and CUI Identification
[Podcast] Cybersecurity Maturity Model Certification (CMMC) 2.0 – What Federal Contractors Need To Know
Marti Arvin and Anthony Buenger on the CMMC Framework
On January 5, 2026, the General Services Administration (“GSA”) issued an updated version of its policy guidance document for contractors on protecting Controlled Unclassified Information (“CUI”). This document, titled IT...more
Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as...more
If you are a trade and legal compliance decision-maker, where can you go to learn, expand your export controls brain trust, and strengthen your strategy? At ACI’s Advanced Forum on Global Export Controls, you’ll connect...more
Since 2004, October has marked Cybersecurity Awareness Month and for more than 15 years Wiley’s team of cybersecurity, tech, and government contracts experts has been helping organizations manage cyber risk. On October 21, as...more
The wait is finally over, and U.S. Department of Defense (DoD) contractors need to be prepared. On September 10, 2025, DoD posted a final rule that will officially make Cybersecurity Maturity Model Certification (CMMC) a...more
On September 10, 2025, the U.S. Department of Defense (DoD) published a final rule that will shake up cybersecurity compliance for DoD contractors. The new rule formally incorporates the Cybersecurity Maturity Model...more
WHAT: The U.S. Department of Defense (DOD) this month published the second of two final rules needed to begin phasing in the long-awaited Cybersecurity Maturity Model Certification (CMMC) Program. This final rule amends the...more
The Cybersecurity Maturity Model Certification (CMMC) has been a long-anticipated framework designed to bolster cybersecurity across the defense industrial base. After extensive development and revisions, the Department of...more
Starting November 10, federal contractors that perform work with the Department of Defense will need to ensure they comply with a new cybersecurity framework. The Department of Defense (DoD) just amended the Defense Federal...more
WHAT: The U.S. Department of Defense (DOD) has published the final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements for the Cybersecurity Maturity Model...more
Key point: Beginning November 10, 2025, DoD contracting officers will begin adding Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task...more
On July 31, 2025, the United States Department of Justice (DOJ) announced a pair of settlements with companies accused of having violated the False Claims Act (FCA) by falsely representing their compliance with certain...more
With the rapid development of informatization, how to better safeguard national security in an increasingly complex information environment has become a critical consideration in digital legislation. A key issue within this...more
On January 15, 2025, the FAR Council finally released a proposed rule (the Rule)1 regulating the use and handling of controlled unclassified information (CUI) as a part of the general strategy to reduce threats of...more
Earlier this year, the FAR Council issued a proposed rule to implement the Controlled Unclassified Information (CUI) Program as it relates to federal contracts. The proposed rule is "just one element of a larger strategy to...more
On January 15, 2025, the Federal Acquisition Regulatory Council (FAR Council) proposed two significant rule changes that could reshape compliance obligations for government contractors: one establishing standardized...more
The wait is finally over! After more than 14 years of anticipation, the Federal Acquisition Regulation (“FAR”) Proposed Rule on Controlled Unclassified Information (“CUI”) was released on January 15, 2025 and comes as part of...more
WHAT: The FAR Council published a proposed rule to incorporate the Controlled Unclassified Information (CUI) Program into the acquisition process and, in doing so, seeks to more clearly define government and contractor roles...more
The Order directs the revocation of any active or current security clearances held by former intelligence officials who worked with former President Biden on his 2020 presidential campaign and several specific individuals....more
On January 15, 2025, the Federal Acquisition Regulation (“FAR”) Council issued its long-awaited “CUI Rule.” CUI, or Controlled Unclassified Information, is information that the government creates or possesses, or that an...more
On October 11, 2024, the United States Department of Defense (DOD) published a final rule implementing its Cybersecurity Maturity Model Certification (CMMC) program, which is designed to verify that defense contractors are...more
On August 22, 2024, the United States intervened in a whistleblower suit against the Georgia Institute of Technology, initially filed by current and former members of Georgia Tech’s cybersecurity team, alleging that Georgia...more
On May 14, the National Institute of Standards and Technology (NIST) released “Revision 3” to Special Publication 800-171 (Protecting Controlled Unclassified Information on Nonfederal Systems and Organizations) and 800-171A...more
On May 2, the Department of Defense (DOD) issued a class deviation to DFARS 252.204-7012 “to provide industry time for a more deliberate transition upon the forthcoming release of [National Institute of Standards and...more
The United States notified the U.S. District Court for the Northern District of Georgia that it plans to intervene in a False Claims Act case filed against Georgia Tech Research Corporation (Georgia Tech) by its Associate...more