Cybersecurity Insights: Updates on CMMC Implementation and CUI Identification
[Podcast] Cybersecurity Maturity Model Certification (CMMC) 2.0 – What Federal Contractors Need To Know
Marti Arvin and Anthony Buenger on the CMMC Framework
Civilian-agency contractors will now be required to evaluate the security of information technology systems that process, store or transmit Controlled Unclassified Information (CUI) as the Government Services Administration...
In a recent update to internal procedural guidance, the General Services Administration (GSA) has established a new framework of security requirements and privacy controls for contractor information systems that process,...
On January 5, 2026, the General Services Administration (“GSA”) issued an updated version of its policy guidance document for contractors on protecting Controlled Unclassified Information (“CUI”). This document, titled IT...
Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as...
Last month the General Services Administration’s (“GSA”) Office of the Chief Information Security Officer (“OCISO”) issued CIO-IT Security-21-112 Rev. 1, a procedural guide governing how Controlled Unclassified Information...
Defense contractors subject to Cybersecurity Maturity Model Certification (CMMC) compliance under government contracts will be subject to False Claims Act (FCA) liability risks going forward. The CMMC program went live on...
November 2025 has been a busy month for cybersecurity rules affecting government contractors. The long-awaited Cybersecurity Maturity Model Certification (CMMC) Program went into effect on November 10. We are now seeing the...
On Nov. 10, 2025, the long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program became effective. This rule,...
Our Privacy, Cyber & Data Strategy Team breaks down the Department of Defense’s finalized Cybersecurity Maturity Model Certification (CMMC) rule, which establishes a tiered compliance framework that will soon be mandatory for...
After half a decade of development and review, the U.S. Department of Defense (DoD) will implement contracting regulations, effective November 10, 2025, making the Cybersecurity Maturity Model Certification (CMMC) Program a...
The U.S. Department of Justice (“DOJ”) has kept busy in pursuing cybersecurity-related fraud in government contracts resulting in seven settlements. These settlements illustrate the continuing need for contractors to...
Notwithstanding Executive Orders to reduce federal rules affecting industry in effect today, the Department of Defense (DOD) recently enacted new regulations by finalizing the Cybersecurity Maturity Model Certification (CMMC)...
On September 10, the U.S. Department of Defense (DOD) posted its final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program for defense acquisitions. This new rule (acquisition rule) updates the...
The wait is finally over, and U.S. Department of Defense (DoD) contractors need to be prepared. On September 10, 2025, DoD posted a final rule that will officially make Cybersecurity Maturity Model Certification (CMMC) a...
On September 10, 2025, the U.S. Department of Defense (DoD) published a final rule that will shake up cybersecurity compliance for DoD contractors. The new rule formally incorporates the Cybersecurity Maturity Model...
The U.S. Department of Defense (DOD) issued a final rule this month that fundamentally changes eligibility for DOD procurement by tying contract awards directly to cybersecurity readiness....
WHAT: The U.S. Department of Defense (DOD) this month published the second of two final rules needed to begin phasing in the long-awaited Cybersecurity Maturity Model Certification (CMMC) Program. This final rule amends the...
The Department of Defense (DoD) recently finalized a new rule, to be codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision), which will...
The wait is over. Five years after the Department of Defense (DoD) first introduced the Cybersecurity Maturity Model Certification (CMMC) program, the companion Final Rule was published in the Federal Register on Sept. 10....
The Department of Defense (DoD) has issued its highly anticipated final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements for the Cybersecurity Maturity Model...
Starting November 10, federal contractors that perform work with the Department of Defense will need to ensure they comply with a new cybersecurity framework. The Department of Defense (DoD) just amended the Defense Federal...
The inexorable expansion of the False Claims Act (“FCA”) to cover virtually all types of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls –...
This past month, the Department of Defense sent the final rule for the new Cybersecurity Maturity Model Certification (CMMC) program under the Federal Acquisition Regulation to the Office of Information and Regulatory Affairs...
In our August 1 post, we discussed how companies that acquire government contractors can inherit the False Claims Act (“FCA”) exposure based on their targets’ cybersecurity violations. Now, the Department of Justice (“DOJ”)...
The U.S. Department of Defense (DoD) recently issued a memorandum signaling that defense contractors soon will be required to comply with new cybersecurity compliance requirements. The memorandum establishes...