In a recent update to internal procedural guidance, the General Services Administration (GSA) has established a new framework of security requirements and privacy controls for contractor information systems that process,...
On January 5, 2026, the General Services Administration (“GSA”) issued an updated version of its policy guidance document for contractors on protecting Controlled Unclassified Information (“CUI”). This document, titled IT...
Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as...
As we welcome 2026, it is a good time for government contractors to reflect on their cybersecurity posture and the major shifts in federal data protection policy from 2025. Last year was more than just a year of evolution in...
Last month the General Services Administration’s (“GSA”) Office of the Chief Information Security Officer (“OCISO”) issued CIO-IT Security-21-112 Rev. 1, a procedural guide governing how Controlled Unclassified Information...
WHAT: The FedRAMP Program Management Office (PMO) has released a “final set” of proposed changes to the FedRAMP process for authorizing and assessing the security of cloud services for federal consumption. The final proposed...
In 2025, Department of Justice (DOJ)’s Civil Cyber-Fraud Initiative drove major False Claims Act (FCA) settlements involving defense contractors, research institutions, and health care companies—highlighting the need for...
On December 10, 2025, the U.S. Department of Justice (DOJ) announced that Danielle Hillmer, a former senior manager at a government contractor, was indicted for falsely claiming that her employer had implemented required...
The U.S. Department of Justice continues an increasingly aggressive approach to enforcing cybersecurity requirements applicable to federal contractors and subcontractors, as we previously highlighted in a November client...
A recent indictment underscores the U.S. Department of Justice (“DOJ”)’s focus on cybersecurity compliance in federal contracting and DOJ’s willingness to escalate enforcement beyond the civil False Claims Act (see Foley’s...
The U.S. Department of Defense (DOD) obligates about half a trillion dollars a year to private contractors for everything from high-end weapons and data systems to basic goods and services like fuel, shipping, food, and...
President Trump issued a cybersecurity Executive Order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity” (Trump EO), along with a corresponding Fact Sheet on June 6, 2025. The Trump EO clears some of the...
Last week, the Trump administration made its priorities clear for the nation’s cybersecurity posture in the form of the newly issued executive order entitled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity...
On June 6, 2025, President Donald J. Trump signed a new executive order on “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (“Trump Cyber EO”),...
Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x”. FedRAMP 20x is moving forward fast – with new authorizations, community...
Despite a change in administrations, the government’s vigilance and enforcement of cybersecurity requirements have not missed a beat. On March 14, 2025, MORSECORP, Inc. of Cambridge, MA resolved allegations that it had...
Major changes are coming again to the Federal Risk and Authorization Management Program ("FedRAMP"), the federal government's cybersecurity authorization program for cloud service providers ("CSPs")....
The Department of Justice (DOJ) recently reached a $4.6 million civil False Claims Act (FCA) settlement with MORSECORP, Inc. (MORSE) arising out of allegations that the company failed to comply with Department of Defense...
In a striking move at the end of March, the U.S. Department of Justice (“DOJ”) announced a $4.6 million settlement with MORSE Corp Inc. (“MORSE”), a defense contractor based in Cambridge, Massachusetts, for falsely certifying...
While some areas of white-collar enforcement have been deprioritized by the Trump Administration, the Department of Justice (DOJ) remains committed to its Civil Cyber-Fraud Initiative as demonstrated by two recent False...
Last week, President Trump signed over 10 executive orders related to efforts to strengthen America’s defense industry, bolster coal production and electric grid management, and roll back other regulations it views as...
FedRAMP 20x aims to increase efficiency through automation and removal of hurdles to FedRAMP authorization....
The U.S. General Services Administration (GSA) recently announced plans to develop the Federal Risk and Authorization Management Program (FedRAMP) 20x – a new approach to the government-wide program for the security...
On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate...
On Monday, March 24, 2025, the General Services Administration (GSA) launched FedRAMP 20x, as an effort to automate parts of the program and create collaboration with the industry to improve authorization process for cloud...