The Department of Defense published the final version of its Cybersecurity Maturity Model Certification (CMMC) rule last week. This rule establishes the parameters of the program and timeline for implementation. A separate rule to finalize associated contract requirements is expected early to mid-next year. For a deep-dive into noteworthy takeaways for the Final Rule, see our analysis here. Here are some highlights:Continue Reading Countdown to Compliance: The Department of Defense Finalizes Its Cybersecurity Program Rule

In its first major overhaul since 2014, the National Institute of Standards and Technology (NIST) updated its Cybersecurity Framework (CSF) on February 26, 2024. The updated 27-page CSF version 2.0 builds on version 1.1 and provides guidance to industry, government agencies, and other organizations on how to manage cybersecurity risks. While voluntary, the CSF has been a popular compliance resource within the private sector, both domestically and internationally, and has increasingly appeared in state and federal regulations as well as federal grants and grant incentive programs. The revised guidance, therefore, potentially has significant implications for organizations managing cybersecurity risks.Continue Reading NIST Expands Cybersecurity Framework with Release of Version 2.0

In response to a constantly-evolving cyber threat landscape, the Biden Administration recently announced the launch of a new cybersecurity labeling program – the U.S. Cyber Trust Mark program – in an effort to enhance transparency and protection against cyber threats in the growing Internet of Things (“IoT”) device space.Continue Reading Cybersecurity Labeling Program to Increase Transparency of IoT Device Security

The National Institute of Standards and Technology is updating the security standards that govern the protection of sensitive government information. NIST recently released an initial public draft for comment. The document will be the third version of its existing standard (NIST SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The comment period closes July 14, 2023.Continue Reading NIST Seeks Input on Standards for Protecting Sensitive Government Information

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on various aspects of proposed incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (discussed here). CISA issued a Request for Information (RFI) and has scheduled a number of listening sessions across the country. Written comments may be submitted until November 14, 2022.Continue Reading CISA Seeking Input on Cyber Incident Reporting for Critical Infrastructure

President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as a part of a larger omnibus appropriations bill.  The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments.  Under the Act, once implementing regulations are issued (which are not expected this year) covered entities will be subject to two new reporting requirements:  
Continue Reading Cybersecurity Act Signed Into Law Creates New Reporting Obligations

As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part four of a four-part series (you can read Part 1 here, Part 2 here, and Part 3 here.
Continue Reading 2021 Cybersecurity Recap for Government Contractors (and What to Expect in 2022) – Part 4 of 4: Cybersecurity Maturity Model Certification (“CMMC”) 2.0

As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part three of a four-part series (you can read Part 1 here and Part 2 here).
Continue Reading 2021 Cybersecurity Recap for Government Contractors (and What to Expect in 2022) – Part 3 of 4: Cyber Incident & Ransomware Payment Reporting Legislation

As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part two of a four-part series (you can read Part 1 here).
Continue Reading 2021 Cybersecurity Recap for Government Contractors (and What to Expect in 2022) – Part 2 of 4: Department of Justice (DOJ) Civil-Cyber Fraud Initiative

As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part one of a four-part series.
Continue Reading 2021 Cybersecurity Recap for Government Contractors (and What to Expect in 2022) – Part 1 of 4: Biden’s Cybersecurity Executive Order (EO 14028)

The Department of Defense (DOD) recently announced several changes to its Cybersecurity Maturity Model Certification program. The program applies to those who serve as contractors and suppliers to the DOD. As described in our sister blog, the new version of the program – “CMMC 2.0” – has several important differences from the original program. CMMC 2.0 is anticipated to go into effect anywhere from nine to 24 months from now.
Continue Reading Updates Announced to Department of Defense Cybersecurity Certification Program