Investigations into alleged violations of cybersecurity requirements under the federal civil False Claims Act (FCA) and its state analogues are increasingly an area of focus for the U.S. Department of Justice (DOJ), state attorneys general and whistleblowers (known as qui tam plaintiffs or relators under the FCA). We expect a continued uptick in enforcement activity, leading to elevated risk and additional potential financial exposure for companies subject to government cybersecurity requirements.
First, federal agencies and state and local governments are imposing progressively stricter cybersecurity requirements in their contracts that will ultimately apply to a broader set of contractors than before.
For example, when the Pentagon's new Cybersecurity Maturity Model Certification (CMMC) regulations go into effect on November 10, 2025, they will remove certain flexibility currently afforded to contractors that handle controlled unclassified information (CUI). Contractors will be required to fully implement required cybersecurity controls; undergo additional assessments, including third-party assessments in some instances, to validate implementation of these controls; and periodically self-attest to the government that they have implemented and will continue to maintain compliance with all applicable requirements for CMMC status.
More generally, the U.S. government has been working for many years on a rule that would impose rigorous cybersecurity controls for CUI on...