On August 22, 2024, the Department of Justice (DOJ) filed a complaint-in-intervention in a previously filed whistleblower suit under the qui tam provisions of the False Claims Act (FCA) against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC), an affiliate of Georgia Tech, for falsely representing its compliance with Department of Defense (DoD) cybersecurity requirements. Former and current Georgia Tech cybersecurity team employees brought the initial whistleblower lawsuit.

Continue Reading DOJ Looks To Sting Georgia Tech Under the False Claims Act: The Perils of Cybersecurity Non-Compliance

By Stephen Tobin

In 2021, the DOJ announced its Civil-Cyber-Fraud Initiative, which focused on contractors who fail to follow required cybersecurity standards. The initiative is aimed at accountability for knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Continue Reading DOJ Is Taking Cybersecurity Seriously; Contractors Should Too

On December 26, 2023, the U.S. Department of Defense (DoD) published the much-anticipated proposed rule for the revamped Cybersecurity Maturity Model Certification (CMMC) 2.0 Program.

Following growing concerns within DoD that contractors were not consistently implementing the cybersecurity requirements of DFARS 252.204-2012, DoD responded with the creation of the CMMC Program in 2019 to move away from a “self-attestation” model of security. The CMMC Program’s purpose is for contractors and subcontractors to demonstrate that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) being processed, stored, or transmitted is adequately safeguarded. CMMC builds from existing cybersecurity requirements by requiring that contractors and subcontractors undergo Self-Assessments, Third-Party Assessments, or Government Assessments, as required, to ensure that mandated information protection requirements have been implemented.

Continue Reading Happy New Year From DoD – The Proposed CMMC Rule Is Here

On October 3, 2023, the FAR Council released two proposed rules for federal contractor cybersecurity requirements that relate to cyber threat and incident reporting and information sharing (case 2021-017) and standardizing cybersecurity requirements for unclassified federal information systems (case 2021-019). Both proposed rules not only provide new requirements for federal contractors to follow but also provide new definitions and contract provisions for information and contract technology and federal information systems contracts.

Continue Reading New Proposed Cybersecurity Rules Mean Big Changes for Federal Contractors

On November 4, 2021, the Department of Defense (DOD) announced it is revamping the Cybersecurity Maturity Model Certification program. The changes are intended to make the program more streamlined and flexible, which, in turn, will make it easier (and cheaper) for contractors to implement. Details of the revised program are limited, but some of the highlights include:

  • Fewer Levels: CMMC 2.0 will have only three levels of certification rather than five, and they will align more closely with existing cybersecurity standards. For example, Level 2 will align with NIST SP 800-171, the standard that applies when contractors handle controlled unclassified information.

Continue Reading DOD Announces CMMC 2.0; Cancels Rollout of CMMC 1.0