This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule

Michael Joseph Montalbano

After years of drafts and interim measures, the Department of Defense (“DOD”) has issued the final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. This long-awaited development cements CMMC as a contractual requirement and clarifies key aspects of the rule’s certification, compliance, and oversight requirements.

How Will CMMC Work?

Under the final rule, every solicitation where a contractor may store, process, or transmit Federal Contract Information (“FCI”) or controlled unclassified information (“CUI”) will be assigned a CMMC level. Solicitations involving only FCI will carry a CMMC Level 1 requirement. Solicitations involving non-Defense CUI will carry a CMMC Level 2 self-attestation requirement. Solicitations involving Defense CUI will carry a CMMC Level 2 third-party certification requirement, i.e., an assessment by a CMMC Third-Party Assessment Organization (“C3PAO”). Solicitations involving particularly sensitive DOD programs will carry a Level 3 requirement, which requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”).


Beyond the Balance Sheet: The Continued Importance of Cybersecurity in M&A

Merle M. DeLancey Jr., Samarth Barot, and Michael Joseph Montalbano 

In our August 1 post, we discussed how companies that acquire government contractors can inherit False Claims Act (“FCA”) exposure based on their targets’ cybersecurity violations. Now the Department of Justice (“DOJ”) has delivered another vivid real-world example: a $1.75 million settlement in which a private equity (“PE”) firm, Gallant Capital Partners LLC, was named jointly and severally liable for its portfolio company’s cybersecurity violations on a U.S. Air Force contract.

The outcome underscores two critical truths. First, DOJ will pursue financial sponsors when a contractor in their portfolio fails to comply with its contractual cybersecurity requirements. Second, investors that fail to ask about, document, and remediate a target’s security shortcomings can find themselves financing both the acquisition and the government’s recovery.


Buyer Beware: Cybersecurity Compliance in M&A

Merle M. DeLancey Jr. and Samarth Barot 


A recent Department of Justice (“DOJ”) settlement highlights the importance of assessing cybersecurity compliance for government contractors during mergers and acquisitions (“M&A”). In April 2025, DOJ announced an $8.4 million settlement with a defense contractor resolving alleged cybersecurity noncompliance by a company it acquired. Notably, under the settlement, the acquiring company was liable for cybersecurity noncompliance that occurred prior to the acquisition.

In the M&A context, successor liability arises when an acquiring company becomes responsible for liabilities, obligations, or wrongful acts of the acquired company that predate the acquisition. Fundamentally, successor liability ensures that a corporate acquisition does not allow the acquired entity to escape accountability. In the settlement, DOJ explicitly named the acquiring company as the “successor in liability” for the acquired company’s alleged violations, even though the conduct at issue occurred years before the acquisition. This underscores the importance for acquirers of adding cybersecurity compliance to the issues vetted during due diligence.


Defense Contractors’ Restrictions When Contracting with Chinese Companies

Merle M. DeLancey, Jr. and Oliver E. Jury

In the current economic climate, the obvious focus of many companies is on the administration’s imposition of tariffs. However, government contractors, especially those contracting with the U.S. Department of Defense (“DoD”), must not lose sight of their current and potential future direct and indirect relationships with certain Chinese entities.

Contractors’ compliance obligations regarding relationships with Chinese entities flow from:

  • FAR 52.204-25 (Section 889 of the 2019 National Defense Authorization Act (“NDAA”)), and
  • The Chinese Military Companies (“CMC”) List (Section 1260H of the 2021 NDAA) (also known as the “1260H List”).


What CMMC Level Do I Need? The Department of Defense Issues New Guidance for Determining Appropriate CMMC Compliance Level

Michael Joseph Montalbano 

The Department of Defense (“DOD”) recently issued new guidance outlining how it will determine Cybersecurity Maturity Model Certification (“CMMC”) levels for its solicitations and contracts. Prior to this guidance, contractors generally understood that contracts with only Federal Contract Information (“FCI”) would require a CMMC Level 1 self-assessment; contracts with Controlled Unclassified Information (“CUI”) would require either a CMMC Level 2 self-assessment or a CMMC Level 2 certification; and DOD contracts “supporting its most critical programs and technologies” would require a CMMC Level 3 certification. DOD’s new guidance provides additional information contractors can use to help them determine which CMMC Level they should achieve.


The FAR Council Publishes Long-Awaited CUI Rule

Michael Joseph Montalbano 

On January 15, 2025, the Federal Acquisition Regulation (“FAR”) Council issued its long-awaited “CUI Rule.” CUI, or Controlled Unclassified Information, is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. For nearly 15 years, contractors have struggled to determine what information meets this definition. The CUI rule is an opportunity for the federal government to finally provide contractors with the guidance needed to better identify and safeguard the CUI they receive in connection with their federal contracts.


Department of Defense Issues Final CMMC Rule

Michael Joseph Montalbano 

On October 11, 2024, the Department of Defense (“DoD”) issued the first part of its final rule establishing the Cybersecurity Maturity Model Certification (“CMMC”) program. As expected, the final rule requires companies entrusted with national security information to implement cybersecurity standards at progressively advanced levels (CMMC Level 1, CMMC Level 2, and CMMC Level 3), depending on the type and sensitivity of the information. While the final rule largely tracks the proposed rule issued in December 2023, we outline below several notable updates DoD included in the final rule and their potential impacts on DoD contractors.


Time for Compliance with DOD’s Cybersecurity Regulations is NOW

Michael Joseph Montalbano and Samarth Barot 


On February 19, 2024, the Department of Justice (“DOJ”) notified the U.S. District Court for the Northern District of Georgia that it would intervene in a False Claims Act (“FCA”) case filed against Georgia Tech Research Corporation and Georgia Institute of Technology (collectively “Georgia Tech”) for not complying with the requirements of DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 (“NIST 800-171”).

All Department of Defense (“DOD”) solicitations and contracts contain DFARS clause 252.204-7012. If a contractor handles controlled unclassified information, DFARS 252.204-7012 requires it to assess its compliance with the 110 cybersecurity controls set out in NIST 800-171. Specifically, pursuant to DFARS 252.204-7012, contractors must implement all of the NIST 800-171 requirements and upload the results of that assessment to the Department of Defense’s Supplier Performance Risk System (“SPRS”), or have a plan of action and milestones in place for any requirement the contractor has not yet implemented.


More Cases and Expanded Data Analytics: A Closer Look at DOJ’s FY 2023 False Claims Act Statistics

Dominique L. Casimir, Luke W. Meier, and Oliver E. Jury

The United States Department of Justice (“DOJ”) recently announced its statistics for False Claims Act (“FCA”) FY 2023 settlements and judgments. DOJ recovered $2.68 billion in FY 2023; as usual, the majority of these recoveries (nearly 70 percent, or $1.8B) came from the healthcare industry. DOJ continues to make use of data analytics to inform its enforcement activity.

Background

Comparing year-to-year variance in the volume of DOJ’s FCA recoveries provides only marginal utility. More telling is the rapid expansion of the non-qui tam matters opened during the past two years. In FY 2022, DOJ opened 305 non-qui tam matters, representing approximately 186 percent of its prior ten-year average (164). In FY 2023, this increase continued, with DOJ opening 500 non-qui tam matters—305 percent of the ten-year average over FY 12–21.


The Department of Defense Clarifies FedRAMP Equivalency Standard

Michael Joseph Montalbano 

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This raises the question: what counts as equivalence to the FedRAMP Moderate baseline? Earlier this month, DoD issued a much-needed memorandum that helps answer this question.
