Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to
Continue Reading How Will DoW Determine Which Level of CMMC Applies to My Agreement?
Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced
This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.
On September 10, 2025, DoD published the final version of the Cybersecurity Maturity Model Certification (“CMMC”) Defense Federal Acquisition Regulation Supplement (“DFARS”) Procurement Rule (“Procurement Rule” or “Rule”) in the Federal Register. This Rule imposes the contractual requirements associated with the CMMC Program Rule that was published in final form in October 2024. The Procurement Rule will become effective sixty days after publication, on November 10, 2025 and will be implemented in a phased approach. Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced
Bid Rigging Risk for Government Contractors
Consistent with the Trump Administration’s focus on procurement fraud, a recent settlement and guilty pleas secured by the DOJ demonstrate that bid rigging is in the Administration’s crosshairs. Government contractors should be aware of the legal risks associated with bid rigging when engaging in the bidding process. Continue Reading Bid Rigging Risk for Government Contractors
Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies. The case is the latest in a series of False Claims Act (“FCA”) settlements under the current administration that evidence DOJ’s continued focus on cybersecurity obligations for government contractors, particularly those that maintain sensitive data and personal information on behalf of federal customers.Continue Reading Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems
Recent Cybersecurity FCA Settlement Demonstrates Heightened FCA Risk to Government Contractors
On July 14, 2025, the U.S. Department of Justice (DoJ) and General Services Administration (GSA) announced a $14.75 million settlement of Civil False Claims Act allegations against IT company Hill ASC Inc. (Hill). This settlement is consistent with the current Administration’s focus on “fraud, waste, and abuse” in government procurement and the recent DoJ FCA initiative focused on cybersecurity fraud. This also follows the Department’s Criminal Division announcement of corporate procurement fraud as an enforcement priority.
The government alleged that between 2018 and 2023 Hill provided information technology services to federal agencies through the GSA’s Multiple Award Schedule (MAS) program. The settlement resolved allegations that: (i) Hill billed federal agencies for information technology personnel who lacked the experience and/or education required under the contract; (ii) Hill had not passed GSA’s required technical evaluations for contractors who sought to offer highly adaptive cybersecurity services to government customers; (iii) Hill submitted claims for cybersecurity services and other services that were not within the scope of the contract; and (iv) Hill charged the government for unapproved fees, failed to provide government customers with required information about discounts for prompt payment, and included unallowable incentive compensation in a cost submission in connection with a new contract proposal (which the settlement agreement acknowledges that Hill withdrew before any contract based on the proposal was awarded.)
To settle these allegations, Hill agreed to pay $14.75 million “plus additional amounts if certain financial contingencies occur.” The settlement imposes additional financial requirements including that Hill pay the United States 2.5% of its annual gross revenue that exceeds $18,800,000.00 from January 1, 2026 to December 31, 2029 (named the “Revenue Contingency Period”). It appears that the amount of damages initially sought by the government was higher because DoJ noted that the settlement amount was based on “the company’s ability to pay.” Continue Reading Recent Cybersecurity FCA Settlement Demonstrates Heightened FCA Risk to Government Contractors
June 2025 Cybersecurity Developments Under the Trump Administration
This is the fifth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration. The fourth blog is available here and our initial blog is available here. This blog describes key cybersecurity developments that took place in June 2025.
White House Issues New Cybersecurity Executive Order
On June 6, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the Order) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration. We wrote about the Order in additional detail here.
At a high level, the Order: (i) directs that existing federal government regulations and policy be revised to focus on securing third-party software supply chains, quantum cryptography, artificial intelligence, and Internet of Things (IoT) devices; and (ii) more expressly focuses cybersecurity-related sanctions authorities on “foreign” persons. Although the Order makes certain changes to prior cybersecurity related Executive Orders issued under previous administrations, it generally leaves the framework of those Executive Orders in place. For example, the Order removes certain requirements relating to the form of attestations (i.e., removing the requirement for machine readable format), as well as the directive for centralized validation of software attestations by the Cybersecurity and Infrastructure Agency (CISA). Likewise, the associated directive to the Federal Acquisition Regulatory Council to amend the Federal Acquisition Regulation to incorporate those requirements has also been eliminated. However, the Order appears to leave the core program in place. Further, it does not appear to modify other cybersecurity Executive Orders beyond those specified. To that end, although the Order highlights some areas where the Trump administration has taken a different approach than prior administrations, it also signals a more general alignment between administrations on core cybersecurity principles. Continue Reading June 2025 Cybersecurity Developments Under the Trump Administration
April 2025 Cybersecurity Developments Under the Trump Administration
This is the third blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration. This blog describes key cybersecurity developments that took place in April 2025.
NIST Publishes Initial Draft of Guidance for High Performance Computing Systems
U.S. National
Continue Reading April 2025 Cybersecurity Developments Under the Trump AdministrationNovember 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024. This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024.
National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”
On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.” In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.” The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.” In the publication, NIST stated that it does not expect that all requirements are needed “universally.” Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”
These requirements serve as a supplement to NIST SP 800-171, and apply to particular high-risk entities. To that end, the current version of this NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here. Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3. Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements. However, the draft requirements provide insight into how CMMC could evolve.Continue Reading November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities
On November 15, 2024, the Department of Defense (“DoD”) published a Notice of Proposed Rulemaking (“Proposed Rule”) entitled “Defense Federal Acquisition Regulation Supplement: Disclosure of Information Regarding Foreign Obligations.” The Proposed Rule would impose new disclosure obligations on “Offeror[s]” (pre-award) and “Contractor[s]” (post-award) that are triggered in certain circumstances by review or by an obligation to allow review of their source or computer code either by a foreign government or a foreign person. If the Proposed Rule takes effect, the obligations would apply to any “prospective contractor” or any existing contractor. The Proposed Rule also does not distinguish between companies based in or outside the United States.
The Proposed Rule would implement the requirement of National Defense Authorization Act for Fiscal Year 2019 (“NDAA”) section 1655 which states that “[DoD] may not use a product, service, or system procured or acquired after the date of the enactment of this Act relating to information or operational technology, cybersecurity, an industrial control system, or weapons system provided by a person unless that person” makes certain disclosures related to: (1) foreign government or foreign person access to computer or source code, and (2) the person’s Export Administration Regulations (“EAR”) or International Traffic in Arms Regulations (“ITAR”) applications or licenses. Importantly, per the NDAA, these disclosure obligations include activities dating back to August 13, 2013.
A summary of the obligations and key definitions as described by the Proposed Rule are below.
Disclosure Obligations
Disclosure of Source or Computer Code
The Proposed Rule would require any “Offeror” or “Contractor” for defense contracts to disclose in the Catalog Data Standard in the Electronic Data Access (“EDA”) system (https://piee.eb.mil) “[w]hether, and if so, when, at any time after August 12, 2013,” they (1) “allowed a foreign person or foreign government to review” or (2) “[are] under any obligation to allow a foreign person or foreign government to review, as a condition of entering into an agreement for sale or other transaction with a foreign government or with a foreign person on behalf of such a government”:
- “The source code for any product, system, or service that DoD is using or intends to use; or
- The computer code for any other than commercial product, system, or service developed for DoD.”
When this clause is included in a solicitation, by submitting its offer to the government or higher tier contractor, an “Offeror” is representing that it “has completed the foreign obligation disclosures in EDA and the disclosures are current, accurate, and complete.” For post-award disclosures, the requirements would most likely first be added in new task orders, delivery orders, and options. Continue Reading Department of Defense Publishes Notice of Proposed Rulemaking on Disclosure of Computer and Source Code to Foreign Entities
October 2024 Developments Under President Biden’s AI Executive Order
This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023. The first blog summarized the AI EO’s key provisions and
Continue Reading October 2024 Developments Under President Biden’s AI Executive Order