Insights

On September 10, 2025, the Department of Defense (DoD) published a final rule (CMMC Clause Rule) that will apply its much-anticipated Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors. Under the CMMC Clause Rule, starting on November 10, 2025, DoD can include CMMC requirements—potentially including third-party cybersecurity assessments—in contracts that require the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

The U.S. Department of Justice’s (DOJ) reprieve on civil enforcement of its Data Security Program (DSP), which imposes sweeping restrictions on bulk data transfers by U.S. entities to certain “countries of concern” and “covered persons,” is set to expire on July 8, 2025.

The flow of data across borders is essential to our global economy. As companies grow more and more dependent on cross-border data transfers to conduct business, two parallel legal trends have emerged:

After years of anticipation and a series of delays, implementation of the U.S. Department of Defense’s Cyber Maturity Model Certification Program (CMMC) is rapidly approaching. Though CMMC is not expected to enter into effect until early-to- mid 2025, DOD contactors can start taking steps now to ensure a smooth transition into this new regulatory era.

U.S. colleges and universities watched closely this summer when the DOJ, in a novel move, scrutinized the cybersecurity compliance of a research lab at an academic institution.

The Department of Defense (DoD) has released the highly anticipated second final rule for the Cybersecurity Maturity Model Certification Program (CMMC), ushering in its mandatory implementation that begins on November 10. CMMC is a unified assessment model released by the DoD in response to the growing threat of cyberattacks on and data theft from the Defense Industrial Base.  This program requires every DoD contractor that handles sensitive government data to certify compliance with certain cybersecurity controls.  CMMC brings greater scrutiny to contractors’ cybersecurity compliance and greater risks associated with compliance failures. To achieve certification, contractors must prove that their organizations can meet a myriad of security control obligations, a process that can be daunting without familiarity with the policies, procedures, and practices that will be required when the program is finalized.