Insights

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.

On September 10, 2025, the Department of Defense (DoD) published a final rule (CMMC Clause Rule) that will apply its much-anticipated Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors. Under the CMMC Clause Rule, starting on November 10, 2025, DoD can include CMMC requirements—potentially including third-party cybersecurity assessments—in contracts that require the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

The U.S. Department of Justice’s (DOJ) reprieve on civil enforcement of its Data Security Program (DSP), which imposes sweeping restrictions on bulk data transfers by U.S. entities to certain “countries of concern” and “covered persons,” is set to expire on July 8, 2025.

After years of anticipation and a series of delays, implementation of the U.S. Department of Defense’s Cyber Maturity Model Certification Program (CMMC) is rapidly approaching. Though CMMC is not expected to enter into effect until early-to- mid 2025, DOD contactors can start taking steps now to ensure a smooth transition into this new regulatory era.

U.S. colleges and universities watched closely this summer when the DOJ, in a novel move, scrutinized the cybersecurity compliance of a research lab at an academic institution.

The Department of Defense (DoD) has released the highly anticipated second final rule for the Cybersecurity Maturity Model Certification Program (CMMC), ushering in its mandatory implementation that begins on November 10. CMMC is a unified assessment model released by the DoD in response to the growing threat of cyberattacks on and data theft from the Defense Industrial Base.  This program requires every DoD contractor that handles sensitive government data to certify compliance with certain cybersecurity controls.  CMMC brings greater scrutiny to contractors’ cybersecurity compliance and greater risks associated with compliance failures. To achieve certification, contractors must prove that their organizations can meet a myriad of security control obligations, a process that can be daunting without familiarity with the policies, procedures, and practices that will be required when the program is finalized.