Insights

Last year, the California General Assembly passed the California AI Transparency Act (CAITA), which Governor Gavin Newsom signed into law on September 19, 2024, and goes into effect on January 1, 2026. This may change because this year, the same General Assembly passed AB 853, an amendment to CAITA with potentially far-reaching implications.

Marking a significant milestone toward the broad deployment of commercial drones over American skies, the Federal Aviation Administration (“FAA”) and Transportation Security Administration issued a proposed rule in August that would streamline how drones can operate when they fly beyond the visual line of sight of their operators.

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.

On September 26, the White House invited the public to submit comments on Federal laws, rules, and policies that “unnecessarily hinder” the development or deployment of artificial intelligence (AI) technologies in the United States. This request marks one of the Trump Administration’s most substantial moves yet to reduce the regulatory burden on AI. Respondents may submit comments through a government website until October 27, 2025.

On September 10, 2025, the Department of Defense (DoD) published a final rule (CMMC Clause Rule) that will apply its much-anticipated Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors. Under the CMMC Clause Rule, starting on November 10, 2025, DoD can include CMMC requirements—potentially including third-party cybersecurity assessments—in contracts that require the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

On July 31, 2025, the Department of Justice (DOJ) announced that Illumina, Inc. will pay $9.8 million to resolve allegations that it violated the False Claims Act (FCA) by selling genomic sequencing systems with software containing cybersecurity vulnerabilities to federal agencies. This is the first FCA settlement involving claims that a medical manufacturer failed to incorporate adequate product cybersecurity into its software design and development.The allegations were first made in United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.), a qui tam action filed by Illumina’s former Director for Platform Management, On-Market Portfolio in September 2023. The relator alleged that, between February 2016 and September 2023, Illumina knowingly sold genomic sequencing systems to government agencies without adequate security programs or quality systems to identify and address software vulnerabilities. The complaint further alleged that Illumina failed to properly resource personnel and processes responsible for product security, did not remediate design features introducing cybersecurity risks, and misrepresented the software’s adherence to required cybersecurity standards.According to the government, Illumina’s actions included:

The U.S. Department of Justice’s (DOJ) reprieve on civil enforcement of its Data Security Program (DSP), which imposes sweeping restrictions on bulk data transfers by U.S. entities to certain “countries of concern” and “covered persons,” is set to expire on July 8, 2025.

The flow of data across borders is essential to our global economy. As companies grow more and more dependent on cross-border data transfers to conduct business, two parallel legal trends have emerged:

On June 6, 2025 President Trump signed an Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (the “Trump Cyber EO”). The Trump Cyber EO rescinds and modifies select Biden administration guidance from EO 14144 covering several cybersecurity regimes, including digital identity verification, artificial intelligence, and secure software development practices, and it amends Obama administration guidance from EO 13694 authorizing sanctions on persons involved in malicious cyber activities. We have provided a summary of significant changes made by the Trump Cyber EO below.

On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance regarding the implementation and enforcement of the newly enacted final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” now referred to as the Data Security Program (DSP). The release included an Implementation and Enforcement Policy, a Compliance Guide, and Frequently Asked Questions (FAQs). Collectively, these documents are designed to help entities subject to the DSP understand and comply with the obligations set out under the Final Rule.

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.

On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation. 

As digitalization has become more ubiquitous and attacks surfaces widened, the number of cyberattacks have correspondingly increased. In 2024, ransomware attacks in particular grew in their frequency and impact. In an effort to enact more stringent policy approaches, governments introduced over 170 data protection laws between 2023 and 2024. With not a single company immune from these regulatory winds, industry must keep a close watch.

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

Significant shifts in U.S. technology policy are taking shape at the start of the new administration. This is especially true in the field of artificial intelligence (AI), where President Trump revoked President Biden’s Executive Order 14110, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” as part of his flurry of Day One executive actions. The administration is now moving quickly to put its own stamp on this area in an effort to strengthen U.S. AI leadership and competitiveness and outpace other nations, particularly the People’s Republic of China.

Crowell Global Advisors joined the industry delegation to the 5thASEAN Digital Ministers’ Meeting (ADGMIN) hosted by Thailand from January 16-17, 2025. The official theme for this year was “Secure, Innovative, Inclusive: Shaping ASEAN’s Digital Future,” with a focus on promoting safe adoption of emerging technologies by ASEAN Member States (AMS).

While it is unclear at this stage what exactly a second Trump administration means for U.S. digital, technology, and trade policy, one thing that is clear is that it will involve major changes, especially as it relates to the potential for high, broad tariffs. Media reports and commentary and recent personnel appointments give some early clues on what else a second Trump administration may do. It is an open question as to which Biden administration policies a second Trump administration keeps, revises, or scraps (like Biden administration executive orders on artificial intelligence) and which policies and strategies from the first Trump administration it revives or revises. It is also unclear the extent to which a second Trump administration will consider the interests of allies and close trading partners and whether the Trump administration will pursue its own vision for global technology governance at the G7 and other fora.  

Amid the continued exponential rise and adoption of artificial intelligence (AI) systems, the Council of Europe set a unique precedent earlier this year by adopting the first-of-its-kind legally binding international AI framework. Aimed at ensuring the respect of human rights, the rule of law, and democracy in the use of AI systems, the framework strikes an important balance in addressing the risks throughout the lifecycle of an AI system without hampering innovation.

The Cyber Security Agency of Singapore (CSA) is currently in the process of introducing the first ever amendments to its Cybersecurity Act (CS Act) 2018 via the Cybersecurity (Amendment) Bill.  Through these Amendments, CSA is looking to account for advancements in Singapore’s technology and business landscape since 2018.  It is also hoping to holistically enhance the cybersecurity of not only the country’s critical information infrastructure (CII) but also other digital infrastructure important for Singapore’s economy.

C&M International’s Asia-based digital policy team joined an industry delegation last week at a key gathering to discuss Southeast Asia’s future digital economy. Singapore hosted the 4thASEAN Digital Ministers’ Meeting (ADGMIN) from 30 January to 02 February, 2024 under the theme “Building an Inclusive and Trusted Digital Ecosystem”. Josephine Teo, Singapore’s Minister for Communications and Information, chaired the meeting alongside her counterpart from Thailand, Prasert Jantararuangtong, Minister of Digital Economy and Society as the Vice Chair.