DoD’s New Year Resolution: A Cybersecurity Maturity Model Certification Program (CMMC) Proposed Rule
On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.
Alexis Ward
Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity, utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.
During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.
DoD Digs In Its Cyber “SPRS”: New Solicitation Provision Requires Contracting Officers to Consider SPRS Risk Assessments
On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments:…
Biden Administration Releases Comprehensive National Cybersecurity Strategy
On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
Summary and Analysis
The Strategy highlights the government’s commitment to investing in cybersecurity research and new technologies to protect the nation’s security…
Illinois High Court Rules Every Collection or Disclosure is a Separate BIPA Violation
On February 17, 2023, the Illinois Supreme Court ruled 4-3 that violations of the Biometric Information Privacy Act (“BIPA”) (the country’s first biometric privacy legislation) accrue for each incident of capture or dissemination of biometric information, and not only once for each data subject. Cothron v. White Castle Systems found based on the plain language…
BIPA Claims Uniformly Have a 5-Year Statute of Limitations
Key Takeaways
- A Potential Increase in Claims, Costs, and Damages
- Reduce Liability Through Transparency
On February 2, 2023, the Illinois Supreme Court ruled that all Biometric Information Privacy Act (“BIPA”) claims are uniformly subject to a five-year statute of limitations, expanding liability for businesses collecting biometric information.[1] In Tims v. Black Horse Carriers, Inc.…