Insights

Washington – February 22, 2019: Crowell & Moring LLP is pleased to announce that its Government Contracts Group has been recognized as one of Law360’s “Practice Groups of the Year” for government contracts. This is the ninth consecutive year that the group has earned this honor.

Washington, D.C. – January 9, 2015: Crowell & Moring LLP is pleased to announce that its Government Contracts Group has been named to Law360's "Practice Groups of the Year" listing for Government Contracts for the fifth straight year. For this listing, Law360 recognizes "firms that came through for their clients in 2014, sealing the big deals and winning the high-stakes suits."

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors.  The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies.  The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:

On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] 

Crowell & Moring's Ounce of Prevention Seminar, hosted by the firm's Government Contracts Group, is featured in a BNA article discussing compliance measures for federal contractors. George Washington University law professor Steven Schooner, who spoke at the conference, discussed key compliance cases to highlight the importance of risk avoidance for contractors.

Washington, D.C.-based Government Contracts partner Evan Wolff and senior counsel Maida Lerner are featured in BNA after speaking at Crowell & Moring’s annual Ounce of Prevention Seminar. Wolff and Lerner highlight best practices that lawyers can recommend to mitigate cybersecurity risks, noting that the most important step is to prepare for an incident. Wolff and Lerner also advised that firms should clearly establish who is in charge of cyber issues and should advise clients to have well-established policies and procedures related to cybersecurity.

In 2025, owners and operators of critical infrastructure will have new security and information sharing obligations to consider under the National Security Memorandum 22 (“NSM-22” or the “Memorandum”). NSM- 22 replaces the Obama-era Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21).

Protecting critical infrastructure is paramount to today’s digital age. Critical infrastructure includes physical and virtual systems essential for the functioning of our society, economy, and national security. Such a definition may include power grids, communication networks, and financial institutions, among other networks that heavily rely on interconnected computer systems. These systems are also considered critical infrastructure, as they are used to protect critical cybersecurity infrastructure.