Insights

On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.

On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation. 

FY 2024 saw continued growth in False Claims Act enforcement, with a record year for new qui tam and government-initiated actions, and the highest total recovery in three years. Enforcement of pandemic-related fraud and cybersecurity noncompliance increased, and health care, procurement, and small business fraud violations were again priority areas. A groundbreaking opinion from the District Court for the Middle District of Florida may have teed up a potentially landscape-shifting decision about the viability of the qui tam mechanism in the not too distant future. And a landmark administrative law decision at the U.S. Supreme Court may impact many FCA cases to come. Significant decisions regarding retaliation, excessive fines, the first-to-file rule, and the public disclosure bar were also handed down by courts of appeals. Crowell attorneys discuss these highlights and others in a “Feature Comment” published in The Government Contractor.

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

On January 15, 2025, the FAR Council released a proposed rule (FAR CUI Rule) that would amend the FAR to implement federal government-wide Controlled Unclassified Information (CUI) cybersecurity, training, and incident reporting requirements for government contractors and subcontractors.  The rule’s key cybersecurity requirements closely mirror the Department of Defense’s Cyber Maturity Model Certification (CMMC) program (for example, compliance with National Institute of Standards and Technology Special Publication 800-171, Revision 2), but broaden the scope to include contractors and subcontractors working across all federal agencies.  The Rule is intended to standardize the handling of CUI by federal government contractors and subcontractors in accordance with Executive Order 13556, including by:

On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with contractually mandated cybersecurity requirements by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA).  The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.

On October 11, 2024, the Department of Defense (DoD) released a final rule (the “Final Program Rule”) formalizing the requirements, assessment processes, and related governance for its Cyber Maturity Model Certification Program (CMMC).[1] 

As the primary civil enforcement statute for investigating and remedying fraud in connection with United States government programs, the False Claims Act (FCA) has resulted in more than $75 billion in recoveries of government funds since 1986. The FCA imposes liability on any person or entity that knowingly submits false claims or certifications to the government or improperly retains money owed to the U.S. government.

On July 25, 2024 the Office of Management and Budget (OMB) issued Memorandum M-24-15, Modernizing the Federal Risk Authorization Management Program (FedRAMP) (the Memo).  The Memo proposes substantial updates to FedRAMP, replacing the December 2011 memorandum (2011 Memo) that established FedRAMP as the government-wide security and risk assessments program for cloud services providers (CSPs) supporting federal government operations.

On June 17, 2024, the Department of Justice (DOJ) announced a $11.3 million False Claims Act (FCA) settlement that touches on two key enforcement priorities:  the DOJ’s Civil Cyber-Fraud Initiative and pandemic-related fraud.  This settlement, the largest under the Civil Cyber-Fraud Initiative to date, resolved allegations that Guidehouse Inc. (Guidehouse) and its subcontractor, Nan McKay and Associates (Nan McKay), violated the FCA because they failed to conduct pre‑production cybersecurity testing on New York State’s Emergency Rental Assistance Program (ERAP) technology product before public launch, and that Guidehouse used an unapproved third-party data cloud software program to store personally identifiable information (PII).

On May 1, 2024, the Department of Justice (DOJ) announced that Insight Global LLC (Insight), an international staffing and services company, will pay $2.7 million to resolve allegations that it violated the False Claims Act (FCA) by failing to implement adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII) under its contracts with the Pennsylvania Department of Health (PADOH) to provide staffing for COVID-19 contact tracing services.  Although contracts with state agencies generally fall outside the FCA’s ambit, PADOH paid Insight using funds received from the federal Centers for Disease Control and Prevention (CDC)—bringing the contract within the FCA’s scope. 

On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), specifying that contractors subject to the clause must comply with NIST SP 800-171, Revision 2.  The deviation (labeled Deviation 2024-O0013) will delay the incorporation of NIST SP 800-171, Revision 3—which is set to be finalized in the next few weeks—into DFARS 7012.

2023 brought many important False Claims Act developments for companies with business involving government funds.  While overall recoveries remained down compared to pre-2022 levels, the total number of settlements and judgments exceeded any prior year.  Those settlements and judgments also highlight areas of particular focus for the Government, including cybersecurity compliance, pandemic fraud, and small business fraud, among others.  Of particular note, 2023 saw the U.S. Supreme Court issue decisions concerning the Government’s authority to dismiss qui tam actions and the critical element of scienter/knowledge that will have wide-reaching impact.  The courts of appeals also issued significant decisions on damages, materiality, and more.  Crowell attorneys discuss these highlights and others in a "Feature Comment" published in The Government Contractor.

The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP) to be Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline “equivalent” and meet incident reporting requirements under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). The memorandum states, in order to be considered FedRAMP equivalent going forward, CSPs must (1) be FedRAMP Moderate/High-Authorized, or (2) secure a third-party assessment confirming their compliance with all FedRAMP Moderate baseline security controls.

On December 26, 2023, the Department of Defense (DoD) released the highly anticipated proposed rule for the Cybersecurity Maturity Model Certification Program (CMMC), a cybersecurity regulatory program that will likely impact most of the government contractor community. Every contractor who handles sensitive data such as Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) during DoD contract performance will be covered by this regulation. While the CMMC program builds upon the security requirements included in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, CMMC will bring greater scrutiny to contractors’ cybersecurity compliance and potentially greater consequences for failure to comply in the era of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. If finalized as proposed, the rule will significantly impact the CMMC regime, notably by requiring senior company officials to complete an affirmation for every CMMC level self-assessed or certified, thus increasing legal compliance risks.

On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.”  The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls.  The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor.  Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).

Almost a decade after the Department of Defense developed rules requiring mandatory reporting of cyber incidents, on October 3, 2023, the Federal Acquisition Regulation (FAR) Council released new proposed rules—one addressing cyber incident reporting and another addressing cybersecurity requirements for contractors maintaining a Federal Information System (FIS).  When enacted, these rules could implement new security measures and incident reporting requirements via FAR clauses for contractors across the entire federal government.  The “Cyber Threat and Incident Reporting and Information Sharing” proposed rule focuses on increasing the sharing of information about cyber threats between government and private industry, while the “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems” proposed rule focuses on implementing policies, procedures, and requirements for contractors maintaining an FIS.  These rules implement Biden Administration initiatives pursuant to Executive Order (“EO”) 14028, “Improving the Nation’s Cybersecurity” issued in May 2021. 

A False Claims Act (FCA) settlement recently announced by the U.S. Department of Justice stands at the intersection of two evolving trends:  DOJ’s increasing focus on cybersecurity lapses by government contractors as part of its Civil Cyber-Fraud Initiative, and DOJ policies incentivizing corporations to voluntarily self-disclose violations of federal law.

On June 21, 2023, the Department of Homeland Security (DHS) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) by updating an existing clause (HSAR 3052.204-71) and adding two new contract clauses (HSAR 3052.204-72 and 3052.204-73) to address safeguarding of Controlled Unclassified Information (CUI).  The final rule is effective July 21, 2023.