Insights

Washington – February 23, 2021: Chambers and Partners has ranked three Crowell & Moring practice groups and ten individual lawyers in the Chambers Global 2021 guide. The rankings are driven by independent interviews of clients and members of the legal community.

Washington – April 23, 2020: Chambers and Partners has ranked 53 Crowell & Moring lawyers in 62 rankings across 33 categories in the Chambers USA 2020 guide. In addition, 21 practice areas were also ranked in the guide. The regional and national rankings are driven by independent interviews of clients and lawyers.

On September 10, 2025, the Department of Defense (DoD) published a final rule (CMMC Clause Rule) that will apply its much-anticipated Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors. Under the CMMC Clause Rule, starting on November 10, 2025, DoD can include CMMC requirements—potentially including third-party cybersecurity assessments—in contracts that require the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

On July 31, 2025, the Department of Justice (DOJ) announced that Illumina, Inc. will pay $9.8 million to resolve allegations that it violated the False Claims Act (FCA) by selling genomic sequencing systems with software containing cybersecurity vulnerabilities to federal agencies. This is the first FCA settlement involving claims that a medical manufacturer failed to incorporate adequate product cybersecurity into its software design and development.The allegations were first made in United States ex rel. Lenore v. Illumina Inc., No. 1:23-cv-00372 (D.R.I.), a qui tam action filed by Illumina’s former Director for Platform Management, On-Market Portfolio in September 2023. The relator alleged that, between February 2016 and September 2023, Illumina knowingly sold genomic sequencing systems to government agencies without adequate security programs or quality systems to identify and address software vulnerabilities. The complaint further alleged that Illumina failed to properly resource personnel and processes responsible for product security, did not remediate design features introducing cybersecurity risks, and misrepresented the software’s adherence to required cybersecurity standards.According to the government, Illumina’s actions included:

The U.S. Department of Justice’s (DOJ) reprieve on civil enforcement of its Data Security Program (DSP), which imposes sweeping restrictions on bulk data transfers by U.S. entities to certain “countries of concern” and “covered persons,” is set to expire on July 8, 2025.

The Asia-Pacific (APAC) region witnessed a rapid digital transformation in 2024, powered by its connectivity and technological innovations. However, these advancements have introduced new vulnerabilities into the region’s digital ecosystem, which more sophisticated and nuanced cyber threats are already exploiting. In Q2 2024 alone, the APAC region experienced an average of 2,510 weekly cyberattacks per organization, marking a 23 percent increase compared to the same period in 2023.

The People’s Republic of China’s data protection laws have evolved rapidly in recent years, reflecting the global trend towards greater data privacy and security. The cornerstone of this legal framework has been a trio of measures: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). These three laws collectively govern the whole lifecycle of data processing.

The Department of Defense (DoD) has released the highly anticipated second final rule for the Cybersecurity Maturity Model Certification Program (CMMC), ushering in its mandatory implementation that begins on November 10. CMMC is a unified assessment model released by the DoD in response to the growing threat of cyberattacks on and data theft from the Defense Industrial Base.  This program requires every DoD contractor that handles sensitive government data to certify compliance with certain cybersecurity controls.  CMMC brings greater scrutiny to contractors’ cybersecurity compliance and greater risks associated with compliance failures. To achieve certification, contractors must prove that their organizations can meet a myriad of security control obligations, a process that can be daunting without familiarity with the policies, procedures, and practices that will be required when the program is finalized.

Since the November 2022 release of ChatGPT, generative AI has been a regulatory accelerator for governance of AI writ large. Individuals, organizations, industries, and governments across the world have grappled with the implications of AI, including how it is and could be regulated using existing and new legal frameworks. For example, since our December 2023 update:

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, Kate Growley overviews Medium Assessments and the importance of them for defense contractors.

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, hosts Evan Wolff and Kate Growley talk through some key elements that are no longer expected under CMMC 2.0.

Crowell & Moring’s “Byte-Sized Q&A” podcast takes the complex world of government contracts cybersecurity and breaks it down into byte-sized pieces. In this episode, host Kate Growley is joined by Yuan Zhou to talk through how to determine if you’re providing a commercial off-the-shelf – or “COTS” – item and what that means for your contractual cybersecurity obligations.