Insights

On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance regarding the implementation and enforcement of the newly enacted final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” now referred to as the Data Security Program (DSP). The release included an Implementation and Enforcement Policy, a Compliance Guide, and Frequently Asked Questions (FAQs). Collectively, these documents are designed to help entities subject to the DSP understand and comply with the obligations set out under the Final Rule.

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.

On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation. 

As digitalization has become more ubiquitous and attacks surfaces widened, the number of cyberattacks have correspondingly increased. In 2024, ransomware attacks in particular grew in their frequency and impact. In an effort to enact more stringent policy approaches, governments introduced over 170 data protection laws between 2023 and 2024. With not a single company immune from these regulatory winds, industry must keep a close watch.

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

Significant shifts in U.S. technology policy are taking shape at the start of the new administration. This is especially true in the field of artificial intelligence (AI), where President Trump revoked President Biden’s Executive Order 14110, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” as part of his flurry of Day One executive actions. The administration is now moving quickly to put its own stamp on this area in an effort to strengthen U.S. AI leadership and competitiveness and outpace other nations, particularly the People’s Republic of China.

Crowell Global Advisors joined the industry delegation to the 5thASEAN Digital Ministers’ Meeting (ADGMIN) hosted by Thailand from January 16-17, 2025. The official theme for this year was “Secure, Innovative, Inclusive: Shaping ASEAN’s Digital Future,” with a focus on promoting safe adoption of emerging technologies by ASEAN Member States (AMS).

While it is unclear at this stage what exactly a second Trump administration means for U.S. digital, technology, and trade policy, one thing that is clear is that it will involve major changes, especially as it relates to the potential for high, broad tariffs. Media reports and commentary and recent personnel appointments give some early clues on what else a second Trump administration may do. It is an open question as to which Biden administration policies a second Trump administration keeps, revises, or scraps (like Biden administration executive orders on artificial intelligence) and which policies and strategies from the first Trump administration it revives or revises. It is also unclear the extent to which a second Trump administration will consider the interests of allies and close trading partners and whether the Trump administration will pursue its own vision for global technology governance at the G7 and other fora.  

Amid the continued exponential rise and adoption of artificial intelligence (AI) systems, the Council of Europe set a unique precedent earlier this year by adopting the first-of-its-kind legally binding international AI framework. Aimed at ensuring the respect of human rights, the rule of law, and democracy in the use of AI systems, the framework strikes an important balance in addressing the risks throughout the lifecycle of an AI system without hampering innovation.

The Cyber Security Agency of Singapore (CSA) is currently in the process of introducing the first ever amendments to its Cybersecurity Act (CS Act) 2018 via the Cybersecurity (Amendment) Bill.  Through these Amendments, CSA is looking to account for advancements in Singapore’s technology and business landscape since 2018.  It is also hoping to holistically enhance the cybersecurity of not only the country’s critical information infrastructure (CII) but also other digital infrastructure important for Singapore’s economy.

C&M International’s Asia-based digital policy team joined an industry delegation last week at a key gathering to discuss Southeast Asia’s future digital economy. Singapore hosted the 4thASEAN Digital Ministers’ Meeting (ADGMIN) from 30 January to 02 February, 2024 under the theme “Building an Inclusive and Trusted Digital Ecosystem”. Josephine Teo, Singapore’s Minister for Communications and Information, chaired the meeting alongside her counterpart from Thailand, Prasert Jantararuangtong, Minister of Digital Economy and Society as the Vice Chair.

On January 29, 2024, the Department of Commerce released a proposed rule:  Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, which solicits comments regarding a proposed  new set of regulations that would introduce significant new requirements for U.S.-based Infrastructure as a Service (IaaS) providers.  The proposed rule implements requirements from the January 2021 Executive Order Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities and part of the October 2023 Executive Order Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.  If Commerce implements the regulations as proposed, IaaS providers would be required to create a Customer Identification Program (CIP), ensure any foreign resellers maintain a CIP, track all customer identities, verify the identities of foreign customers, and report certain transactions implicating large AI models that could be used for malicious cyber-enabled activities.  The Department is soliciting comments on all aspects of the proposed rule by April 29, 2024.

On 15 December 2023, the Cyber Security Agency of Singapore (CSA) opened stakeholder consultation on its draft Cybersecurity (Amendment) Bill 2023. This draft Bill is the first review of the Cybersecurity Act 2018 and aims to enhance Singapore’s cyber resilience in the face of the country’s increasing digitalization.

On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.”  The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls.  The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor.  Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).

On October 30, 2023, President Biden released an Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI).  This landmark EO seeks to advance the safe and secure development and deployment of AI by implementing a society-wide effort across government, the private sector, academia, and civil society to harness “AI for good,” while mitigating its substantial risks.

On September 28, 2023, the Cyberspace Administration of China (“CAC”) published the draft Provisions on Regulating and Promoting Cross-Border Data Flows (“Draft Provisions”) for public consultation.

Artificial intelligence (AI) has been at the forefront of public debate since the release of OpenAI’s ChatGPT in November 2022. Since then, numerous AI applications have been released to the public that serve a wide variety of functions, exacerbating the need for governance, as many technical, ethical, and legal questions remain unanswered. As the AI landscape continues to rapidly evolve, the Biden Administration has taken proactive efforts to develop a National Artificial Intelligence Strategy that seeks to mitigate the risks associated with the transformative technology. These efforts include the establishment of guidelines and standards, investments in research and development (R&D) initiatives, collaborative partnerships with major technology companies, and even a national competition with nearly $20 million in awards.

The summer has been anything but slow in the People’s Republic of China. China is leaning into its regulation of emerging technologies, while attempting to strike a balance with its domestic economic priorities. In just the past few weeks, state authorities have issued a slew of draft measures and announced new initiatives – all with significant ramifications for businesses processing data within the PRC. From personal information processing to facial recognition to cross-border data transfers, what follows is a highlight reel of what you may have missed while you were away on vacation, with the comment period for many of these developments closing within the next few weeks.

On July 21, 2023, the Biden administration announced that seven companies leading the development of artificial intelligence (AI) -- Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI -- have made voluntary commitments, which the companies agreed to undertake immediately, to help move towards safe, secure, and transparent development of AI technology. The goal of the voluntary commitments, or the “AI Agreement” as it is informally dubbed, is to establish a set of standards that promote the principles of safety, security, and trust deemed fundamental to the future of AI.

On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communication Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase.