On April 15, 2025, the Department of Defense (DoD) released official guidance on Organizationally Defined Parameters (ODPs) appearing in the newly published NIST SP 800-171 Revision 3. At the same time, the DoD reaffirmed that contractors must continue complying with Revision 2 thanks to a previously issued class deviation. What does this mean in plain terms? The DoD is slowly pulling back the curtain on the next major shift in cybersecurity compliance. Still, the full prestige hasn’t happened yet.Continue Reading The “Prestige”: DoD Unveils NIST SP 800-171 Revision 3, Organizationally Defined Parameters
Compliance
DEI, Discrimination, Affirmative Action and More: How the Recent Executive Order Impacts Private Employers


Amid a flurry of executive orders starting his second administration, President Donald Trump issued an order entitled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity” (the “Order”) on January 21, 2025. The Order will have an immediate impact on federal contractors and subcontractors currently subject to the affirmative action obligations concerning women and minorities under now-revoked Executive Order 11246 dated September 24, 1965 (and the subsequent executive orders that refined these obligations). It also signals a significant change in the focus of federal enforcement of equal opportunity laws. The Order does NOT, however, change any of the substantive federal law regarding employment discrimination. Under Title VII of the Civil Rights Act of 1964, it remains illegal for employers to make employment decisions on the basis of race, color, religion, sex, or national origin. Other federal and state statutes prohibit making employment decisions on various other bases, including age, disability, genetic make-up, etc.; none of these substantive laws have been changed. So what has changed?Continue Reading DEI, Discrimination, Affirmative Action and More: How the Recent Executive Order Impacts Private Employers
Antitrust Corporate Compliance Programs: Late 2024 Changes Mean Companies Should Revisit Their Programs Early in 2025

The US Department of Justice Antitrust Division (DOJ or Division) recently released a revised Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Guidance). The Guidance reflects how the Division assesses the effectiveness and adequateness of a company’s antitrust compliance program. The Guidance offers insight into the Division’s evaluations of antitrust compliance programs at the charging and the sentencing stages of a criminal prosecution but is equally applicable to civil compliance. Adherence to the Guidance improves the chances a company can receive leniency and reduces the risk of prosecution should a violation occur.Continue Reading Antitrust Corporate Compliance Programs: Late 2024 Changes Mean Companies Should Revisit Their Programs Early in 2025
Feature Comment: The CUI Program: DOD, We Have A Problem (Part II)
In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶…
Feature Comment: The CUI Program: DOD, We Have a Problem
The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require…
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final
DOJ Went Down to Georgia: Lessons Learned from Recent Cybersecurity Enforcement Actions

Johnny, rosin up your bow and play your fiddle hard
’Cause Hell’s broke loose in Georgia and the Devil deals the cards
And if you win, you get this shiny fiddle made of gold
But if you lose the Devil gets your soul
~ The Charlie Daniels Band
Some might say there’s little difference between dealing with the devil and being a federal contractor. And for the unwary or unprepared, that may not be far off. Federal contracting comes with a litany of “fine print” that would make “Old Scratch” proud. However, as most savvy contractors recognize, it’s all hiding in plain sight, with the devil in the details. Take, for example, the cybersecurity requirements found in the Federal Acquisition Regulations (FAR) at 52.204-21 and the Department of Defense (DoD) FAR Supplement (DFARS) at 252.204-7012, -7019, and -7020. These requirements have been the topic of countless articles, trainings, webinars, whole conferences, etc., so it is surprising while simultaneously not surprising that they form the basis of a federal False Claims Act (FCA) claim the Department of Justice (DOJ) recently filed in its complaint in intervention.Continue Reading DOJ Went Down to Georgia: Lessons Learned from Recent Cybersecurity Enforcement Actions
Department of Labor Issues New Guidance on the Use of Artificial Intelligence and Employment Decision-Making
On April 29, 2024, the Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) released guidance to federal contractors regarding the use of artificial intelligence (AI) in their employment practices. See https://www.dol.gov/agencies/ofccp/ai/ai-eeo-guide. The guidance reminds federal contractors of their existing legal obligations, the potentially harmful effects of AI on employment decisions if used improperly, and best practices. Arriving early, the guidance puts contractors on notice of their responsibilities when using AI in their employment decisions.Continue Reading Department of Labor Issues New Guidance on the Use of Artificial Intelligence and Employment Decision-Making
NIST SP 800-171 Revision 3 Goes Final: Who’s Down with ODP?

“Arm me with harmony.” – Treach, Naughty By Nature[1]
On May 14, 2024, the National Institute of Standards and Technology (NIST) dropped the third remix…er, revision…of its Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It even came with a critical sidekick in the form of the companion assessment guide, “NIST SP 800-171A, Revision 3,” which gives organizations the necessary lowdown on “assessment procedures and methodologies” to check if they’re playing by NIST SP 800-171’s rules. Over a year in the making after previous releases in May and November of 2023, NIST’s finalized revision takes inspiration from industry by laying down the cybersecurity rules that contractors should expect to follow when handling Controlled Unclassified Information (CUI) for the US Department of Defense (DoD). While DoD isn’t requiring contractors who handle CUI to roll with Rev. 3 just yet, contractors can expect that DoD will eventually bring Rev. 3 into the mix for DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (DFARS 7012), and will be harmonizing it with the upcoming Cyber Maturity Model Certification (CMMC) program at some point soon.Continue Reading NIST SP 800-171 Revision 3 Goes Final: Who’s Down with ODP?
Supply Chain Checkup: FAR Council Announces New Rulemaking Focused on Prohibiting Certain Semiconductor Acquisitions

If you happen to be a government contractor and are contemplating additions to your Summer reading list, consider adding the FAR Council’s May 3, 2024 advanced notice of proposed rulemaking (“ANPR”) to the mix. The ANPR, which was issued in furtherance of implementing Section 5949 of the FY 2023 National Defense Authorization Act (“NDAA”), contemplates various forthcoming changes to the FAR, all of which focus on banning agencies from purchasing certain products or services that contain or otherwise utilize semiconductors that are produced, designed, or provided by three Chinese entities and their subsidiaries, affiliates, or successors: Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), and Yangtze Memory Technologies Corp. (“YMTC”). In addition, the FAR will likely be amended to prohibit the acquisition of semiconductor products or services from any entity that is owned, controlled by, or otherwise connected to China, North Korea, Iran, Russia and any other “foreign country of concern” – a designation to be determined by the Secretary of Defense or the Secretary of Commerce, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation.Continue Reading Supply Chain Checkup: FAR Council Announces New Rulemaking Focused on Prohibiting Certain Semiconductor Acquisitions