On June 6, 2025, President Trump issued a new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO), signaling the construction of a fortified cyber defense across federal operations. This directive updates the nation’s digital stronghold, modernizing risk management, defending against quantum and artificial intelligence (AI) threats, and drawing sharper lines in the battle against foreign cyber adversaries. For technology companies and federal suppliers, this is a clarion call to reinforce their digital walls and sharpen their defenses. Agencies will soon build these secure-by-design principles into every contract and procurement decision. In this era of fortress-building, failing to meet these standards not only will leave your gates unguarded but also could bar you from the entire federal marketplace. The EO may read like ordinary policy, but don’t be misled: It’s a direct command for companies to strengthen their cyber defenses or be locked out of federal opportunities altogether.
Cybersecurity
The Need for Speed: DoD’s “Software Fast Track” Targets Bureaucracy at Mach 2

The Department of Defense (DoD) is revving its engines again—this time to rocket past its own software acquisition drag. Launched via an April 24 memo from Acting DoD CIO Katie Arrington, the DoD’s Software Fast Track (SWFT) Initiative entered a 90‑day sprint to redefine Accelerating the Authority to Operate (ATOs), aiming to replace the outdated Risk Management Framework (RMF) with AI‑enabled, continuous compliance workflows. Officially live on June 1, 2025, SWFT isn’t a fully cleared runway—it’s a mission in motion, with Requests for Information (RFIs) out and industry poised to respond. But the real turbulence won’t be technical—it’ll be cultural: Can Pentagon policy and personnel move at Top Gun pace?
Check Your Process or Pay Your Fine: Recent 6-Figure Fines from the California Privacy Protection Agency

The California Privacy Protection Agency (CPPA) recently fined clothing retailer Todd Snyder almost $350,000 for two types of consumer privacy errors. Due to technical errors during a 40-day period, it was impossible for Todd Snyder website users to request to opt out of having their information sold or shared. When users clicked the button for the Cookie Preferences Center, the consent banner would appear but instantly disappear, thus making it impossible for anyone to actually opt out. For those who were able to actually access the preferences center, Todd Snyder over-collected information from its users who wanted to opt out of having their information sold or shared. Todd Snyder’s data request form required users to verify their identity by submitting a photograph of themselves holding their identity document, even when they wanted to opt out.
Former US Attorney Zach Myers Joins McCarter & English

Zachary Myers, the former United States Attorney for the Southern District of Indiana, has officially joined McCarter & English’s Indianapolis office as a partner in the Business Litigation group. He will also serve as a co-leader of the firm’s multidisciplinary Cybersecurity & Data Privacy team. Zach brings extensive experience in high-stakes litigation and cybersecurity. As part of his practice, he will counsel clients in navigating federal government issues, including congressional inquiries and regulatory matters.
The “Prestige”: DoD Unveils NIST SP 800-171 Revision 3, Organizationally Defined Parameters

On April 15, 2025, the Department of Defense (DoD) released official guidance on Organizationally Defined Parameters (ODPs) appearing in the newly published NIST SP 800-171 Revision 3. At the same time, the DoD reaffirmed that contractors must continue complying with Revision 2 thanks to a previously issued class deviation. What does this mean in plain terms? The DoD is slowly pulling back the curtain on the next major shift in cybersecurity compliance. Still, the full prestige hasn’t happened yet.
McCarter & English Welcomes Erin Prest Former Privacy & Civil Liberties Officer and Deputy General Counsel of FBI to Cybersecurity and Data Privacy Practice

WASHINGTON (March 25, 2025) – McCarter & English today announced that Erin Prest, former FBI Privacy & Civil Liberties Officer and Deputy General Counsel, has joined the firm’s cybersecurity team as a partner in the firm’s Washington, DC office. Prest joins following an exemplary 18-year career at the FBI, where she oversaw the agency’s data security and privacy protection practices and its responses to breaches and cybersecurity events impacting FBI information, and provided guidance to FBI executives to protect the civil liberties of individuals under investigation. As Deputy General Counsel, she also oversaw the legal guidance related to criminal investigative activities, crisis response, procurement, criminal history information, and DNA matters, among others.
Whisper Through the Screams: DOJ Commits to False Claims Act Enforcement in 2025



Amid the chaos of the past few weeks—sweeping executive orders, relentless cost-cutting, and an air of uncertainty that lingers like smoke after a fire—federal contractors have been left reeling, straining to hear what comes next through the deafening noise. In this storm, predicting the future is as futile as fortune-telling. And yet beneath the shouts of change and upheaval, one truth remains, a whisper through the screams—some things, especially those that serve the government’s interests, are not going anywhere.
Feature Comment: The CUI Program: DOD, We Have A Problem (Part II)
In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶…
Feature Comment: The CUI Program: DOD, We Have a Problem
The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require…
A Standard on Many Levels: A Look at CMMC 2.0 in Final
Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.