The DoD has finally crossed the CMMC finish line, but for contractors, the race is just beginning. With the Final Rule effective Nov. 10, award eligibility will hinge on a “current” CMMC status in SPRS, backed by annual affirmations and strict compliance. The next two months are critical for getting race-ready. In this Featured Comment
Cybersecurity
And in This Corner … the Sweet Science of Federal Contracting’s Year-End
“Ding ding.” – Apollo Creed, Rocky III
September 30. All (most?) federal years end the same way, at least on paper—like a prizefight, with the clock ticking down; an agitated, uncertain crowd; a lot of money on the table; and a ref capable of stopping the match at any moment. This year will be at once both no different and a completely different beast. With ever-recent uncertainty surrounding appropriations, continuing-resolution (CR) risk, evolving Federal Acquisition Regulation (FAR) language, the tightening screws of cyber attestations, industry supply-chain and acquisition changes, and grant closeouts that always take longer than you’d think, September is not a month for contractor improvisation. It’s a month when a dedicated corner team, a game plan, and crisp execution all are paramount.
Building the Cyber Fortress: New Cybersecurity Executive Order Targets Quantum, AI, and Supply Chain Security
On June 6, 2025, President Trump issued a new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO), signaling the construction of a fortified cyber defense across federal operations. This directive updates the nation’s digital stronghold, modernizing risk management, defending against quantum and artificial intelligence (AI) threats, and drawing sharper lines in the battle against foreign cyber adversaries. For technology companies and federal suppliers, this is a clarion call to reinforce their digital walls and sharpen their defenses. Agencies will soon build these secure-by-design principles into every contract and procurement decision. In this era of fortress-building, failing to meet these standards not only will leave your gates unguarded but also could bar you from the entire federal marketplace. The EO may read like ordinary policy, but don’t be misled: It’s a direct command for companies to strengthen their cyber defenses or be locked out of federal opportunities altogether.
The Need for Speed: DoD’s “Software Fast Track” Targets Bureaucracy at Mach 2
The Department of Defense (DoD) is revving its engines again—this time to rocket past its own software acquisition drag. Launched via an April 24 memo from Acting DoD CIO Katie Arrington, the DoD’s Software Fast Track (SWFT) Initiative entered a 90‑day sprint to redefine Accelerating the Authority to Operate (ATOs), aiming to replace the outdated Risk Management Framework (RMF) with AI‑enabled, continuous compliance workflows. Officially live on June 1, 2025, SWFT isn’t a fully cleared runway—it’s a mission in motion, with Requests for Information (RFIs) out and industry poised to respond. But the real turbulence won’t be technical—it’ll be cultural: Can Pentagon policy and personnel move at Top Gun pace?
Check Your Process or Pay Your Fine: Recent 6-Figure Fines from the California Privacy Protection Agency
The California Privacy Protection Agency (CPPA) recently fined clothing retailer Todd Snyder almost $350,000 for two types of consumer privacy errors. Due to technical errors during a 40-day period, it was impossible for Todd Snyder website users to request to opt out of having their information sold or shared. When users clicked the button for the Cookie Preferences Center, the consent banner would appear but instantly disappear, thus making it impossible for anyone to actually opt out. For those who were able to actually access the preferences center, Todd Snyder over-collected information from its users who wanted to opt out of having their information sold or shared. Todd Snyder’s data request form required users to verify their identity by submitting a photograph of themselves holding their identity document, even when they wanted to opt out.
Former US Attorney Zach Myers Joins McCarter & English
Zachary Myers, the former United States Attorney for the Southern District of Indiana, has officially joined McCarter & English’s Indianapolis office as a partner in the Business Litigation group. He will also serve as a co-leader of the firm’s multidisciplinary Cybersecurity & Data Privacy team. Zach brings extensive experience in high-stakes litigation and cybersecurity. As part of his practice, he will counsel clients in navigating federal government issues, including congressional inquiries and regulatory matters.
The “Prestige”: DoD Unveils NIST SP 800-171 Revision 3, Organizationally Defined Parameters
On April 15, 2025, the Department of Defense (DoD) released official guidance on Organizationally Defined Parameters (ODPs) appearing in the newly published NIST SP 800-171 Revision 3. At the same time, the DoD reaffirmed that contractors must continue complying with Revision 2 thanks to a previously issued class deviation. What does this mean in plain terms? The DoD is slowly pulling back the curtain on the next major shift in cybersecurity compliance. Still, the full prestige hasn’t happened yet.
McCarter & English Welcomes Erin Prest Former Privacy & Civil Liberties Officer and Deputy General Counsel of FBI to Cybersecurity and Data Privacy Practice
WASHINGTON (March 25, 2025) – McCarter & English today announced that Erin Prest, former FBI Privacy & Civil Liberties Officer and Deputy General Counsel, has joined the firm’s cybersecurity team as a partner in the firm’s Washington, DC office. Prest joins following an exemplary 18-year career at the FBI, where she oversaw the agency’s data security and privacy protection practices, its responses to breaches and cybersecurity events impacting FBI information, and provided guidance to FBI executives to protect the civil liberties of individuals under investigation. As Deputy General Counsel, she also oversaw the legal guidance related to criminal investigative activities, crisis response, procurement, criminal history information, and DNA matters, among others.
Whisper Through the Screams: DOJ Commits to False Claims Act Enforcement in 2025
Amid the chaos of the past few weeks—sweeping executive orders, relentless cost-cutting, and an air of uncertainty that lingers like smoke after a fire—federal contractors have been left reeling, straining to hear what comes next through the deafening noise. In this storm, predicting the future is as futile as fortune-telling. And yet beneath the shouts of change and upheaval, one truth remains, a whisper through the screams—some things, especially those that serve the government’s interests, are not going anywhere.
Feature Comment: The CUI Program: DOD, We Have A Problem (Part II)
In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶…
