Investigations, Enforcement, & Compliance Alerts

On April 15, 2025, President Trump issued two Executive Orders directed at streamlining government procurement.

Cybersecurity requirements for contractors doing business with the U.S. federal government are nothing new. 

On March 14, 2025, in a late Friday decision, a panel of judges from the U.S. Court of Appeals for the Fourth Circuit ruled that, for the time being, the Trump Administration is permitted to enforce Executive Orders (EOs) 14151 (Ending Radical and Wasteful Government DEI Programs and Preferencing) and 14173 (Ending Illegal Discrimination and Restoring Merit-Based Opportunity), which prohibit Diversity, Equity, and Inclusion (DEI) (also referred to as Diversity, Equity, Inclusion, and Accessibility, or DEIA in the EOs) efforts within the federal government and by federal contractors, respectively.

On February 15, 2025, the acting administrator of the United States General Services Administration (GSA), Stephen Ehikian, announced on X (formerly Twitter) that the GSA issued several new deviations from the Federal Acquisition Regulation (FAR) intended to implement key Trump Executive Orders that aim to end illegal discrimination, restore merit-based opportunity, and eliminate the forced use of paper straws in procurement.

On February 5, 2025, U.S. Attorney General Pam Bondi issued two memoranda to all Department of Justice (DOJ) employees outlining the DOJ’s new policies and directives concerning diversity, equity, inclusion, and accessibility (DEI) initiatives. The recent directives come just two weeks after President Trump issued Executive Order 14173 (Ending Illegal Discrimination and Restoring Merit-Based Opportunity) (DEI EO), which reflect the new administration’s broader efforts to curtail DEI policies and initiatives within both the public and private sectors.

The early days of the Trump Administration have caused nothing less than a complete shake-up of the federal procurement system, with impacts on federal contractors, subcontractors, and recipients of federal financial assistance, such as grants and loans. Through a series of Executive Orders and Agency Memoranda issued by the heads of the Office of Management and Budget (OMB), General Services Administration (GSA), Department of State, and others, the government is suspending work and, in some cases, terminating federal awards. For example, GSA issued a complete “Acquisition Pause,” the State Department issued a pause on U.S. foreign assistance funded by or through the State Department and U.S. Agency for International Development (USAID) and is actively terminating contracts and grants, and other agencies, including Department of Energy, Veterans’ Affairs, Department of Housing and Urban Development, and National Institute of Health are issuing stop-work orders and/or termination of contracts and grants, in whole or in part.

On January 15, 2025, the Federal Acquisition Regulation (FAR) Council issued a proposed cybersecurity rule to implement the National Archives and Records Administration’s (NARA) Controlled Unclassified Information (CUI) Program across all federal agencies.  This Proposed Rule (Proposed Rule) will impose requirements on all federal contractors that are substantially similar to those that DOD contractors and subcontractors have wrestled with for many years.

On January 21, 2025, President Trump issued a sweeping executive order titled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity” (EO). The EO targets diversity, equity, inclusion, and accessibility (DEI) programs in the public and the private sectors. The EO signals that organizations receiving federal funds, whether through government contracts or otherwise, may be liable under the False Claims Act (FCA)—one of the government’s most powerful anti-fraud enforcement tools providing for treble damages and steep penalties—if they maintain what the EO refers to as “illegal” DEI programs that violate federal anti-discrimination laws. Significantly, the EO includes provisions that are likely to make it easier to establish FCA violations.

On January 27, 2025, the White House published Memorandum M-25-13, titled “Temporary Pause of Agency Grant, Loan, and Other Financial Assistance Programs.” In an unprecedented move, the initial Memo appeared to suspend all funding for all federal grants, cooperative agreements, noncash contributions or donations of property, direct appropriations, food commodities, other financial assistance, loans, loan guarantees, interest subsidies, and insurance that may be implicated by his executive orders. Amidst a national outcry in response to the memorandum, OMB released a subsequent Memorandum on January 28, 2025, in which OMB appeared to walk back the broad freeze on most federal financial assistance. We summarize here the details of the Memos well as the rights and remedies of recipients that may be affected by this action.

On December 16, 2024, the European Union (EU) adopted a fifteenth package of restrictive measures against Russia. This new package introduces a range of measures aimed at tightening restrictions on Russia’s military and industrial capabilities, curbing circumvention of existing sanctions, and enhancing protections for European businesses operating in increasingly complex environments.

Since well before the November 6 election, President-elect Trump and his team have been discussing the imposition of tariffs on certain trade partners. The scope of possibilities range from all imports being subject to a 10% to 20% additional tariff, to the imposition of a 60% tariff on imports from China, to tariffs on vehicles from Mexico reaching as high as 100% to 200%.

Recent enforcement actions targeting a CEO, CFO, and an audit committee chair underscores the SEC's focus on gatekeeper accountability.

The Securities and Exchange Commission recently announced charges and million-dollar penalties against four companies for allegedly making materially misleading disclosures regarding cybersecurity risk and intrusions relating SolarWinds hack.

On October 22, 2024, the Department of Justice announced a False Claims Act (FCA) settlement related to a government contractor’s failure to adhere to certain cybersecurity requirements. Specifically, Pennsylvania State University (Penn State) has agreed to pay US$1.25M to resolve allegations that it violated the FCA by failing to comply with cybersecurity requirements in fifteen contracts or subcontracts involving the Department of Defense (DOD) or the National Aeronautics and Space Administration (NASA). The DOJ announcement is available here: https://www.justice.gov/opa/pr/pennsylvania-state-university-agrees-pay-125m-resolve-false-claims-act-allegations-relating.

It is no longer a secret that the U.S. Department of Justice (DOJ) has recently, and in some ways radically, increased its enforcement of the Foreign Agents Registration Act (FARA or the Act) and related foreign influence and lobbying laws that require adequate disclosure and transparency about domestic activities performed on behalf of foreign governments, companies, nonprofits, and other foreign actors. The uptick in recent prosecutions centered around improper foreign influence has been highlighted by the latest indictment of New York Mayor Eric Adams for allegedly receiving bribes and soliciting illegal campaign contributions from foreign sources tied to Turkey. He’s the third politician in just the last year who has been charged with crimes involving foreign influence operations—in the case of New Jersey Senator Bob Menendez, it was Egypt, and for Texas Congressman Henry Cuellar, it was Azerbaijan and a Mexican bank.

On October 16, 2024, the New York Department of Financial Services (DFS) released an important industry guidance letter aimed at addressing the novel, complex cybersecurity risks associated with artificial intelligence (AI).

On September 25, 2024, the Securities and Exchange Commission (the SEC) announced settled charges against 25 entities and individuals for late beneficial-ownership and insider-transaction reports. The SEC had levied penalties on these filers because of failures to timely report information about their holdings and transactions in public-company stock. Without admitting or denying the charges, 2 public companies, 13 other entities, and 10 individuals agreed to cease committing and causing violations and pay civil penalties. The civil penalties ranged from $10,000 to $200,000 for individuals, and $40,000 to $750,000 for the entities involved, including $200,000 each for two public companies that were charged with contributing to filing failures by certain corporate insiders and failing to report their insiders’ filing delinquencies.

The Securities and Exchange Commission (SEC) recently charged a public company with violations of Regulation Fair Disclosure (“Regulation FD”) stemming from social media posts by the company’s CEO. These charges are evidence of a trend toward increased Regulation FD enforcement by the SEC.

Last month, the U.S. Department of Defense (DOD) published a Proposed Rule setting out planned revisions to the Defense Federal Acquisition Regulations (DFARS) to implement the requirements of the Cybersecurity Maturity Model Certification program (CMMC 2.0) proposed in December 2023.[1] CMMC 2.0 is a framework for verifying a DOD contractor’s implementation of cybersecurity measures that the DOD requires to protect sensitive unclassified information including Controlled Unclassified Information (CUI), and Federal Contract Information (FCI). The Proposed Rule revises the DFARS to reference the CMMC 2.0 requirements that were proposed in December 2023. This includes changes to the existing CMMC clause at DFARS 252.204-7021, the creation of a new solicitation provision to accompany DFARS 252.204-7021 which will provide notice of the CMMC 2.0 requirement, the establishment of a plan for a phased rollout of the Proposed Rule, and the addition of certain new definitions. The Proposed Rule’s comment period ends on October 15, 2024.

The U.S. Department of Justice (DOJ) recently updated its Evaluation of Corporate Compliance Programs (ECCP) to reflect emerging challenges in corporate compliance.