Investigations, Enforcement, & Compliance Alerts

The annual False Claims Act (FCA) recovery statistics issued by the U.S. Department of Justice for Fiscal Year 2024, coupled with the Trump administration’s focus on the elimination of waste, fraud, and abuse in government spending and apparent intentions to rely on the FCA to pursue other administration priorities, signal a likely increase in FCA investigations and actions throughout 2025 and beyond.

On January 15, 2025, the Federal Acquisition Regulation (FAR) Council issued a proposed cybersecurity rule to implement the National Archives and Records Administration’s (NARA) Controlled Unclassified Information (CUI) Program across all federal agencies.  This Proposed Rule (Proposed Rule) will impose requirements on all federal contractors that are substantially similar to those that DOD contractors and subcontractors have wrestled with for many years.

The Securities and Exchange Commission recently announced charges and million-dollar penalties against four companies for allegedly making materially misleading disclosures regarding cybersecurity risk and intrusions relating SolarWinds hack.

On October 22, 2024, the Department of Justice announced a False Claims Act (FCA) settlement related to a government contractor’s failure to adhere to certain cybersecurity requirements. Specifically, Pennsylvania State University (Penn State) has agreed to pay US$1.25M to resolve allegations that it violated the FCA by failing to comply with cybersecurity requirements in fifteen contracts or subcontracts involving the Department of Defense (DOD) or the National Aeronautics and Space Administration (NASA). The DOJ announcement is available here: https://www.justice.gov/opa/pr/pennsylvania-state-university-agrees-pay-125m-resolve-false-claims-act-allegations-relating.

On October 16, 2024, the New York Department of Financial Services (DFS) released an important industry guidance letter aimed at addressing the novel, complex cybersecurity risks associated with artificial intelligence (AI).

The Department of Defense (DOD) is expected to finalize a new rule by the end of 2023 that will significantly enhance the Cybersecurity Maturity Model Certification (CMMC) framework and related cybersecurity requirements for defense contractors.