On August 15, 2024, the Department of Defense (DoD) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule. The CMMC 2.0 program provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection

On May 7, 2024, the Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan as well as the first Report on the Cybersecurity Posture of the United States. These actions reflect the Administration’s continued focus on enhancing the cybersecurity of critical infrastructure and software as well as its work to

On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

The deviation relates to contractors’ compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. The deviation changes the requirement that contractors

Last month, two key members of Congress released a draft of the American Privacy Rights Act (“APRA”), comprehensive legislation that would change the landscape of consumer privacy law in the United States. If passed, APRA would create a national standard governing the collection, use, and disclosure of consumer personal information. It would also preempt a

On March 27, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) within the US Department of Homeland Security released a much-anticipated notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the proposed rule, covered entities will have 72 hours to report to CISA a “covered

On March 6, 2024, New Hampshire Governor Chris Sununu signed SB 255 into law, making the Granite State the latest to enact a comprehensive privacy law—the 15th state, if you count Florida’s privacy law of narrower applicability.

New Hampshire’s privacy law goes into effect January 1, 2025 and applies to persons that conduct business in

On February 28, 2024, President Joe Biden issued Executive Order (“EO”) 14117, empowering the Department of Justice (DOJ) to regulate the export of certain consumer data, in order to prevent certain countries’ governments from obtaining bulk sets of especially sensitive personal data. The EO, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United

As we previewed in our prior Legal Update, the Federal Trade Commission (“FTC”) warned businesses of its stance on the use and collection of biometric information in a May 2023 policy statement. Now, an enforcement action filed earlier this week offers insight into the potential consequences for businesses that do not comply with the

On December 20, 2023, the Federal Trade Commission (“FTC”) issued a Notice of Proposed Rulemaking (“NPRM”) that would make significant changes to the Children’s Online Privacy Protection Rule (“COPPA Rule”), which implements the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The proposed rule would make a number of changes intended to expand the COPPA