Tag Archives: Beth Burgin Waller

DOD’s CMMC 2.0 Program Takes Step Forward with Release of Contract Rule Proposal

by Beth Burgin Waller and Patrick J. Austin


Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The United States Department of Defense (DoD) took another big step on the path to instituting its highly anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0). Once finalized, CMMC 2.0 will establish and govern cybersecurity standards for defense contractors and subcontractors.

On August 15, 2024, DoD submitted a proposed rule that would implement CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS). The proposed DFARS rule effectively supplements DoD’s proposed rule published in December 2023 by providing guidance to contracting officers, setting forth a standard contract clause to be used in all contracts covered by the CMMC 2.0 program, DFARS 252.204-7021, and setting forth a standard solicitation provision that must be used in solicitations for contracts covered by the CMMC 2.0 program, DFARS 252.204-7YYY (number to be added when the rule is finalized).

There is a 60-day comment period for the DFARS proposed rule, meaning individuals have until October 15, 2024, to provide public feedback on the proposal.


Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin


Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience (pdf). PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.


Proposed Federal Cyber Incident Reporting Rule Adds Hefty Federal Reporting Requirements to Critical Infrastructure Sector and Large Businesses

by Beth Burgin Waller and Patrick J. Austin


From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

The federal Cybersecurity and Infrastructure Security Agency (CISA) released a draft of its proposed rule detailing how covered entities operating in critical infrastructure sectors report cyberattacks and ransomware payments to the federal government. The proposed rule states that entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours after an entity reasonably believes a cyber incident has occurred and to report ransom payments within 24 hours after a payment is made. The proposed Cyber Rule – hundreds of pages as drafted – adds significant requirements for those required to make a report, including a requirement that the entity preserve the materials used to create the report (such as the threat actor’s ransom note, logs, and forensic artifacts) for two years. As proposed, the Rule applies to large businesses and the critical infrastructure sector alike. Failure to comply can result in an entity being subpoenaed and ultimately referred to the Department of Justice for noncompliance.

The proposed rule is scheduled to be published in the Federal Register on April 4, 2024. An unpublished version of the proposed rule may be accessed here (pdf).


EU AI Act Will Be World’s First Comprehensive AI Law

by Beth Burgin Waller, Patrick J. Austin, and Ross Broudy


Left to right: Beth Burgin Waller, Patrick J. Austin, and Ross Broudy (photos courtesy of Woods Rogers Vandeventer Black PLC)

On March 13, 2024, the European Union’s parliament formally approved the EU AI Act, making it the world’s first major set of regulatory ground rules to govern generative artificial intelligence (AI) technology. The EU AI Act, after passing final checks and receiving endorsement from the European Council, is expected to become law in spring 2024, likely May or June.

The EU AI Act will have a phased-in approach. For example, regulations governing providers of generative AI systems are expected to go into effect one year after the regulation becomes law, while prohibitions on AI systems posing an “unacceptable risk” to the health, safety, or fundamental rights of the public will go into effect six months after the implementation date. The complete set of regulations in the EU AI Act is expected to be in force by mid-2026.


CPPA’s Regulatory Enforcement Restored: It’s Time to Get Compliant

by Beth Burgin Waller and Patrick J. Austin


From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

For businesses subject to the California Consumer Privacy Act (CCPA), privacy compliance just became urgent. On February 9, 2024, a California appellate court agreed with the California Privacy Protection Agency (CPPA) that there is no statutory requirement for a one-year gap between approval of privacy regulations and enforcement of those regulations. Overturning a stay of enforcement at the trial court level, the California appellate court held that CCPA regulations can be enforceable upon finalization. This means that for businesses subject to the CCPA, there is no ramp-up period between new regulations being finalized and the agency enforcing those new regulations.


FCC Updates and Expands Data Breach Notification Rules

by Beth Burgin Waller and Patrick J. Austin


From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

The updated data breach notification rules broaden the definition of what is considered a breach and expand the scope of who must be notified when a data breach occurs.

The Federal Communications Commission (FCC or Commission) voted to adopt new and expanded data breach notification requirements that apply to telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). The updated rules now include personally identifiable information (PII), as opposed to just customer proprietary network information (CPNI). This means carriers must provide notice when a consumer’s PII is breached.

The new data breach notification rules will go into effect approximately 30 days after publication in the Federal Register. Below is an overview of the new rules.
