Government Contracts & Investigations Blog

Latest from Government Contracts & Investigations Blog

To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a 2025 Forecast (previewing what we expect to see in 2025). This Recap & Forecast covers the following six high-interest topic areas relating to cybersecurity and data protection:
Continue Reading Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert

Cell phone and laptop searches do happen but they are relatively rare. Although the Fourth Amendment right to be free of unreasonable searches and seizures is drastically reduced at a port of entry, as are expectations of privacy, U.S. Customs & Border Protection (“CBP”) has internal protocols requiring Officers to have some basis for the search. Below, we dive into the CBP protocols and what to expect if you are selected for a search. 
Continue Reading Will CBP Search Your Laptop and Cell Phone at the Port of Entry?

On October 29, 2024, the Department of Justice (DOJ) published its Proposed Rule outlining prohibitions and restrictions on certain transactions involving bulk U.S. sensitive personal data and U.S. Government-related data. As you may recall from our previous article, this rule stems from recent Executive Order (EO) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Proposed Rule has potential implications for any business that collects, retains, or deals in data on U.S. persons or certain other data relating to the U.S. Government. Here, we discuss some of the
Continue Reading Data, Deals, and Diplomacy, Part II: Big Obligations for Big Data

On October 22, 2024, the Department of Justice (“DOJ”) announced that Pennsylvania State University (“Penn State”) has agreed to pay $1,250,000 to settle a False Claims Act (“FCA”) case brought against the University approximately two years ago. The whistleblower in the case, former chief information officer of the Penn State Applied Research Laboratory, alleged that Penn State failed to comply with cybersecurity requirements in fifteen contracts and/or subcontracts with the Department of Defense (“DoD”) and National Aeronautics and Space Administration (“NASA”) between 2018 and 2023.
Continue Reading Update – Penn State to Pay Up for Cyber-Related FCA Case

On October 15, 2024, the Department of Defense (“DoD”) published the final version of its Cybersecurity Maturity Model Certification (“CMMC”) rule in Title 32 of the Code of Federal Regulations (the “Final Rule”). (Reminder, there are two CMMC rulemakings going on in parallel. This Final Rule updates DoD national security regulations while the other rulemaking effort under Title 48 will update the Defense Federal Acquisition Regulation (“DFARS”) and trigger requirements for DoD contractors.)
Continue Reading Countdown to Compliance: DoD Finalizes the CMMC Program Rule

While most contractors think of the Government Accountability Office and Court of Federal Claims (or even the agency) when considering whether to challenge a government contract award, there are additional options for small business set-asides – small business size and status protests. The government, recognizing the importance of small businesses to the American economy, provides small businesses certain preferences in government contracting, including only allowing eligible small businesses to compete for certain contracts (referred to as small business set-asides). But in order to be eligible for this exclusive federal marketplace (that was worth more than $178 billion in
Continue Reading Keep Your Eyes on the Size: Small Business Size Protests

One forum to raise a protest against the award of a contract is at the agency responsible for the procurement, pursuant to the procedures set forth in Federal Acquisition Regulation (“FAR”) 33.103. The procedures require that a protester submit a protest to the agency that details the legal and factual grounds for the protest; describes the resulting prejudice to the protester; establishes that the protester is an interested party; requests a ruling by the agency; demonstrates timeliness; and includes a request for relief.
Continue Reading Government Contractors Beware: The Trap of the Unintended Agency-Level Protest and Timeliness Implications

In the high-stakes realm of False Claims Act (FCA) litigation, per-claim penalties can reach daunting levels that dwarf even treble damages. A recent ruling from the Eighth Circuit Court provides valuable guidance on the limits of penalties under the Constitution’s Excessive Fines Clause (Clause). In Grant ex rel. United States v. Zorn, the Eighth Circuit provides clarity in applying the Clause in FCA litigation, specifically identifying when a penalty for purely economic loss offenses might be considered excessive. Of relevance, the Court held that:
Continue Reading There Are Limits! Reining In FCA Penalties Pursuant to the Excessive Fines Clause

It’s been a hot summer so far, but Federal Risk and Authorization Program (“FedRAMP”) is just starting to heat up. In June, FedRAMP (the Federal government’s program for security authorizations for cloud solutions) released the final Emerging Technology Prioritization Framework, which outlines the prioritization of certain artificial intelligence capabilities. In mid-July, FedRAMP announced its Agile Delivery pilot program, which is a new process for reviewing significant changes without the need for advanced approval. FedRAMP also announced a new technical documentation hub (automate.fedramp.gov) that focuses on providing support to cloud service providers in the development of digital authorization packages. Lastly, just
Continue Reading Summer Heat Ramping Up: FedRAMP Releases Final OMB Memo and Announces Update on Roadmap Progress, Automation Site Launch, and the Agile Delivery Pilot Launch

On June 28, 2024, in a landmark decision, the Supreme Court overruled the four-decade-old case Chevron v. Natural Resources Defense Council. This pivotal decision should spur businesses to recalibrate their existing relationship with federal agencies. Indeed, we have already seen industry groups begin to use the overruling to influence agency rulemaking, signaling a future of significant shifts in the regulatory landscape. For those operating in regulated industries—including government contractors, and particularly those navigating the complex world of cybersecurity regulation—understanding the implications of the decision is crucial.
Continue Reading Navigating the New Cybersecurity Regulatory Landscape Post-Chevron

On June 17, 2024, the Department of Justice (“DOJ”) announced the latest settlement under its Civil Cyber-Fraud Initiative (“CCFI”) (previously discussed here).[1] The settlement resulted in a total of $11,300,000 in payments from two consulting companies (Guidehouse, Inc., the prime contractor, which paid $7,600,000; and Nan Kay and Associates, the subcontractor, which paid $3,700,000) to resolve allegations the two companies violated the False Claims Act by failing to meet cybersecurity requirements in federally-funded contracts.
Continue Reading Latest Cyber-Related FCA Settlement Underscores the Breadth of DOJ’s Civil Cyber-Fraud Focus

For companies in the U.S. that hold certain personal data and U.S. Government-related data, rules stemming from recent Executive Order (“EO”) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” may create obstacles and new compliance obligations. Under this EO, the Attorney General is charged with issuing regulations to either outright prohibit or impose restrictions on transactions involving bulk sensitive personal data or U.S. Government-related data when such transactions involve a “country of concern.”
Continue Reading Data, Deals, and Diplomacy: How the Bulk Data Executive Order Will Shape Future Contracts and Security Practices

On May 3, 2024, the FAR Council published an advanced notice of proposed rulemaking (the “Advanced Notice”) seeking to implement Section 5949 of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 prohibition on procuring certain covered semiconductor products and services. The Congressional prohibition does not go into effect until December 2027, but the FAR Council was directed to promulgate regulations by December 2025. Though this is only an Advanced Notice at this time, the publication provides government contractors with information crucial to developing compliant infrastructures and preparing for the forthcoming rule’s publication. Interested parties
Continue Reading FAR Council Releases Rulemaking on Prohibitions for Semiconductors