Government Contracts & Investigations Blog

Latest updates on Developments Affecting Government Contracts & Investigations

Latest from Government Contracts & Investigations Blog

The wait is over – on September 18, 2025, almost 2 years after implementing the Interim Rule, the Office of the Director of National Intelligence (“ODNI”) issued a Federal Acquisition Supply Chain Security Act (“FASCSA”) order to remove and exclude products and services from Acronis AG, a Swiss cybersecurity and data protection company. Although the FASCSA FAR clauses were implemented in December 2023, this is the first FASCSA order issued by a federal agency. Below is a brief refresher on FASCSA and a reminder on the affirmative steps contractors must take in light of the FASCSA order.
Continue Reading Order Up – The First FASCSA Order Has Been Issued by ODNI

On September 10, 2025, the final rule to implement the Cybersecurity Maturity Model Certification (“CMMC”) program in the Defense Federal Acquisition Regulation Supplement (“DFARS”) was published with an effective date of November 10, 2025 (i.e., 60 days after publication). This is the trigger for the new CMMC clause to start appearing in solicitations and contracts.
Continue Reading Don’t Fall Behind: The CMMC Final Rule to Update the DFARS is Here!

The inexorable expansion of the False Claims Act (“FCA”) to cover virtually all types of cybersecurity breaches and violations – to include allegedly poor practices and failure to fully adhere to security controls – continues. At one time, an organization might have thought that it was unlikely to face a potential FCA investigation and litigation relating to its cybersecurity practices. That day is long past. Two recent FCA settlements illustrate the expansion: one is the first cybersecurity FCA settlement relating to healthcare Quality System Regulations (“QSR”) and the other involves the first settlement with a defense contractor that also pulls
Continue Reading The Expanding Scope of FCA-Cybersecurity Liability

The Federal Acquisition Regulation (FAR), the bedrock of Federal procurement, is undergoing an unprecedented (some would say Revolutionary) overhaul. The Sheppard Mullin Government Contracts Team has created an online resource to help the Federal procurement community stay informed of the proposed changes.
Continue Reading Sheppard Mullin’s Government Contracts Team Launches Revolutionary FAR Overhaul Tracker

On April 3, 2025, OMB released two new memorandums on artificial intelligence (“AI”) as directed by Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence. (As a reminder, President Trump issued Executive Order (EO) 14179 on January 23, 2025, after rescinding President Biden’s AI Executive Order (EO 14110).)
Continue Reading All American AI: New OMB Memos Set Priorities for Federal AI Use and Acquisition

Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x” (we discussed the initiative here). FedRAMP 20x is moving forward fast – with new authorizations, community engagement efforts, standards documents, and the Phase One pilot program. (More information about the Phase One pilot program is available here.)
Continue Reading FedRAMP 20x – Update on Significant Change Process and Assessment Scope Standards

On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.
Continue Reading FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings

In the ever-evolving world of cybersecurity, even organizations that meet stringent security standards can be victims of sophisticated cyberattacks. A notable example of this is the December 8, 2024 cybersecurity incident involving the U.S. Department of the Treasury and its third-party cloud service provider, BeyondTrust. This incident underscores some critical lessons for entities (both government agencies and private sector) that rely on third-party cloud service providers (“CSPs”).
Continue Reading Looking Beyond FedRAMP – Lessons from the U.S. Treasury Cybersecurity Incident

To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a 2025 Forecast (previewing what we expect to see in 2025). This Recap & Forecast covers the following six high-interest topic areas relating to cybersecurity and data protection:
Continue Reading Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert

On October 29, 2024, the Department of Justice (DOJ) published its Proposed Rule outlining prohibitions and restrictions on certain transactions involving bulk U.S. sensitive personal data and U.S. Government-related data. As you may recall from our previous article, this rule stems from recent Executive Order (EO) 14117 on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The Proposed Rule has potential implications for any business that collects, retains, or deals in data on U.S. persons or certain other data relating to the U.S. Government. Here, we discuss some of the
Continue Reading Data, Deals, and Diplomacy, Part II: Big Obligations for Big Data

One forum to raise a protest against the award of a contract is at the agency responsible for the procurement, pursuant to the procedures set forth in Federal Acquisition Regulation (“FAR”) 33.103. The procedures require that a protester submit a protest to the agency that details the legal and factual grounds for the protest; describes the resulting prejudice to the protester; establishes that the protester is an interested party; requests a ruling by the agency; demonstrates timeliness; and includes a request for relief.
Continue Reading Government Contractors Beware: The Trap of the Unintended Agency-Level Protest and Timeliness Implications

In the high-stakes realm of False Claims Act (FCA) litigation, per-claim penalties can reach daunting levels that dwarf even treble damages. A recent ruling from the Eighth Circuit Court provides valuable guidance on the limits of penalties under the Constitution’s Excessive Fines Clause (Clause). In Grant ex rel. United States v. Zorn, the Eighth Circuit provides clarity on applying the Clause in FCA litigation, specifically identifying when a penalty for purely economic loss offenses might be considered excessive. Of relevance, the Court held that:
Continue Reading There Are Limits! Reining In FCA Penalties Pursuant to the Excessive Fines Clause

It’s been a hot summer so far, but the Federal Risk and Authorization Program (“FedRAMP”) is just starting to heat up. In June, FedRAMP (the Federal government’s program for security authorizations for cloud solutions) released the final Emerging Technology Prioritization Framework, which outlines the prioritization of certain artificial intelligence capabilities. In mid-July, FedRAMP announced its Agile Delivery pilot program, which is a new process for reviewing significant changes without the need for advance approval. FedRAMP also announced a new technical documentation hub (automate.fedramp.gov) that focuses on providing support to cloud service providers in the development of digital authorization packages. Lastly, just
Continue Reading Summer Heat Ramping Up: FedRAMP Releases Final OMB Memo and Announces Update on Roadmap Progress, Automation Site Launch, and the Agile Delivery Pilot Launch

On June 28, 2024, in a landmark decision, the Supreme Court overruled the four-decade-old case Chevron v. Natural Resources Defense Council. This pivotal decision should spur businesses to recalibrate their existing relationship with federal agencies. Indeed, we have already seen industry groups begin to use the overruling to influence agency rulemaking, signaling a future of significant shifts in the regulatory landscape. For those operating in regulated industries, including government contractors and particularly those navigating the complex world of cybersecurity regulation, understanding the implications of the decision is crucial.
Continue Reading Navigating the New Cybersecurity Regulatory Landscape Post-Chevron