Interview transcript
Terry Gerton I know you have tracked federal cybersecurity programs for years, 2025 seems to be a year to look back on and really draw some lessons from. What’s top of mind for you?
Townsend Bourne It is, I think, as you mentioned, me and my team, we’ve been following these things for years now. 2025 was interesting and I think two things really are top of mind in our group and reflective of the types of matters we worked on in 2025. And the first I think will come as a surprise to no one, it’s the DOD’s CMMC program, the Cybersecurity Maturity Model Certification Program, which now is officially in effect for contractors as of November 10th of this year. I mean, that means it can start appearing in DOD solicitations and contracts. So that’s a big one. The second key area that I think 2025 really showed us kind of where we’re headed was in the enforcement area, and particularly under DOJ’s Civil Cyber Fraud Initiative, we saw the number of settlements and the rate of public settlement announcements increase, which I would expect to continue into 2026 and beyond.
Terry Gerton Well, let’s take those maybe in order and dig into CMMC first. What’s been the biggest pain point for contractors as they’ve begun to face the fact that they now have to be in compliance?
Townsend Bourne It’s a great question. I think what we’re seeing is pain points kind of — again, two things. On the CMMC level two side, which is the level for protection of controlled unclassified information. So information that requires heightened security due to a law, regulation or government policy. That’s really kind of been what we’ve seen a lot of the discussion and the guidance and the chatter on, so the security controls required for level two. What we’re seeing a lot of now, I think, is people realizing that there’s also a level one, which is security protections for federal contract information. There’s been a requirement in the FAR for years and years now to have basic security in place for federal contract information, and I think most companies have that in place just by virtue of some of the systems that they’re using and the security measures they take as a business. But once you get to CMMC, there are requirements to do a self-assessment against those basic security controls, and then affirm annually that the company is meeting those. So the challenge there really comes in identifying where your organization has federal government data. CUI sometimes is a little bit easier where you’re getting it marked. Although it is also challenging to identify CUI if the company’s creating it or in other situations, federal contract information is not going to be marked 99% of the time. So there’s a bit of a challenge I think we’re seeing, to understand level one and how the self-assessment is going to be interpreted and how companies can really be confident that they’ve identified the information that needs to be encompassed in that level one assessment.
Terry Gerton That’s really great insight and I appreciate that. There’s also been some concern with the CMMC that small businesses were going to be really adversely affected, that this was really raising the table stakes for them. Are you seeing that begin to play out yet?
Townsend Bourne Somewhat, yes. I know DOD has released some resources and guidance aimed at small businesses, but they have been adamant that the program, there’s no exemption for small businesses. The program is meant to protect this type of information, so it’s expected that businesses, regardless of size, are going to have the appropriate controls in place. We’ve frankly seen some businesses decide to exit the DOD market. Not a ton, but I have seen, just based on my own personal experience, some companies decide they’re not going to go forward with a CMMC level two certification or even a full assessment. So that’s a tricky situation as well, because you kind of have to think about what they had in place before this, because there are DFARS requirements that were in place before CMMC to protect controlled unclassified information. So there’s a winding down that has to happen if companies are going to go that route. But yes, we’ve seen a bit of an impact there on companies deciding that they don’t want to incur the extra time and cost that comes with CMMC and particularly level two.
Terry Gerton I’m speaking with Townsend Bourne. She’s a partner at Sheppard Mullin. The other big topic you mentioned was enforcement around civil cyber fraud. So tell us more about what you’re seeing there.
Townsend Bourne So all this will be based on public settlements, obviously, but we’re seeing the number, again, I think in 2025, there were at least six, maybe seven public settlement announcements. We saw a lot of those actually focused on companies that work for the [defense industrial base (DIB)], that work for DOD, directly relating to the FAR provision I mentioned on basic safeguarding, DOD’s regulations for controlled unclassified information, requirements for DOD contractors to use authorized cloud service providers — those types of issues that really do show that DOJ and the federal government are very adamant about enforcement of these regulations. So, the DOJ’s Civil Cyber Fraud Initiative is a bit broader than just DOD, obviously, but we’re seeing that as a focus area, which I think will continue into next year and, like I said, beyond.
Terry Gerton That brings me to another question because a lot of what you’re talking about here is compliance, making sure that you’re checking all the boxes and filling out all the forms. But are we seeing agencies and contractors really tackle risk reduction? What are they doing systematically, functionally to really reduce cyber risk?
Townsend Bourne It’s a great question and a lot of the time, unfortunately, it takes an incident or an investigation to really get people to wake up to this, but we are seeing, particularly in the area of sharing data overseas or particularly with some DOD opportunities, expectations that data is either going to stay in the U.S. or only be accessible by U.S. persons or U.S. citizens, where that might be a requirement or it also might be more of an expectation. We’re seeing some measures put in place to ensure that some of those supply chain risks and other security risks are accounted for, even if they might not necessarily be a direct requirement in the regulations. So I think people are starting to take, at least some of our clients we’ve seen are taking, a conservative approach to how they’re defining some of this government data, the boundaries that they’re keeping it in — those types of actions to make sure that they can support their reasonable approach to data security, where we’ve seen in some cases some investigations and particularly where you’ve got whistleblowers potentially bringing allegations of non-compliance with these regulations. Companies really want to be in a position to show that they’ve documented and actually reviewed their policies and are taking a reasonable approach where, a lot of this is, there are gray areas throughout this when you’re talking about compliance. So, in my experience, companies will tend to take the more conservative approach to make sure that they don’t run afoul of the DOJ’s Civil Cyber Fraud Initiative or have an incident, which can create a lot of additional cost and headaches for an organization if they’re not protected against those types of threats and other incidents.
Terry Gerton It’s really clear from your responses that so much happened in 2025. As you think about pulling that all together and looking forward, what are you expecting for 2026? Are some of these trends going to continue? Are there going to be new initiatives? What do you think?
Townsend Bourne It’s a great question. So I thought about this before I jumped on with you today and kind of looking into the crystal ball. I think CMMC is going to help in that as we get into the various phases, companies will have to do those assessments and provide those affirmations. So there will be kind of a baseline level of compliance that, assuming the companies did a reasonable job, the third-party assessors are doing a good job. There should be a comfort level and hopefully reduce the potential for fraud and investigations where you’ve got third parties coming in and doing these audits. So I think that will help. I haven’t heard anything definitive on agencies outside of DOD adopting a similar approach to the CMMC program, but I think it could be something, depending on how the CMMC rollout goes and the success of the program, that other agencies might want to adopt. As I already mentioned, I think enforcement is going to increase, and — this is my prediction, my own personal prediction — we’re going to see more in the cloud space. FedRAMP, which is the federal government’s authorization program for cloud service offerings, has been going through huge changes, and I think we’re seeing a little bit more focus on cloud service providers, the security they have in place with regards to data access. And there actually was an indictment announced this week by DOJ against an individual for fraud relating to the security of a cloud environment. So I think that might be an area where we see a little bit more increased focus going into 2026.
Terry Gerton Alright, so if you wanted to give contractors one hot tip for 2026, what would that be?
Townsend Bourne Oh, that’s a great question. Not sure if it’s a hot tip, but guidance, not legal advice, would be just to make sure that you’ve got people in your organization that have the background for this stuff and you have the documentation in place to be able to support what you’re doing. Because I think, again, enforcement and making sure that your people understand what you are doing so that they don’t make mistakes will be very important.
The post 2025 reshaped federal cybersecurity, from new mandates to tougher compliance rules first appeared on Federal News Network.
