Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.
Erik Dullea
As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.
The Genesis Mission: A New Executive Order Aims to Transform U.S. Innovation with AI
Massachusetts and California Legislative Activity: Data Privacy and AI Legislation
Key point: Two state legislative developments occurred this week: the Massachusetts Senate unanimously sent Senate Bill 2608 to the state House, seeking to add another comprehensive data privacy law to the national patchwork of state laws, and California enacted the nation’s second substantive state law regulating AI.
The Defense Department’s Cybersecurity Requirements Go Live
Key point: Beginning November 10, 2025, DoD contracting officers will add Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task order, or delivery order to a [contractor] that does not have a current CMMC status at the CMMC level required by the solicitation.”
EU Court Upholds Data Privacy Framework Despite Challenge: Implications for Transatlantic Data Transfers
OIRA Completes its Review of the DFARS CMMC Proposed Rule: Is Your Company CMMC Certified, or Will It be Excluded from Future Awards?
Colorado Delays AI Act Compliance: What Lawyers and Business Leaders Need to Know
CISA 2015: Congress Faces Fast-Approaching Deadline to Reauthorize a Critical Cybersecurity Law
Key point: With the Cybersecurity Information Sharing Act of 2015 (CISA 2015) scheduled to sunset on September 30, 2025, Congress will need to act quickly to renew the law and maintain, if not improve, the liability protections for industry when sharing cyber threat indicators and defensive measures.
Colorado Proposes New Privacy Act Rules to Clarify Protections for Minors and Limit Compulsive Online Features
Key point: Colorado’s Department of Law is soliciting public comments through September 5, 2025, on revised privacy rules to protect minors’ personal data and online privacy.
On July 29, the Colorado Department of Law issued a notice of proposed rulemaking to revise the state’s privacy rules following the legislature’s 2024 amendments to the Colorado Privacy Act (“CPA”). The revised rules include new protections for the personal data of minors and are currently open to public comment. Written comments should be submitted via the CPA rulemaking comment portal by September 5, 2025. Additional comments may be submitted at a public hearing scheduled for September 10, 2025.
The Coast Guard’s Maritime Cybersecurity Rule Takes Effect
Key point: The US Coast Guard’s new cybersecurity rule will transform the security standards and reporting requirements for vessels and marine facilities nationwide over the next three years.
On July 16, 2025, the US Coast Guard’s (USCG) final rule, Cybersecurity in the Marine Transportation System, codified at 33 C.F.R. § 101.600 et seq., went into effect. The final rule establishes cybersecurity requirements for the critical infrastructure owners and operators (CI/OO) of regulated entities (e.g., U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities regulated under the Maritime Transportation Security Act of 2002). See 90 Fed. Reg. 6298 (Jan. 17, 2025). These entities were already required to have a Vessel or Facility Security Plan (VSP/FSP) as defined by 33 C.F.R. §§ 104-106. Under the final rule, the CI/OO for these entities have incident reporting obligations, must develop Cybersecurity and Cyber Incident Response Plans, and must designate a Cybersecurity Officer charged with implementing the plans. The regulation will be introduced in stages over the next three years, with certain provisions taking effect immediately.


