Enforcement & Regulatory Trends – Publications

https://www.morganlewis.com/pubs/2026/03/cybersecurity-privacy-2026-enforcement-regulatory-trends

Publish Date: 2026-03-04 12:43:00

Source Domain: www.morganlewis.com

UNITED STATES

A New Federal Playbook for Cyber Risk

CMMC Final Rule

The US Department of Defense’s final Cybersecurity Maturity Model Certification rule, issued in November 2025, marked a significant shift in federal cyber compliance by formally tying contract eligibility to demonstrated cybersecurity maturity across three levels aligned to the sensitivity of federal contract information and controlled unclassified information. The rule’s audit and certification requirements extend through the defense industrial base via contractual flow-downs, increasing exposure for subcontractors and suppliers.

Inaccurate certifications or representations regarding cybersecurity posture now carry heightened risk under the False Claims Act, even where no cyber incident has occurred, placing renewed emphasis on documentation, internal controls, and audit readiness.

DOJ Data Security Program

In parallel, the US Department of Justice implemented its Data Security Program pursuant to Executive Order 14117, restricting certain data transactions involving “countries of concern.” The program distinguishes between prohibited and restricted transactions involving sensitive personal data and US government–related data, imposing security, governance, and recordkeeping obligations on covered entities.

This framework reflects a growing national security overlay in cybersecurity regulation, requiring organizations to reassess cross-border data flows, vendor relationships, and cloud architectures through both privacy and geopolitical risk lenses.

Incident Reporting Momentum – CIRCIA and Sector-Specific Rules

Federal momentum around incident reporting accelerated in 2025, amplified by the Cyber Incident Reporting for Critical Infrastructure Act and implementing rulemaking efforts at the Cybersecurity and Infrastructure Security Agency. Adding onto existing sector-specific reporting regimes, proposed rules would require covered entities to report substantial…
