On August 15, 2024, the Department of Defense (DoD) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule. The CMMC 2.0 program provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection
Inside Cybersecurity & Privacy Law
Exploring the evolution of cybersecurity and privacy law
Latest from Inside Cybersecurity & Privacy Law
New EU Cyber Rules: Implementation of NIS2 in the EU Member States
The Network and Information Security 2 Directive (EU) 2022/2555 (“NIS2”) entered into force on 16 January 2023. NIS2 sets cyber rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities, such as ensuring the flow of energy or financial transactions. As a Directive, NIS2 must be transposed into…
Hong Kong PCPD Issues Model Personal Data Protection AI Framework
The rapid development of Artificial Intelligence (AI) has generated much excitement over the past two years. Since the public launch of OpenAI’s ChatGPT on 30 November 2022, generative AI and its capabilities have been at the forefront of the public consciousness, with AI making headlines on a daily basis.
However, the advancement and increased…
Changes to the UK GDPR Shelved (For Now)
With the announcement of the UK General Election for Thursday 4 July 2024, the Data Protection and Digital Information Bill has not completed the legislative process before the end of the current parliamentary session and will therefore not become law.
The Bill would reform the UK’s data protection regime, reducing some of the regulatory burden on…
White House Releases National Cybersecurity Strategy Implementation Plan, Version 2
On May 7, 2024, the Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan as well as the first Report on the Cybersecurity Posture of the United States. These actions reflect the Administration’s continued focus on enhancing the cybersecurity of critical infrastructure and software as well as its work to…
US DOD Issues Class Deviation Delaying DFARS Implementation of Upcoming NIST SP 800-171, Revision 3
On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
The deviation relates to contractors’ compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. The deviation changes the requirement that contractors…
Chairs of House and Senate Commerce Committees Announce Consumer Privacy Legislation
Last month, two key members of Congress released a draft of the American Privacy Rights Act (“APRA”), comprehensive legislation that would change the landscape of consumer privacy law in the United States. If passed, APRA would create a national standard governing the collection, use, and disclosure of consumer personal information. It would also preempt a…
UK GDPR and the Price of Non-Compliance: ICO Issues New Guidance on Calculating Fines
The Information Commissioner’s Office (the “ICO”) has clarified the methods it will use to calculate the fines it will issue for breaches of data privacy law in the UK by publishing its latest Data Protection Fining Guidance (the “Guidance”) on 18 March 2024.
The ICO oversees compliance with UK data protection law, including the Data Protection…
Proposed Rule Issued to Implement Cyber Incident Reporting for Critical Infrastructure Act
On March 27, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) within the US Department of Homeland Security released a much-anticipated notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the proposed rule, covered entities will have 72 hours to report to CISA a “covered…
The UK Online Safety Regime: Five Months On
When the UK Online Safety Act (the “Act”) became law on 26 October 2023, it established one of the most comprehensive online safety regulatory frameworks in the world. The Act’s intention is to make the use of online services for individuals in the United Kingdom, especially children, safer. It introduces a long list of…