Terry Gerton Reflects on Federal Cybersecurity Programs in 2025
Terry Gerton inquired about key takeaways from 2025, emphasizing the importance of drawing lessons from the year. What insights do you have, Townsend?
Townsend Bourne expressed that 2025 was particularly noteworthy, highlighting two significant themes. The first, unsurprisingly, involves the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program, which is now implemented for contractors as of November 10 this year. Its inclusion in DOD solicitations and contracts marks a pivotal development.
The second theme centers on enforcement, especially under the Department of Justice’s Civil Cyber Fraud Initiative. The year witnessed a rise in settlements and public announcements, a trend anticipated to persist into 2026 and beyond.
Challenges Faced by Contractors with CMMC Compliance
Terry Gerton probed deeper into the CMMC’s ramifications for contractors. What primary challenges have emerged in navigating compliance?
Townsend Bourne noted that contractors grapple with two primary pain points. On the CMMC Level 2 front, which safeguards controlled unclassified information (CUI), discussions have surged regarding necessary security controls.
Many are only now realizing that Level 1 exists, which pertains to basic safeguards for federal contract information—this has been mandated in the FAR for years. While many businesses have rudimentary security measures in place, the transition to CMMC necessitates rigorous self-assessment.
The crux of the challenge lies in pinpointing where federal data resides. Identifying CUI can often be straightforward when clearly marked, but more convoluted in situations where companies generate such data. In contrast, federal contract information frequently remains unmarked, complicating compliance further.
Impact on Small Businesses
Terry Gerton addressed concerns about small businesses potentially suffering due to CMMC’s heightened requirements. Is this unfolding?
Townsend Bourne affirmed this concern, acknowledging that while the DOD has provided guidance for small businesses, there are no exemptions. The program’s aim is to ensure that businesses, regardless of scale, implement robust controls.
Some entities have indeed opted to withdraw from the DOD sector entirely, influenced by the demanding nature of CMMC Level 2 certification. This development raises questions about prior protections under DFARS regulations, which existed before the CMMC framework.
Hence, a phasing-out period becomes necessary for companies opting out, though the extent of this trend remains minimal.
Enforcement of Civil Cyber Fraud Regulations
Terry Gerton shifted the conversation to the burgeoning enforcement landscape surrounding civil cyber fraud. What trends are evident?
Townsend Bourne revealed that 2025 saw at least six public settlements, predominantly targeting companies within the defense industrial base.
These actions were closely related to FAR provisions on safeguarding information, as well as DOD regulations regarding the use of authorized cloud service providers.
The Department of Justice’s focused initiative on civil cyber fraud is broad, yet explicitly targets violations linked to DOD requirements, a trend anticipated to escalate in the coming year.
Proactive Risk Reduction Measures
Terry Gerton inquired whether contractors and agencies are taking systematic steps towards risk reduction, beyond mere compliance.
Townsend Bourne contended that although incidents often spur heightened awareness, there are emerging practices aimed at mitigating risks, especially concerning international data handling and DOD collaborations.
Expectations now often dictate that data remain within U.S. jurisdiction or be accessible solely by U.S. citizens. Some organizations are adopting conservative strategies regarding their government data, enacting boundaries to enhance security.
Such measures aim to substantiate their commitment to data protection, particularly in light of potential whistleblower allegations regarding compliance lapses.
Looking Ahead to 2026
Terry Gerton asked for predictions concerning trends and new initiatives for 2026 based on 2025’s developments.
Townsend Bourne predicted that as CMMC progresses, organizations will engage in self-assessments, establishing a fundamental level of compliance. If executed well, this process may diminish occurrences of fraud and investigations, facilitated by third-party audits.
While no definitive changes in compliance approaches outside DOD have emerged, the success of the CMMC rollout may inspire similar adaptations in other agencies.
Enthusiasm about increased enforcement persists, particularly relating to clouds, as FedRAMP undergoes considerable evolution, and attention coalesces around cloud providers’ security protocols. Recent indictments related to cloud environment fraud signal that increased scrutiny is likely on the horizon.
Advice for Contractors in 2026
Terry Gerton sought a crucial piece of advice for contractors heading into 2026.
Townsend Bourne recommended that organizations ensure they have knowledgeable personnel and meticulous documentation in place. As enforcement intensifies, it becomes imperative that staff comprehend the nuances of compliance to avert potential errors.
Source link: Federalnewsnetwork.com.