A Legal Guide to PRIVACY AND DATA SECURITY 2026

In the meantime, enactment of the CCPA, CPRA and other copycat state data privacy laws may add momentum to efforts at the federal level to find a comprehensive law that enhances privacy rights for individuals and lessens the compliance burden on businesses. While we can hope for a comprehensive federal data privacy and security law, businesses must be prepared for the multiple consumer requests for data access or deletion and implement reasonable data security programs to avoid the likely lawsuits to come under the CCPA private right of action. Congress has had difficulty getting any legislation passed, which does not bode well for any comprehensive federal data privacy or breach notification laws. In the absence of a comprehensive federal data breach notification or other federal data privacy and security law, businesses will have to continue to consider the patchwork of state and federal laws discussed in this Guide.

What Government Contractors Should Know About the New Cybersecurity Maturity Model Certification (CMMC) Rule

The Department of Defense (DoD)’s final rule for the Cybersecurity Maturity Model Certification (CMMC) was published in September 2025 and became effective November 10, 2025, officially making CMMC a mandatory requirement for defense contractors handling sensitive information. A phased rollout over three years will mandate various levels (1, 2, 3) of cybersecurity compliance, including assessments, before contract awards. The CMMC Program is designed to ensure that federal contractors have implemented safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC sets up a new compliance framework for DoD contractors and subcontractors that process FCI or CUI. The requirements include:

• robust assessments against the security control standards in FAR 52.204-21 and NIST SP 800-171;
