
CMMC Enforcement Watch

Civil Cyber-Fraud Initiative settlements, qui tam unsealings, and the slow turn from voluntary to mandatory.


Enforcement of cybersecurity requirements has accelerated through the Department of Justice's Civil Cyber-Fraud Initiative. This hub tracks settled and pending False Claims Act actions, GAO bid-protest decisions touching cyber clauses, and DCMA/DIBCAC findings as they become public.

What changed in the last 30 days

  • nist-800-171/trade-press

    NIST plans two AI incident response guidance streams under Trump action plan

    NIST is developing two work streams on AI incident response following a July 2025 White House action plan directive. The first would update existing cybersecurity incident response guidelines to address attacks on AI systems. The second would create recommendations for responding to harms caused by AI systems, including misuse and malfunction. NIST sought feedback at a May 14 workshop and plans to scope the work to the most severe harms, affecting organizations that deploy AI systems and their users.

  • far/trade-press

    GAO finds gaps in federal agencies' China-linked equipment searches

    The Government Accountability Office reviewed six federal agencies' compliance with Section 889 of the FY2019 NDAA, which prohibits procurement of telecommunications and video surveillance equipment from China-linked companies. The May 19 report found that the Departments of Defense and Energy each identified covered devices in recent searches, while DHS, DOJ, State, and Treasury reported none. GAO flagged that each search method (IT network scans, procurement record reviews, physical searches) has limitations, and agencies reported difficulties including limited supply-chain visibility and a lack of authoritative data on the covered companies' subsidiaries.

  • stateramp/regulator

    GovRAMP Policy Papers Push OMB-Led Reciprocity for Cybersecurity Frameworks

    GovRAMP released two publications on April 16 calling for harmonization of overlapping federal and state cybersecurity frameworks built on NIST SP 800-53. The policy white paper identifies OMB-led reciprocity anchored in shared baselines as the highest-impact near-term action. State, local, tribal, and territorial governments are most affected by duplicated compliance efforts and delayed procurement. No rulemaking is proposed; the publications are recommendations intended to support coordinated execution under existing authority.

  • stateramp/regulator

    GovRAMP working group maps StateRAMP controls to CMMC Levels 1 and 2

    GovRAMP's Framework Harmonization Working Group met April 13 to align GovRAMP requirements with CMMC Levels 1 and 2, identifying shared foundational controls and a new federal overlay for low, moderate, and high impact levels. Providers operating across federal, defense, and state/local markets would be affected by any resulting mutual-recognition pathways. GovRAMP said it will next examine how its authorization can satisfy the FedRAMP Equivalency provision for CMMC and plans to address FedRAMP 20x alignment at a future working group session.

  • nist-800-171/trade-press

    NIST to release AI cybersecurity framework draft this summer

    NIST plans to publish a draft cybersecurity framework profile for AI systems this summer, according to Victoria Pillitteri, manager of NIST's Security Engineering and Risk Management Group. The guidance will include control overlays for predictive, agentic, and generative AI systems, with the predictive AI overlay arriving this summer and agentic guidance due in late summer to early fall. NIST aims to finalize all guidance by 2027. Organizations adopting AI should track the draft for baseline cybersecurity controls that may affect vendor and supply chain security requirements.

  • nist-800-171/trade-press

    Draft executive order sets 2030-2031 PQC deadlines for federal agencies, contractors

    A White House draft executive order would require federal agencies to migrate digital signatures for high-impact systems to post-quantum cryptography (PQC) by Dec. 31, 2031, and key establishment to PQC by Dec. 31, 2030, according to sections viewed by Nextgov/FCW. Covered contractors working with federal agencies face a 2030 deadline to comply with NIST-developed PQC standards. National security systems are excluded from the mandate. The order is expected to be released as soon as this week, a source told Nextgov/FCW.

  • nist-800-171/standards

    CIS warns of authentication bypass in pac4j-jwt JWT library

    CIS published an advisory about a vulnerability in pac4j-jwt (JwtAuthenticator) that could allow an unauthenticated remote attacker to bypass authentication and impersonate any user, including an administrator. The flaw affects Java applications using the pac4j security framework for JSON Web Token validation. Organizations using pac4j-jwt should review the CIS advisory and assess impact on their systems, particularly where JWT-based authentication supports compliance with NIST SP 800-171 access control and authentication requirements.

  • nist-800-171/standards

    Fortinet vulnerabilities allow arbitrary code execution across 16 products

    CIS published an advisory on multiple vulnerabilities in Fortinet products including FortiOS, FortiManager, FortiAnalyzer, and FortiClientEMS. The most severe could let an attacker execute arbitrary code in the context of the affected service account. Organizations covered under NIST SP 800-171 and 800-172 that use these products should apply the vendor patches and confirm that the affected systems still satisfy their security control requirements. CIS did not publish a specific CVE list or patch timeline in this advisory; consult the Fortinet security bulletins for affected versions and fixed releases.

Open questions

  1. How many CCFI cases reference NIST 800-171 compliance representations as the predicate?
  2. Are settlements moving toward higher dollar figures over time?
  3. When does the first criminal referral connected to CMMC misrepresentation appear?

Sources we watch