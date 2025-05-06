This week, the Trump Administration reached the 100-day mark—a significant milestone in any presidential term wherein key administrative priorities and objectives are promulgated.

This week, the Trump Administration reached the 100-day mark—a significant milestone in any presidential term wherein key administrative priorities and objectives are promulgated. Perhaps unsurprisingly, cybersecurity stands out as an area of heightened focus and attention.

In this Alert, we discuss major cyber developments at the Department of Justice, the Securities and Exchange Commission, the Department of Defense, the Department of Homeland Security and the Federal Communications Commission. While it is still early days, recent developments suggest that regulators will sustain enforcement efforts for existing cybersecurity standards as new compliance and security requirements come into effect.

Department of Justice

In the first 100 days, the Department of Justice (DOJ) has continued to leverage civil fraud enforcement tools, most notably the False Claims Act (FCA), to advance cybersecurity standards in critical systems.

In 2021, the Biden Administration established the Civil Cyber-Fraud Initiative to encourage the use of the FCA to enforce federal contractors' cybersecurity obligations.1 The new DOJ leadership has yet to express its views on that initiative, but cases filed in prior years and the ability of qui tam whistleblowers to initiate suits will fortify the FCA as a critical cyber tool.

Speaking at the Federal Bar Association's annual Qui Tam Conference in February, Deputy Assistant Attorney General for the Commercial Litigation Branch Michael Granston said the DOJ plans to “continue to aggressively enforce the False Claims Act,” consistent with the Trump Administration's broader goals to reduce government waste.2 While the speech highlighted the Administration's potential use of the FCA to address foreign trade priorities (as described at length in another WilmerHale Client Alert), relators' attorneys will remain focused on the FCA as a critical cyber tool.

In February, the DOJ settled alleged FCA violations with Health Net Federal Services, LLC (HNFS) and its parent company for over $11 million in connection with cybersecurity violations—the largest FCA settlement for cyber-related violations since the DOJ established the Civil Cyber-Fraud Initiative.3 The United States claimed that HNFS had falsely certified compliance with cybersecurity requirements in a contract with the Department of Defense (DoD) to administer the Defense Health Agency's TRICARE health benefits program by, among other things, failing to scan for known vulnerabilities and remedy security flaws on its networks and systems, ignoring reports from third-party and internal security audits, and falsely attesting that it was in compliance with certain NIST security controls.4

In late March, defense contractor MORSECORP Inc. agreed to pay $4.6 million to settle allegations that it violated the FCA by submitting claims for payment on contracts with the Departments of the Army and Air Force despite allegedly knowing that it had not complied with those contracts' cybersecurity requirements governing, among other things, the use of third-party cloud service providers and safety controls to prevent network exploitation.5

And just this week, DOJ announced that RTX Corporation, Raytheon and other entities had agreed to pay $8.4 million in connection with allegations that Raytheon violated the FCA for failure to institute mandatory cybersecurity controls on an internal system used to perform unclassified work on several DoD contracts between 2015 and 2021.6

It is too early to tell whether these settlements reflect the unfinished business of the prior administration or an enduring commitment to cyber-fraud enforcement in the Trump Administration. But new opportunities for expanded FCA enforcement, including both qui tam actions and government-initiated enforcement, will inevitably emerge as new cybersecurity requirements come into effect.

DOJ's new data transfer rules go into effect this year.

As described in a WilmerHale Client Alert, companies seeking to engage in certain transfers of bulk data abroad are now subject to new regulations, including new cybersecurity standards and reporting requirements, administered and enforced by the DOJ's National Security Division (NSD).

On January 8, 2025, the DOJ published its final Rule implementing Biden's February 28, 2024 Executive Order Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (DOJ Rule).7 As a result of this new DOJ Rule, US persons are for the first time restricted, and in some cases categorically prohibited, from engaging in certain covered data transactions that may result in one of six “countries of concern” or a “covered person” gaining access to broad categories of US sensitive personal data and government data.

Restricted transactions involving vendor, employment and investment agreements may be permitted in certain circumstances but are now subject to certain “security requirements” to mitigate risk. These “security requirements,” independently published in January 2025 by the US Cybersecurity and Infrastructure Security Agency (CISA) and incorporated by reference into the final DOJ Rule, include cybersecurity policies and practices, physical and logical access controls, data masking and minimization, encryption, and the use of privacy-enhancing technologies.8

Portions of the DOJ Rule came into effect on April 8, 2025, and the NSD issued much-anticipated guidance on the Rule's implementation on April 11. As we described in another WilmerHale Client Alert, NSD has indicated that although it will not “prioritize civil enforcement actions” over the next 90 days for those US persons engaging “in good faith efforts to comply with or come into compliance with the Data Security Program,” it will nonetheless focus on “egregious, willful violations.”9 At the end of this 90-day period, the NSD expects that entities should be “in full compliance,” though certain affirmative obligations, including auditing requirements for restricted transactions and reporting obligations for restricted or rejected prohibited transactions, do not come into effect until October 2025.