On Aug. 15, the U.S. Department of Defense issued a proposed rule, Assessing Contractor Implementation of Cybersecurity Requirements, which seeks to implement contractual requirements for DOD contracts related to the recently proposed Cybersecurity Maturity Model Certification 2.0 Program. As currently proposed, the rule raises serious concerns regarding a lack of clear definitions and flexibility for federal contractors on DOD projects.

On April 4, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a proposed rule on Cyber Incident Reporting for Critical Infrastructure Act Reporting Requirements. The rule, in alignment with the CIRCIA Act (signed into law as part of the Consolidated Appropriations Act of 2022), imposes new cyber incident and ransom payment reporting requirements for companies deemed to have responsibility for critical infrastructure.