
Key Takeaways from CS2 on Cybersecurity, NIST SP 800-171, and CMMC

May 29, 2025

The CS2 conference in Reston, Virginia was an essential event for government contractors faced with cybersecurity compliance challenges. The two-day program provided invaluable information on compliance with NIST SP 800-171, CMMC, and other cybersecurity requirements. The sessions led by Whistleblower Law Collaborative (WLC) member Bruce C. Judge and by James Gillooley from the Department of Defense (DoD) offered particularly critical insights into the evolving cybersecurity requirements within the Defense Industrial Base (DIB).

Bruce C. Judge: Legal Ramifications of Cybersecurity Non-Compliance

Bruce Judge, a founding member of WLC and a Lawdragon 500 Leading Global Cyber Lawyer, delivered a presentation titled “The Risks of Playing Through the Whistle: Whistleblowers, the False Claims Act, and the DOJ’s Expanding Civil Cyber-Fraud Initiative.” His keynote session illuminated the growing emphasis the Department of Justice (DOJ) places on cybersecurity compliance within the DIB.

Mr. Judge, a former DOJ prosecutor, provided a unique legal perspective on the risks of non-compliance with NIST SP 800-171 and the evolving CMMC framework. In addition, he covered the increasing use of the False Claims Act (FCA) to hold contractors accountable for failing to meet required cybersecurity standards. Finally, Mr. Judge explained the financial rewards paid to individual whistleblowers who report cybersecurity fraud to DOJ.

Mr. Judge’s presentation was particularly timely given DOJ’s recent $4.6 million settlement with MORSECORP, Inc. This landmark case, brought by a WLC client, is the first major FCA settlement based on cybersecurity gaps involving a defense contractor. It serves as a stark reminder of the substantial financial repercussions for contractors who misrepresent their cybersecurity practices and policies, especially concerning compliance with NIST SP 800-171.

James Gillooley on DFARS: Addressing the Cybersecurity Compliance Gap

The session led by DoD IT Management Specialist James Gillooley focused on DFARS (Defense Federal Acquisition Regulation Supplement) compliance, a cornerstone of cybersecurity for DIB contractors. Reflecting on the numerous questions he received, Mr. Gillooley shared on LinkedIn:

While speaking at Cloud Security and Compliance Series – CS2 Reston I was approached with numerous questions about DFARS Clause 252.204-7012. What struck me most wasn’t just the volume of questions but their nature… Many were focused on the fundamental application and basic requirements of DFARS. This highlighted a critical gap: even though these requirements have been in place for years, there’s still widespread uncertainty around their practical implications.

Compliance isn’t simply about checking boxes; compliance is the starting point for building a strong cybersecurity posture, it’s about maintaining trust, ensuring operational resilience, and safeguarding our national security interests.

Mr. Gillooley stressed that adhering to DFARS is more than a bureaucratic exercise. It is the bedrock of a robust cybersecurity posture. Compliance, particularly with NIST SP 800-171, is vital for safeguarding sensitive government data, and protecting national security interests.

He outlined key DFARS clauses impacting DIB cybersecurity:

  • DFARS 252.204-7012: Mandating the protection of covered defense information (CUI) in accordance with NIST SP 800-171 and requiring that cyber incidents be reported to DoD within 72 hours of discovery – foundational elements of DIB cybersecurity.
  • DFARS 252.204-7019 & 7020: Obligating contractors to perform NIST SP 800-171 self-assessments using the DoD Assessment Methodology and submit their scores via the Supplier Performance Risk System (SPRS); the score must be current before award.
  • DFARS 252.204-7021: Introducing the Cybersecurity Maturity Model Certification (CMMC), under which, depending on the level a contract requires, compliance is verified by a third-party assessor rather than by self-attestation alone.

Key Takeaways on Cybersecurity from CS2

The CS2 conference provided invaluable insights into the critical landscape of cloud cybersecurity and compliance. The presentations underscored the importance of understanding and implementing robust cybersecurity measures: specifically, adhering to standards like NIST SP 800-171 and preparing for the evolving requirements of CMMC. These sessions left attendees with a clearer understanding of the current cybersecurity challenges and the increasing accountability within the DIB.