May 29, 2025
The CS2 conference in Reston, Virginia was an essential event for government contractors faced with cybersecurity compliance challenges. The two-day program provided invaluable information on compliance with NIST SP 800-171, CMMC, and other cybersecurity requirements. The sessions led by Whistleblower Law Collaborative (WLC) member Bruce C. Judge and by James Gillooley from the Department of Defense (DoD) offered particularly critical insights into the evolving cybersecurity requirements within the Defense Industrial Base (DIB).
Bruce Judge, a founding member of WLC and a Lawdragon 500 Leading Global Cyber Lawyer, delivered a presentation titled “The Risks of Playing Through the Whistle: Whistleblowers, the False Claims Act, and the DOJ’s Expanding Civil Cyber-Fraud Initiative.” His keynote session illuminated the growing emphasis the Department of Justice (DOJ) places on cybersecurity compliance within the DIB.
Mr. Judge, a former DOJ prosecutor, provided a unique legal perspective on the risks of non-compliance with NIST SP 800-171 and the evolving CMMC framework. In addition, he covered the increasing use of the False Claims Act (FCA) to hold contractors accountable for failing to meet required cybersecurity standards. Finally, Mr. Judge explained the financial rewards paid to individual whistleblowers who report cybersecurity fraud to DOJ.
Mr. Judge’s presentation was particularly timely given DOJ’s recent $4.6 million settlement with MORSECORP, Inc. This landmark case, brought by a WLC client, is the first major FCA settlement based on cybersecurity gaps involving a defense contractor. It serves as a stark reminder of the substantial financial repercussions for contractors who misrepresent their cybersecurity practices and policies, especially concerning compliance with NIST SP 800-171.
The session led by DoD IT Management Specialist James Gillooley focused on DFARS (Defense Federal Acquisition Regulation Supplement) compliance, a cornerstone of cybersecurity for DIB contractors. Reflecting on the numerous questions he received, Mr. Gillooley shared on LinkedIn:
While speaking at Cloud Security and Compliance Series – CS2 Reston I was approached with numerous questions about DFARS Clause 252.204-7012. What struck me most wasn’t just the volume of questions but their nature… Many were focused on the fundamental application and basic requirements of DFARS. This highlighted a critical gap: even though these requirements have been in place for years, there’s still widespread uncertainty around their practical implications.
…
Compliance isn’t simply about checking boxes; compliance is the starting point for building a strong cybersecurity posture. It’s about maintaining trust, ensuring operational resilience, and safeguarding our national security interests.
Mr. Gillooley stressed that adhering to DFARS is more than a bureaucratic exercise. It is the bedrock of a robust cybersecurity posture. Compliance, particularly with NIST SP 800-171, is vital for safeguarding sensitive government data and protecting national security interests.
He outlined key DFARS clauses impacting DIB cybersecurity:
The CS2 conference provided invaluable insights into the critical landscape of cloud cybersecurity and compliance. The presentations underscored the importance of understanding and implementing robust cybersecurity measures, specifically adhering to standards like NIST SP 800-171 and preparing for the evolving requirements of CMMC. These sessions left attendees with a clearer understanding of the current cybersecurity challenges and the increasing accountability within the DIB.