Posts

Showing posts with the label 2026-07-10 Digest

FedRAMP 2026 is not a compliance update — it’s a new operating model

FedRAMP’s 2026 rule changes are significant, but the most important thing about them is not what they require — it’s about what they signal.  The federal government is telling the cloud market that point-in-time compliance is no longer sufficient. What agencies need now is continuous visibility into whether the controls protecting federal data are actually working every day, not just at assessment time. That is the right shift and it is one that many providers are not yet ready to make. For years, FedRAMP compliance has been understood primarily as a documentation challenge consisting of system security plans, assessment packages, monthly scans, plans of action and milestones. Those elements still matter, but the new model is built around continuous evidence and not static documentation. This changes the rhythm of how cloud security will work. Evidence needs to be current and vulnerability data needs to be actionable in near-real time. Ownership of risk needs to be clearly assign...

CMMC Cybersecurity Rules Are Rolling Into Defense Contracts

US defense contractors are now encountering CMMC cybersecurity requirements in their contracts. Ambika Biggs of Hirschler reviews the program’s structure, the levels at which contractors may self-certify and where inaccurate certifications have drawn False Claims Act scrutiny from the Justice Department. A US government focus on cybersecurity is not new. DFARS 252.204-7012 , which is included in defense contracts involving controlled unclassified information (CUI), became effective in 2016. However, after a defense department inspector general report in 2019 found that defense contractors were not consistently implementing security requirements to protect CUI, the defense department developed the cybersecurity maturity model certification (CMMC) program to assess implementation of cybersecurity requirements by defense contractors and subcontractors.  A final rule was published in November 2020 and became effective in 2024; the department began incorporating CMMC program requirem...

New Jersey will charge fees to employers with low-income workers on Medicaid, and other states could follow suit

New Jersey employers whose workers are on Medicaid health coverage instead of workplace insurance will soon have to pay a new fee. Other states are considering it, too. Democratic lawmakers and governors see it as a way to help pay for the joint federal and state insurance program that covers low-income residents as federal policy changes are expected to make the program more expensive for states and may lead to a reduction in the number of people with coverage. New Jersey Gov. Mikie Sherrill signed a measure Tuesday night to charge employers that have at least 50 workers covered by Medicaid , and the state budget she approved earlier in the week counts on raising $145 million this year from the program. Under the plan, companies will be billed for each employee and employee's dependents receiving Medicaid, the joint state-federal insurance program . The fees per person would start at $325 a year for companies with 50 to 249 Medicaid beneficiaries and top out at $725 annually for ...

Virginia’s New Pay Transparency Law: What Employers With Virginia Employees Need to Know Now

Effective July 1, 2026, Virginia has enacted a new pay transparency law requiring employers with Virginia employees to disclose compensation ranges and follow new restrictions on salary history. The law applies broadly and creates both enforcement risk and private litigation exposure. Employers with employees in Virginia should act now to ensure compliance with the new pay transparency law. What the Virginia Law Requires Set and disclose good ‑ faith pay ranges in postings. Employers must disclose the wage, salary, or wage/salary range in each public and internal posting for each job, promotion, transfer, or other employment opportunity, and must set that range in good faith. Do not seek or rely on salary history. Employers may not seek an applicant’s wage or salary history, rely on it in considering the person for employment, or rely on it to set pay upon hire with a limited exception: If the candidate voluntarily discloses their salary history, without prompting after an initial o...