CMMC Rules, Bosch $43M Export Fine & EEOC Shift (07/06/2026)
- › CMMC requirements are flowing into defense contracts, and an inaccurate self-certification carries False Claims Act exposure, including treble damages.
- › Bosch paid more than $43 million for illegally exporting products and software to Huawei.
- › The EEOC rescinded two long-standing policy documents that guided employers on voluntary affirmative action.
- › The Texas Hearing Institute reported a breach affecting more than 29,000 residents, starting the HIPAA notification clock.
- › Each of today's stories creates a new obligation or a new liability to plan around.
Today’s compliance stories each create a new obligation or a new liability. CMMC cybersecurity requirements are flowing into defense contracts, and an inaccurate self-certification now carries False Claims Act exposure. Bosch paid more than $43 million for export-control violations. And the EEOC withdrew guidance employers have relied on for years.
Top Compliance Alerts
1. CMMC Requirements Land in Defense Contracts
Cybersecurity Maturity Model Certification (CMMC) requirements are rolling into defense contracts, and an inaccurate self-certification can expose a contractor to False Claims Act liability, including treble damages and whistleblower suits (Corporate Compliance Insights). This turns a security checkbox into a financial and legal one: the assessment you sign becomes a representation the government can sue over.
Operator Note: Do not self-certify from memory. Run a gap assessment against the CMMC level named in your contract first, because the penalty for getting it wrong is now treble damages.
2. Bosch Pays $43 Million for Illegal Huawei Exports
Bosch agreed to pay more than $43 million in penalties and disgorgement for illegally exporting products and software to Huawei in violation of US export controls (JD Supra). Export control is the area most companies underestimate, because the rules sit outside the security and privacy teams that usually own risk. One mis-shipped product line can carry an eight-figure price.
3. EEOC Rescinds Affirmative Action Guidance
On June 29, the EEOC voted to rescind two long-standing policy documents that guided employers on voluntary affirmative action programs (JD Supra). When an agency withdraws guidance employers built their policies around, the obligation does not vanish, it just loses its map. Any program that leaned on those documents needs a fresh review with counsel.
4. Texas Hearing Institute Reports 29,000-Person Breach
The Texas Hearing Institute notified the Texas Attorney General of a data breach affecting more than 29,000 residents (HIPAA Journal). Under HIPAA and state law, a breach is more than a security event. It starts a reporting clock and can trigger enforcement. The obligation begins the moment you discover it, so the legal notification steps belong inside your incident plan, written in before you need them.
Additional Compliance Alerts
Regulatory Updates
- SEC names a new COO: The SEC appointed Paul Knight as Chief Operating Officer to oversee agency operations. SEC
- FCA proposes new SIPP asset rules: The UK’s FCA proposed a new regime for handling pension scheme money and assets within self-invested personal pensions. JD Supra
The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.
A leader defined by a 'bias for action,' Dusten specializes in physical security assessments that impact profitability and facility resilience.
View Profile →Media Inquiries
For expert commentary, interview requests, or high-res assets regarding this announcement, initialize the terminal.