As the year came to a close, the Kharon Brief asked a range of industry leaders to assess 2025’s biggest storylines and what’s coming in 2026 in sanctions, risk and compliance.
Deborah Curtis is a partner at Arnold & Porter and a former senior leader at the U.S. Department of Justice, the Commerce Department’s Bureau of Industry and Security, and the Central Intelligence Agency.
Looking back: The defining feature of national security enforcement in 2025 was the unprecedented speed with which White House policy priorities moved from announcement to action, with Treasury designations and criminal prosecutions deployed to test and enforce those changes almost immediately. Two structural developments reinforced this shift.
First, the creation of the Trade Fraud Task Force signaled a more aggressive, intelligence-driven approach to customs fraud, country-of-origin manipulation and tariff evasion—particularly where trade fraud functions as a workaround to export controls or sanctions. Second, NSPM-7, aimed at countering domestic terrorism and organized political violence, expanded the national-security lens inward. It increased scrutiny of advocacy activity, funding flows, and the conduct of tax-exempt and nonprofit organizations where the government perceives risks of foreign influence or “material support” to terrorism.
Together, these developments made 2025 the year it became unmistakable that national security enforcement now spans both international economic conduct and domestic organizational activity, reaching supply chains, corporate governance, nonprofit operations and public-facing advocacy organizations alike. This signals a world where enforcement risk is no longer confined to traditional “bad actors.”
Looking ahead: For years, DOJ has promised to hold individuals accountable for corporate misconduct, yet senior managers often watched their companies settle while they walked away untouched. That dynamic is ending.
A sharper enforcement pattern is emerging in which DOJ is putting criminal teeth into, among other laws, the False Claims Act (FCA). Companies increasingly are turning over facts, documents and witnesses to DOJ—often following whistleblower allegations, internal audits and voluntary self-disclosures—only for DOJ to leverage that cooperation to pursue criminal charges against the individuals involved. The government is no longer satisfied with recovering money; it is using FCA theories as a gateway to wire fraud, major fraud against the United States and obstruction prosecutions.
A recently announced cybersecurity-related fraud prosecution illustrates the shift. Through that case, DOJ announced that violations of government contracting requirements like FedRAMP and DoD’s Risk Management Framework are not technical or contractual failures but intentional schemes to defraud the government, particularly where certifications, audit results or security controls are said to be knowingly false. When companies resolve these matters through civil payments, individual executives may now be left standing alone in the criminal arena.
As 2026 approaches, senior managers must recognize that the civil-criminal divide is collapsing and that false compliance representations—particularly in areas that are administration priorities, such as tariffs, China-premised restrictions or cybersecurity requirements—now carry real personal risk.
Deborah Curtis is a partner at Arnold & Porter and a former senior leader at the U.S. Department of Justice, the Commerce Department’s Bureau of Industry and Security, and the Central Intelligence Agency.
Looking back: The defining feature of national security enforcement in 2025 was the unprecedented speed with which White House policy priorities moved from announcement to action, with Treasury designations and criminal prosecutions deployed to test and enforce those changes almost immediately. Two structural developments reinforced this shift.
First, the creation of the Trade Fraud Task Force signaled a more aggressive, intelligence-driven approach to customs fraud, country-of-origin manipulation and tariff evasion—particularly where trade fraud functions as a workaround to export controls or sanctions. Second, NSPM-7, aimed at countering domestic terrorism and organized political violence, expanded the national-security lens inward. It increased scrutiny of advocacy activity, funding flows, and the conduct of tax-exempt and nonprofit organizations where the government perceives risks of foreign influence or “material support” to terrorism.
Together, these developments made 2025 the year it became unmistakable that national security enforcement now spans both international economic conduct and domestic organizational activity, reaching supply chains, corporate governance, nonprofit operations and public-facing advocacy organizations alike. This signals a world where enforcement risk is no longer confined to traditional “bad actors.”
Looking ahead: For years, DOJ has promised to hold individuals accountable for corporate misconduct, yet senior managers often watched their companies settle while they walked away untouched. That dynamic is ending.
A sharper enforcement pattern is emerging in which DOJ is putting criminal teeth into, among other laws, the False Claims Act (FCA). Companies increasingly are turning over facts, documents and witnesses to DOJ—often following whistleblower allegations, internal audits and voluntary self-disclosures—only for DOJ to leverage that cooperation to pursue criminal charges against the individuals involved. The government is no longer satisfied with recovering money; it is using FCA theories as a gateway to wire fraud, major fraud against the United States and obstruction prosecutions.
A recently announced cybersecurity-related fraud prosecution illustrates the shift. Through that case, DOJ announced that violations of government contracting requirements like FedRAMP and DoD’s Risk Management Framework are not technical or contractual failures but intentional schemes to defraud the government, particularly where certifications, audit results or security controls are said to be knowingly false. When companies resolve these matters through civil payments, individual executives may now be left standing alone in the criminal arena.
As 2026 approaches, senior managers must recognize that the civil-criminal divide is collapsing and that false compliance representations—particularly in areas that are administration priorities, such as tariffs, China-premised restrictions or cybersecurity requirements—now carry real personal risk.
