Posts

Showing posts with the label DOD

Government Contracting in 2026- Key Legal & Compliance Risks

  As federal agencies continue to navigate budget constraints, geopolitical uncertainty, workforce shortages, and rapid technological change, government contractors entering 2026 face an increasingly complex legal and enforcement environment. Recent case law, agency guidance, and enforcement activity reflect a clear trend: Contractors are being held to higher standards of documentation, transparency, and internal controls across the procurement lifecycle. Below are six legal issues government contractors should be actively monitoring — and preparing for — in 2026. 1.  Heightened Scrutiny of Responsibility Determinations and Contractor Integrity Agencies are paying closer attention to contractor “responsibility,” particularly with respect to ethics, compliance systems, financial viability, and past performance. Responsibility determinations — long considered largely discretionary — are increasingly shaped by issues that extend well beyond the instant procurement. Recent litiga...

They’re Here! The Cybersecurity Maturity Model Certification Requirements for DoD Solicitations and Contracts Are Live. What Does This Mean for Your Organization?

  This alert serves to remind contractors of the much-ballyhooed Cybersecurity Maturity Model Certification (CMMC) and updates our previous articles on   the Department of Defense’s (DoD) proposed CMMC Program rule   and   DoD’s issuance of a new final rule , codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision). The new DFARS rule implements the CMMC Program’s requirements into DoD contracts over the course of a three-year phase-in period. This week, as of November 10, 2025, Phase 1 of this rule’s rollout has finally become effective, with significant implications for defense contractors. As discussed in our prior articles, the new CMMC rule will apply to defense contracts involving contractor information systems handling federal contract information (FCI) or controlled unclassified information (CUI) only . There is a significant exception for contracts solely for the acquisiti...

Recent DOJ Settlements Highlight Risks for Subcontractors Handling Sensitive Government Information

On September 30, the U.S. Department of Justice (DOJ) announced an $875,000 settlement with a university over failures to comply with the data security obligations in certain contracts with the Air Force and the Defense Advanced Research Projects Agency (DARPA) . This announcement, along with several other recent settlement announcements by the DOJ and its  Civil-Cyber Fraud Initiative , highlights the contract compliance risks for government contractors and subcontractors who handle sensitive government information and yet fail to comply with the federal government’s cybersecurity requirements.   The university’s case and several like it involve compliance with the requirements of  DFARS 252.204-7012  (Safeguarding Covered Defense Information and Cyber Incident Reporting). This DFARS clause is a federal regulation that establishes minimum standards for how defense contractors and subcontractors must protect sensitive government information and report cybersecur...

New Requirements for DoD Consulting Contractors

Bottom Line Up Front On October 24, 2025, the Department of Defense (DoD)  DFARS Case 2024-D007  (“the final rule”) goes into effect, which amends the Defense Federal Acquisition Regulation Supplement (DFARS) to address national security concerns that may arise when a company provides consulting services to both the DoD and a foreign adversary . Going forward, a company that is providing or seeking to provide management, scientific, and technical consulting services to the DoD must now certify that neither it, nor its affiliates or subsidiaries, are providing consulting services to covered foreign entities. If they cannot make this certification, the company will need to have an approved conflict-of-interest mitigation plan in order to be awarded a DoD contract. The final rule and the DFARS amendment are intended to ensure that contractors advising the DoD are not simultaneously involved in activities that could negatively impact U.S. national security interests. Covered For...

DoD Finalizes Cybersecurity Maturity Model Certification Rule: What Defense Contractors Need to Know

Image
On September 10, 2025, the U.S. Department of Defense (DoD) published a  final rule  that will shake up cybersecurity compliance for DoD contractors. T he new rule formally incorporates the Cybersecurity Maturity Model Certification (CMMC) program into nearly all DoD contracts through the Defense Federal Acquisition Regulation Supplement (DFARS) . This move has far-reaching implications for employers across the defense industrial base. Quick Hits Beginning November 2025, the DoD will issue contracts requiring contractors to comply with CMMC cybersecurity standards and conduct third-party or self-assessments, depending on the sensitivity of the information they handle. In addition to achieving and maintaining the CMMC level specified in each solicitation or contract, the final rule will require contractors to flow down the appropriate requirements to subcontractors, and to document and publish the results of assessments. While the rule will be phased in over three years, emplo...

DOD Issues Final DFARS Rule for Cybersecurity Maturity Model Certification Program

WHAT:  The U.S. Department of Defense (DOD) has published the  final rule  amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements for the Cybersecurity Maturity Model Certification Program (CMMC). The final rule at long last sets a starting date for phasing in the CMMC program. WHEN:   DOD issued the final rule on September 10, 2025, so it will take effect on November 10, 2025. That effective date will mark the first day of the three-year phase-in effort that DOD previously prescribed in the  earlier final rule  (which we summarized  here ) establishing the CMMC program requirements in Title 32 of the Code of Federal Regulations.  See  32 CFR § 170.3(e). During the first year of the phase-in plan, the following will be applicable: For new contracts, DOD intends to require at least a self-assessment as a condition of award. DOD retains the discretion to require a third-party certificatio...