On April 15, 2025, the Department of Defense (DoD) released official guidance on Organizationally Defined Parameters (ODPs) appearing in the newly published NIST SP 800-171 Revision 3. At the same time, the DoD reaffirmed that contractors must continue complying with Revision 2 thanks to a previously issued class deviation. What does this mean in plain terms? The DoD is slowly pulling back the curtain on the next major shift in cybersecurity compliance. Still, the full prestige hasn’t happened yet.Continue Reading The “Prestige”: DoD Unveils NIST SP 800-171 Revision 3, Organizationally Defined Parameters

On February 26, 2025, the White House issued another Executive Order (EO) that will have major implications for Federal government contractors across numerous industries and agencies. The new EO, entitled Implementing the President’s “Department of Government Efficiency” Cost Efficiency Initiative, requires every agency to work with that agency’s DOGE Team Lead (i.e., the leader of the DOGE Team at each agency, as defined in Executive Order 14158) to, among other things, conduct a review of covered contracts and grants, set up guidance for new contracts aimed at promoting efficiency and the Trump administration’s priorities, and build a system to track and justify payments made to contractors. What does that mean for you? Consider the below.Continue Reading New EO Demands Agencies Conduct Review of All Covered Contracts and Grants, Terminate or Modify To Reduce Spending, and Set Up System To Track and Justify All Future Payments

Amid a flurry of executive orders starting his second administration, President Donald Trump issued an order entitled “Ending Illegal Discrimination and Restoring Merit-Based Opportunity” (the “Order”) on January 21, 2025. The Order will have an immediate impact on federal contractors and subcontractors currently subject to the affirmative action obligations concerning women and minorities under now-revoked Executive Order 11246 dated September 24, 1965 (and the subsequent executive orders that refined these obligations). It also signals a significant change in the focus of federal enforcement of equal opportunity laws. The Order does NOT, however, change any of the substantive federal law regarding employment discrimination. Under Title VII of the Civil Rights Act of 1964, it remains illegal for employers to make employment decisions on the basis of race, color, religion, sex, or national origin. Other federal and state statutes prohibit making employment decisions on various other bases, including age, disability, genetic make-up, etc.; none of these substantive laws have been changed. So what has changed?Continue Reading DEI, Discrimination, Affirmative Action and More: How the Recent Executive Order Impacts Private Employers

After years of anticipation, the Federal Acquisition Regulation (FAR) Council has announced the arrival of its proposed rule to enhance the safeguarding of Controlled Unclassified Information (CUI) in federal contracts (the Proposed Rule). Published in the Federal Register on January 15, 2025 (90 FR 4278), the Proposed Rule (stemming from FAR Case 2017-016) has been a long time coming and is intended to establish a government-wide standard for managing sensitive information, ensuring CUI uniformity and consistency across all agencies and federal contracts.Continue Reading They Did It. They Really Did It! The Arrival of the FAR CUI Proposed Rule

On January 8, 2025, in UNICA-BPA JV, LLC, the U.S. Government Accountability Office (GAO) sustained a protester’s challenge to its elimination from the competition for failing to have an active System for Award Management (SAM) registration at the time of its initial proposal submission. The GAO sustained the protest because the protester’s registration was in fact active at the time it submitted its final proposal revision (FPR) even though it was inactive at the time of initial proposal submission. The facts of the case are straightforward:Continue Reading What Happens When Uncle Sam Doesn’t Understand SAM? The Case of the Lucky Protester . . .

The US Department of Justice Antitrust Division (DOJ or Division) recently released a revised Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Guidance). The Guidance reflects how the Division assesses the effectiveness and adequateness of a company’s antitrust compliance program. The Guidance offers insight into the Division’s evaluations of antitrust compliance programs at the charging and the sentencing stages of a criminal prosecution but is equally applicable to civil compliance. Adherence to the Guidance improves the chances a company can receive leniency and reduces the risk of prosecution should a violation occur.Continue Reading Antitrust Corporate Compliance Programs: Late 2024 Changes Mean Companies Should Revisit Their Programs Early in 2025

In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require

Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final

Johnny, rosin up your bow and play your fiddle hard
’Cause Hell’s broke loose in Georgia and the Devil deals the cards
And if you win, you get this shiny fiddle made of gold
But if you lose the Devil gets your soul
~ The Charlie Daniels Band

Some might say there’s little difference between dealing with the devil and being a federal contractor. And for the unwary or unprepared, that may not be far off. Federal contracting comes with a litany of “fine print” that would make “Old Scratch” proud. However, as most savvy contractors recognize, it’s all hiding in plain sight, with the devil in the details. Take, for example, the cybersecurity requirements found in the Federal Acquisition Regulations (FAR) at 52.204-21 and the Department of Defense (DoD) FAR Supplement (DFARS) at 252.204-7012, -7019, and -7020. These requirements have been the topic of countless articles, trainings, webinars, whole conferences, etc., so it is surprising while simultaneously not surprising that they form the basis of a federal False Claims Act (FCA) claim the Department of Justice (DOJ) recently filed in its complaint in intervention.Continue Reading DOJ Went Down to Georgia: Lessons Learned from Recent Cybersecurity Enforcement Actions