Defense Industrial Base

Subscribe to Defense Industrial Base via RSS

Following a tumultuous start to fiscal year 2026, including a government shutdown that lasted 43 days, the National Defense Authorization Act for fiscal year 2026 (NDAA 2026), Pub. L. 119-60, was passed by Congress and signed into law on December 18, 2025. NDAA 2026 is a critical legislative act, setting acquisition reforms and policies and authorizing appropriations and funding levels for the Department of Defense (DoD). With $900.6 billion in funding for the DoD, NDAA 2026 contains a plethora of acquisition reform provisions and critical updates impacting defense contractors. Title XVIII of NDAA 2026 significantly increased certain acquisition thresholds, including triggers for the Truthful Cost or Pricing Data Act (formerly the Truth in Negotiations Act) and Cost Accounting Standards application, which you can read about here. Additionally, NDAA 2026 increases the thresholds for noncompetitive acquisitions and when information technology requirements qualify as a major system.Continue Reading FY2026 NDAA: Major Increases to Critical Acquisition Thresholds

The FY2026 National Defense Authorization Act (NDAA) became law on December 18, 2025, enacting a tidal wave of the Trump administration’s priorities with respect to Department of Defense (DoD) procurement. One key priority reflected in the NDAA is reducing compliance burdens so that (i) established DoD contractors are incentivized to pursue awards and (ii) more companies opt in to being a DoD contractor to grow the industrial base. Importantly, Section 1804 and Section 1806 of the NDAA take action on this priority by raising the dollar thresholds for complex domains of government contracting: the Cost Accounting Standards (CAS) and submission of certified cost or pricing data. While these changes are welcome developments, companies should be cognizant that a steady stream of compliance requirements remains even with these increased thresholds.Continue Reading Swept Away: FY2026 NDAA Updates to CAS and Certified Cost or Pricing Data Thresholds

Drumroll, please. On November 7, 2025, the Department of Defense (DoD) released three memoranda signaling changes to its approach to procurement and Foreign Military Sales/Direct Commercial Sales in the years to come: “Unifying the Department’s Arms Transfer and Security Cooperation Enterprise to Improve Efficiency and Enable Burden-Sharing”; “Reforming the Joint Requirements Process to Accelerate Fielding of Warfighting Capabilities”; and “Transforming the Defense Acquisition System into the Warfighting Acquisition System to Accelerate Fielding of Urgently Needed Capabilities to Our Warriors.” The latter memorandum appends the DoD’s Acquisition Transformation Strategy (the Strategy), which is aimed at dramatically reforming how the DoD’s acquisition system operates with an eye toward increasing the speed and flexibility of DoD procurements and the acquisition workforce. This document begins the march toward sunsetting the existing Defense Acquisition System in favor of what is envisioned to be a more rapid and effective system designed to provide the DoD with the capabilities it needs to meet its mission requirements.Continue Reading The Drumbeat of Progress: DOD’s Acquisition Transformation Strategy

The DoD has finally crossed the CMMC finish line, but for contractors, the race is just beginning. With the Final Rule effective Nov. 10, award eligibility will hinge on a “current” CMMC status in SPRS, backed by annual affirmations and strict compliance. The next two months are critical for getting race-ready. In this Featured Comment

Government procurement is essential to modern governance. But when firms rig bids, allocate markets, or otherwise collude, taxpayers pay more, honest competitors are shut out, and trust erodes. In recent months, US agencies have continued to emphasize the importance of fair competition in government procurement, scrutinizing regulations that may favor incumbents or unfairly limit competition and expanding whistleblower options.Continue Reading Rigging the Game? Antitrust Risks in the Public Contracting Arena

In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require

Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final

For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.

Well, critical infrastructure industry, welcome to the party! Soon, companies involved in all sectors of critical infrastructure will need to comply with new federal reporting requirements for cybersecurity incidents and ransom payments after President Joe Biden signed The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) into law on March 15, 2022. Tied to an omnibus appropriations package, the Act requires entities involved in critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any paid ransom demands within 24 hours. While these new reporting obligations will not become effective until CISA promulgates rules to further define requirements, as the DIB’s effort has demonstrated, it would be wise to examine best practices in incident response plans to begin sooner rather than later.Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War