Regulations

Subscribe to Regulations via RSS

The US Department of Justice’s (DOJ) new Data Security Program (DSP), designed to protect sensitive information and national security-related data from misuse by foreign actors, took full effect on October 6, 2025. The program introduces new restrictions on how companies handle and share sensitive US personal data and government-related data, especially when certain foreign entities are involved. With enforcement underway, companies should understand who is covered, what activities are restricted, and what compliance measures are required. Failure to comply with the rules can result in civil or criminal penalties.Continue Reading DOJ Launches New Data Security Program—What Your Company Needs to Know

The DoD has finally crossed the CMMC finish line, but for contractors, the race is just beginning. With the Final Rule effective Nov. 10, award eligibility will hinge on a “current” CMMC status in SPRS, backed by annual affirmations and strict compliance. The next two months are critical for getting race-ready. In this Featured Comment

As we have previously covered in this blog, as a result of President Trump’s executive order, Restoring Common Sense to Federal Procurement, the Federal Acquisition Regulation (FAR) is undergoing an extensive and unprecedented rewrite. While many of us were enjoying the relaxation of summer days (drifting away to summer nights), the Trump administration has been busy issuing rolling updates to the FAR, which are poised to dramatically reshape the federal acquisition landscape. On August 14, 2025, the FAR Council told us more (told us more) by issuing draft revisions to FAR Parts 4, 8, 12, and 40. The revisions to FAR Part 12 are particularly noteworthy, as they go to the heart of the executive order’s policy statement that the federal procurement system should be “agile, effective, and efficient” and that “undue barriers” should be removed from federal procurement.Continue Reading Summer Sun, Something’s Begun, But (Oh, Oh) Those FAR Part 12 Rewrites

Ding ding.” – Apollo Creed,
Rocky III

September 30. All (most?) federal years end the same way, at least on paper—like a prizefight, with the clock ticking down; an agitated, uncertain crowd; a lot of money on the table; and a ref capable of stopping the match at any moment. This year will be at once both no different and a completely different beast. With ever-recent uncertainty surrounding appropriations, continuing-resolution (CR) risk, evolving Federal Acquisition Regulation (FAR) language, the tightening screws of cyber attestations, industry supply-chain and acquisition changes, and grant closeouts that always take longer than you’d think, September is not a month for contractor improvisation. It’s a month when a dedicated corner team, a game plan, and crisp execution all are paramount.Continue Reading And in This Corner … the Sweet Science of Federal Contracting’s Year-End

For those who grew up gripping a joystick and dodging alien fire in Defender, riding ostriches through floating platforms in Joust, or crossing a hectic freeway in Frogger, winning wasn’t about memorizing rules; it was about adapting fast, reading the patterns, and leveling up. That same urgency now applies to federal information and communication technology (ICT) contractors. A sweeping overhaul of FAR Part 39 has just been released, and while it may not blink and beep like a cabinet in a darkened arcade, it’s just as demanding. There’s no attract mode here. The game has already started.Continue Reading FAR 2.0 Part 39 in Arcade Mode—How Federal IT Acquisition Just Hit Reset

Over the past few months, the second Trump administration has taken quick actions to suspend and terminate federal awards predating the transition of power. Many of these actions have resulted in the termination of “federal financial assistance”—specifically, grants and cooperative agreements. Organizations that have seen their grants and cooperative agreements terminated have pushed back through the courts with varying success, contending that agencies have acted arbitrarily in violation of the Administrative Procedure Act (APA). While there are many cases, this post provides an overview of three recent decisions in this rapidly developing landscape:Continue Reading In the Wake of High-Profile Terminations of Grants and Cooperative Agreements, Courts Begin to Weigh In

After years of anticipation, the Federal Acquisition Regulation (FAR) Council has announced the arrival of its proposed rule to enhance the safeguarding of Controlled Unclassified Information (CUI) in federal contracts (the Proposed Rule). Published in the Federal Register on January 15, 2025 (90 FR 4278), the Proposed Rule (stemming from FAR Case 2017-016) has been a long time coming and is intended to establish a government-wide standard for managing sensitive information, ensuring CUI uniformity and consistency across all agencies and federal contracts.Continue Reading They Did It. They Really Did It! The Arrival of the FAR CUI Proposed Rule

On January 8, 2025, in UNICA-BPA JV, LLC, the U.S. Government Accountability Office (GAO) sustained a protester’s challenge to its elimination from the competition for failing to have an active System for Award Management (SAM) registration at the time of its initial proposal submission. The GAO sustained the protest because the protester’s registration was in fact active at the time it submitted its final proposal revision (FPR) even though it was inactive at the time of initial proposal submission. The facts of the case are straightforward:Continue Reading What Happens When Uncle Sam Doesn’t Understand SAM? The Case of the Lucky Protester . . .

In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require