Regulations

Subscribe to Regulations via RSS

Over the past few months, the second Trump administration has taken quick actions to suspend and terminate federal awards predating the transition of power. Many of these actions have resulted in the termination of “federal financial assistance”—specifically, grants and cooperative agreements. Organizations that have seen their grants and cooperative agreements terminated have pushed back through the courts with varying success, contending that agencies have acted arbitrarily in violation of the Administrative Procedure Act (APA). While there are many cases, this post provides an overview of three recent decisions in this rapidly developing landscape:Continue Reading In the Wake of High-Profile Terminations of Grants and Cooperative Agreements, Courts Begin to Weigh In

After years of anticipation, the Federal Acquisition Regulation (FAR) Council has announced the arrival of its proposed rule to enhance the safeguarding of Controlled Unclassified Information (CUI) in federal contracts (the Proposed Rule). Published in the Federal Register on January 15, 2025 (90 FR 4278), the Proposed Rule (stemming from FAR Case 2017-016) has been a long time coming and is intended to establish a government-wide standard for managing sensitive information, ensuring CUI uniformity and consistency across all agencies and federal contracts.Continue Reading They Did It. They Really Did It! The Arrival of the FAR CUI Proposed Rule

On January 8, 2025, in UNICA-BPA JV, LLC, the U.S. Government Accountability Office (GAO) sustained a protester’s challenge to its elimination from the competition for failing to have an active System for Award Management (SAM) registration at the time of its initial proposal submission. The GAO sustained the protest because the protester’s registration was in fact active at the time it submitted its final proposal revision (FPR) even though it was inactive at the time of initial proposal submission. The facts of the case are straightforward:Continue Reading What Happens When Uncle Sam Doesn’t Understand SAM? The Case of the Lucky Protester . . .

In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require

Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final

Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:Continue Reading CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?

On August 7, 2024 the Federal Communications Commission (FCC) adopted a new Notice of Proposed Rule Making (NPRM) proposing regulations that prohibit the use of AI in automated dialing or artificial or pre-recorded voice calls absent the prior written consent of the call recipient, unless otherwise exempted by the FCC. The action was taken under

On June 2, 2023, the FAR Council issued an Interim Rule to implement the prohibition on having or using TikTok or any successor application or service developed or provided by ByteDance Limited (covered application). Importantly, the prohibition applies not only to Government-issued devices but encompasses contractor and contractor employee-owned devices (e.g., employee devices used as part of a bring-your-own-device program) as well. The Interim Rule took immediate effect and requires new FAR clause FAR 52.204-27, Prohibition on a ByteDance Covered Application, to be included in solicitations issued on or after June 2, 2023. In addition, solicitations issued before the effective date were required to be amended by July 3, 2023, provided that award of the resulting contract(s) occurs on or after the effective date. Existing indefinite-delivery, indefinite-quantity contracts were required to be modified to include the new clause by July 3, 2023, to apply to future orders. Finally, if exercising an option or modifying an existing contract to extend the period of performance, contracting officers must include the clause. In short, this clause will soon be in most if not all Federal government contracts. Contractors should take action now to ensure that they are prepared to comply with these requirements and that employees are familiar with and trained regarding the prohibition.Continue Reading TikTok Dances Off of Contractor IT Devices—Interim Rule Prohibits ByteDance Limited Applications