Defense Industrial Base

The Department of Defense’s proposed rule implementing Section 847 of the FY 2020 NDAA could fundamentally reshape how foreign ownership, control, or influence (FOCI) is monitored across the defense industrial base. Through proposed DFARS Part 240, the rule would extend recurring FOCI disclosure, National Industrial Security System (NISS) reporting, and Defense Counterintelligence and Security Agency (DCSA) oversight far beyond the traditional facility-clearance context and into ordinary government contracting. For foreign-owned contractors, allied-country suppliers, private equity sponsors, and federal subcontractors, the proposal signals the emergence of a permanent compliance regime built around continuous visibility rather than one-time vetting.

Friends, Romans, contractors, lend me your ears;
I come to disclose your owners, not to debar them.
The FOCI that contractors do is oft assessed;
The clearances are oft interred with their bones.
So let it be with allies. The honorable rule
Hath told you that we treat all foreigners alike;
If it be so, it is a grievous form,
And grievously hath the SF-328 answered it.

The speech may be a little ridiculous, but in its way, it’s also a little accurate. The proposed DFARS rule implementing Section 847 of the FY 2020 NDAA is not unkind to allies. It is, as was Mark Antony, scrupulously polite to them, right up to the moment it asks them to register as suspects.

Continue Reading Section 847 and the New Era of DOD Continuous FOCI Monitoring

Given recent world events and their attendant economic shocks, 2026 looks to be another year of supply chain gyration. Government contractors, besides having to cope with such shocks, must add semiconductors to the list of supply chain concerns. Semiconductors, as the U.S. Government states in a new proposed rule (2026-03065 (91 FR 7223)), are the “tiny electronic devices” essential to “consumer electronics, automobiles, data centers, critical infrastructure, and virtually all military systems.” Indeed, semiconductors “power tools as simple as a power adapter and as complex as a fighter jet or a smartphone. They are also essential building blocks of the technologies that will shape our future, including artificial intelligence, biotechnology, and clean energy.”

Continue Reading Semiconductors: Another Link to Ever-Extending Curation of the Federal Supply Chain

In every crisis, half the room runs in circles while the other half picks up a clipboard and starts taking stock. The Anthropic-Pentagon dispute is that crisis, and defense contractors are deciding which half they want to be in.

The short version: The government designated a FedRAMP-authorized, facility-cleared American AI company a national security supply chain threat, via social media, after the company refused to remove safety restrictions on autonomous weapons and mass surveillance. Anthropic sued days later, with the Pentagon’s own officials on the record stating the designation was “ideologically driven” with “no evidence of supply chain risk.”

Continue Reading Don’t Panic! How Federal Contractors Should Navigate the Anthropic Designation

The FY2026 National Defense Authorization Act (NDAA) became law on December 18, 2025, enacting a tidal wave of the Trump administration’s priorities with respect to Department of Defense (DoD) procurement. One key priority reflected in the NDAA is reducing compliance burdens so that (i) established DoD contractors are incentivized to pursue awards and (ii) more companies opt in to being a DoD contractor to grow the industrial base. Importantly, Section 1804 and Section 1806 of the NDAA take action on this priority by raising the dollar thresholds for complex domains of government contracting: the Cost Accounting Standards (CAS) and submission of certified cost or pricing data. While these changes are welcome developments, companies should be cognizant that a steady stream of compliance requirements remains even with these increased thresholds.

Continue Reading Swept Away: FY2026 NDAA Updates to CAS and Certified Cost or Pricing Data Thresholds

Drumroll, please. On November 7, 2025, the Department of Defense (DoD) released three memoranda signaling changes to its approach to procurement and Foreign Military Sales/Direct Commercial Sales in the years to come: “Unifying the Department’s Arms Transfer and Security Cooperation Enterprise to Improve Efficiency and Enable Burden-Sharing”; “Reforming the Joint Requirements Process to Accelerate Fielding of Warfighting Capabilities”; and “Transforming the Defense Acquisition System into the Warfighting Acquisition System to Accelerate Fielding of Urgently Needed Capabilities to Our Warriors.” The latter memorandum appends the DoD’s Acquisition Transformation Strategy (the Strategy), which is aimed at dramatically reforming how the DoD’s acquisition system operates with an eye toward increasing the speed and flexibility of DoD procurements and the acquisition workforce. This document begins the march toward sunsetting the existing Defense Acquisition System in favor of what is envisioned to be a more rapid and effective system designed to provide the DoD with the capabilities it needs to meet its mission requirements.

Continue Reading The Drumbeat of Progress: DOD’s Acquisition Transformation Strategy

The DoD has finally crossed the CMMC finish line, but for contractors, the race is just beginning. With the Final Rule effective Nov. 10, award eligibility will hinge on a “current” CMMC status in SPRS, backed by annual affirmations and strict compliance. The next two months are critical for getting race-ready. In this Featured Comment

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require

Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.

Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final

For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.Continue Reading Critical Infrastructure Industry Drafted: Welcome to the Cyber War