Regulations

Subscribe to Regulations via RSS

The US Department of Justice’s (DOJ) new Data Security Program (DSP), designed to protect sensitive information and national security-related data from misuse by foreign actors, took full effect on October 6, 2025. The program introduces new restrictions on how companies handle and share sensitive US personal data and government-related data, especially when certain foreign entities are involved. With enforcement underway, companies should understand who is covered, what activities are restricted, and what compliance measures are required. Failure to comply with the rules can result in civil or criminal penalties.Continue Reading DOJ Launches New Data Security Program—What Your Company Needs to Know

The DoD has finally crossed the CMMC finish line, but for contractors, the race is just beginning. With the Final Rule effective Nov. 10, award eligibility will hinge on a “current” CMMC status in SPRS, backed by annual affirmations and strict compliance. The next two months are critical for getting race-ready. In this Featured Comment

As we have previously covered in this blog, as a result of President Trump’s executive order, Restoring Common Sense to Federal Procurement, the Federal Acquisition Regulation (FAR) is undergoing an extensive and unprecedented rewrite. While many of us were enjoying the relaxation of summer days (drifting away to summer nights), the Trump administration has been busy issuing rolling updates to the FAR, which are poised to dramatically reshape the federal acquisition landscape. On August 14, 2025, the FAR Council told us more (told us more) by issuing draft revisions to FAR Parts 4, 8, 12, and 40. The revisions to FAR Part 12 are particularly noteworthy, as they go to the heart of the executive order’s policy statement that the federal procurement system should be “agile, effective, and efficient” and that “undue barriers” should be removed from federal procurement.Continue Reading Summer Sun, Something’s Begun, But (Oh, Oh) Those FAR Part 12 Rewrites

For those who grew up gripping a joystick and dodging alien fire in Defender, riding ostriches through floating platforms in Joust, or crossing a hectic freeway in Frogger, winning wasn’t about memorizing rules; it was about adapting fast, reading the patterns, and leveling up. That same urgency now applies to federal information and communication technology (ICT) contractors. A sweeping overhaul of FAR Part 39 has just been released, and while it may not blink and beep like a cabinet in a darkened arcade, it’s just as demanding. There’s no attract mode here. The game has already started.Continue Reading FAR 2.0 Part 39 in Arcade Mode—How Federal IT Acquisition Just Hit Reset

Over the past few months, the second Trump administration has taken quick actions to suspend and terminate federal awards predating the transition of power. Many of these actions have resulted in the termination of “federal financial assistance”—specifically, grants and cooperative agreements. Organizations that have seen their grants and cooperative agreements terminated have pushed back through the courts with varying success, contending that agencies have acted arbitrarily in violation of the Administrative Procedure Act (APA). While there are many cases, this post provides an overview of three recent decisions in this rapidly developing landscape:Continue Reading In the Wake of High-Profile Terminations of Grants and Cooperative Agreements, Courts Begin to Weigh In

In Part I of this series we introduced readers to what Controlled Unclassified Information (CUI) is understood to consist of under the CUI Program at 32 CFR pt. 2002, differentiating and safeguarding CUI, CUI Program Authority and Control, and CUI policy as promulgated under the U.S. Department of Defense CUI Program. (See 66 GC ¶

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program will become operational at some point in fiscal year 2025. In October, the DOD issued a Final Rule to address evolving cybersecurity requirements and cyber threats while defining the security controls that DOD intends defense contractors and subcontractors to implement. The program will require

Over the course of the past few years, gallons of ink have been spilled addressing the seemingly ever-pending US Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program. After keeping us waiting for years, it finally arrived when, on October 15, 2024, DoD published its Final Rule to establish the CMMC Program. See 89 Fed. Reg. 83092 (Oct. 15, 2024). Effective December 16, 2024, the Rule will require certain defense contractors to have implemented security measures to achieve a particular CMMC level necessary to safeguard Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a condition of contract award. Codified at 34 C.F.R. Part 170, the CMMC Program will be augmented by a separate proposed acquisition rule to add a new 48 C.F.R. Part 204, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement considerations related to the CMMC Program, including allowing DoD to require a specific CMMC level in a solicitation or contract. See 89 Fed. Reg. 66327 (Aug. 15, 2024) or our analyses here and here. The date when that DFARS clause will become final is still unclear, but most suspect it will be soon.Continue Reading A Standard on Many Levels: A Look at CMMC 2.0 in Final

Sequels are rarely better than the films that precede them, and yet, sometimes a story is just too compelling to be limited to just one film. At the tail end of a summer full of Hollywood sequels, the Department of Defense (DoD) released a long-gestating sequel of its own. On August 15, 2024, DoD published a Proposed Rule that would revise the DoD Federal Acquisition Regulation Supplement (DFARS) to implement Cybersecurity Maturity Model Certification (CMMC) 2.0 into DoD contracts in the near(ish) future. This follows a December 2023 Proposed Rule, discussed here, establishing the CMMC 2.0 requirements in broad strokes. In this latest Proposed Rule, DoD proposes several changes to the DFARS that would do the following:Continue Reading CMMC and DFARS 252.204-7021—Is the Sequel Better than the Original?