Bonnie Gill

Bonnie is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group, where she counsels clients in all stages of federal and state enforcement actions, related civil litigation, corporate compliance, and internal investigations. She also handles matters before state regulatory bodies.

This article was originally published on October 8, 2025 on Law360 and is republished here with permission.

The U.S. Department of Defense released the final rule implementing the Cybersecurity Maturity Model Certification on Sept. 9.[1] Through the program, the DOD seeks to enhance protections for sensitive information.

Defense contractors’ efforts to ramp up their CMMC

Shutdown, again. This advisory helps contractors manage operations during this period.

First Step for Government Contractors and Companies Subject to US Export Controls.

Contractors should closely monitor their customer and regulatory agencies’ websites for shutdown guidance, as agencies like DoD, DOJ, and others have already issued instructions.[1] Each agency may have slightly different responses, so staying informed is crucial. Contractors should be particularly mindful of: (1) when contractors must halt work, (2) what work and costs are reimbursable during the shutdown, (3) cost-saving measures that comply with labor laws, and (4) the impact of future administrative delays on commercial operations.

On September 10, the U.S. Department of Defense (DOD) posted its final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program for defense acquisitions.[1] This new rule (acquisition rule) updates the Defense Federal Acquisition Regulation Supplement (DFARS) and imposes new cybersecurity requirements on defense contractors who handle (store, process, or transmit) sensitive information during contract performance.

In keeping with President Donald Trump’s affinity for issuing executive orders (EO) — 139 in total, Nos. 14147–14285, between Jan. 20, 2025, and April 24, 2025 — he recently issued EO 14265, “Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base.” In a nutshell, the Department of Defense (DoD) is directed to take aggressive steps to deregulate the procurement process and to exploit existing reform initiatives to achieve a more efficient and nimble procurement process. The order focuses on four major deregulatory priorities, the collective effect of which will, in theory, constitute a “comprehensive overhaul” of the current defense acquisition system. In no particular order, the four priorities are:

Just two months into President Donald Trump’s second term, contractors have been whipsawed by a flurry of executive orders, Department of Government Efficiency (DOGE) directives, and agency actions. This has brought an era of chaos, confusion, and uncertainty to the government marketplace as contractors endeavor to figure out what all of this means, day to day, as they proceed with contract performance.

1. The Real Risk of Cybersecurity: Choosing to be Unaware

Since 2016, the federal government has implemented numerous procurement regulations and associated contract clauses to address cybersecurity by requiring contractors to adopt various controls and standards to protect sensitive, unclassified information, and to harden information technology (IT) systems to make them more resilient to all manner of cyber hacks. The easy part (not that it was at all easy) was developing the controls and standards – NIST SP 800-171 (currently up to Rev. 3), and contract clauses (most notably, FAR 52.204-21, and DFARS 252.204-7012, 7019, 7020, 7021, and others). The difficult part is getting contractors to take seriously the obligation to invest in cybersecurity.

This blog post was republished in the October 2024 edition of Surety Bond Quarterly.

Did the 2023 update to the Davis-Bacon and Related Acts, which apply to contractors and subcontractors performing on certain federally funded or assisted contracts, appropriately modernize or unduly expand the Davis-Bacon Act’s (DBA) prevailing wage rule?[1] Following the Department of Labor’s (DOL) enactment of a final resolution on August 23, 2023 (final rule),[2] interested parties immediately challenged the final rule, seeking a preliminary injunction. The parties argued that specified portions of § 5.2 and the entirety of § 5.5(e) in the final rule exceed the DOL’s authority under the DBA and will result in undue hardship and irreparable harm for government contractors in the construction industry.

In 2024, the landscape of state attorneys general (AGs) is poised for significant change, with numerous elections and regulatory actions reshaping priorities and enforcement strategies. This dynamic environment reflects the critical role AGs play in addressing key issues across various sectors, from environmental regulations and consumer protection to health care and privacy. As state AGs continue to influence policy and legal frameworks, their actions will have far-reaching implications for businesses and consumers alike. Troutman Pepper’s State AG team is pleased to provide you with this mid-year review summarizing the activities in this regulatory space over the past six months.

On December 22, 2023, the National Defense Authorization Act for Fiscal Year 2024, Pub. L. No. 118-31, 137 Stat. 136 (2023) (NDAA 2024) went into effect. Among other things, NDAA 2024 includes a provision phasing out self-certification of service-disabled veteran-owned small businesses (SDVOSB) and requiring Small Business Administration (SBA) certification of SDVOSB program eligibility, not unlike the requirements for the HUBZone program. SDVOSBs and prime contractors, who seek to work with them to bid on and perform contracts set aside for SDVOSBs, should take note of these changes, which become effective October 1, 2025.