
An experienced and sought-after strategist, Hilary Cairnie counsels clients in nearly all types of government contracting matters.

Wednesday, February 11 • 11:20 a.m. – 12:20 p.m. ET

Ronald Reagan Building and International Trade Center
1300 Pennsylvania Ave NW
Washington, DC 20004

Troutman Pepper Locke is proud to sponsor Pub K’s Government Contracts Annual Review Conference in Washington, D.C. Hilary Cairnie will be a panelist on the “Investigations & Audits” session

This article was originally published on October 8, 2025 on Law360 and is republished here with permission.

The U.S. Department of Defense released the final rule implementing the Cybersecurity Maturity Model Certification on Sept. 9.[1] Through the program, the DOD seeks to enhance protections for sensitive information.

Defense contractors’ efforts to ramp up their CMMC

Shutdown, again. This advisory helps contractors manage operations during this period.

First Step for Government Contractors and Companies Subject to US Export Controls.

Contractors should closely monitor their customer and regulatory agencies’ websites for shutdown guidance, as agencies like DoD, DOJ, and others have already issued instructions.[1] Each agency may have slightly different responses, so staying informed is crucial. Contractors should be particularly mindful of: (1) when contractors must halt work, (2) what work and costs are reimbursable during the shutdown, (3) cost-saving measures that comply with labor laws, and (4) the impact of future administrative delays on commercial operations.

On September 10, the U.S. Department of Defense (DOD) posted its final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program for defense acquisitions.[1] This new rule (acquisition rule) updates the Defense Federal Acquisition Regulation Supplement (DFARS) and imposes new cybersecurity requirements on defense contractors who handle (store, process, or transmit) sensitive information during contract performance.

In keeping with President Donald Trump’s affinity for issuing executive orders (EO) — 139 in total, Nos. 14147–14285, between Jan. 20, 2025, and April 24, 2025 — he recently issued EO 14265, “Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base.” In a nutshell, the Department of Defense (DoD) is directed to take aggressive steps to deregulate the procurement process and to exploit existing reform initiatives to achieve a more efficient and nimble procurement process. The order focuses on four major deregulatory priorities, the collective effect of which will, in theory, constitute a “comprehensive overhaul” of the current defense acquisition system. In no particular order, the four priorities are:

Just two months into President Donald Trump’s second term, contractors have been whipsawed by a flurry of executive orders, Department of Government Efficiency (DOGE) directives, and agency actions. This has brought an era of chaos, confusion, and uncertainty to the government marketplace as contractors endeavor to figure out what all of this means, day to day, as they proceed with contract performance.

Introduction

The National Defense Authorization Act (NDAA) for 2025 includes a mandate that contractors furnish information and documentation to enable the military to modify and repair equipment and systems. Not surprisingly, industry is pushing back on that mandate. On September 25, Senator Elizabeth Warren (D-MA) sent a letter to various industry associations, questioning their motives to prevent a right-to-repair requirement that the Senate included in its proposed defense budget for fiscal year (FY) 2025. Warren also sent a separate letter to Secretary of Defense Lloyd Austin, expressing concern about contractual restrictions that void contractor warranties when third parties perform repairs and that prevent access to operations, maintenance, integration, and training data.

1. The Real Risk of Cybersecurity: Choosing to be Unaware

Since 2016, the federal government has implemented numerous procurement regulations and associated contract clauses to address cybersecurity by requiring contractors to adopt various controls and standards to protect sensitive, unclassified information, and to harden information technology (IT) systems to make them more resilient to all manner of cyber hacks. The easy part (not that it was at all easy) was developing the controls and standards – NIST SP 800-171 (currently up to Rev. 3), and contract clauses (most notably, FAR 52.204-21, and DFARS 252.204-7012, 7019, 7020, 7021, and others). The difficult part is getting contractors to take seriously the obligation to invest in cybersecurity.

This blog post was republished in the October 2024 edition of Surety Bond Quarterly.

Did the 2023 update to the Davis-Bacon and Related Acts, which apply to contractors and subcontractors performing on certain federally funded or assisted contracts, appropriately modernize or unduly expand the Davis-Bacon Act’s (DBA) prevailing wage rule?[1] Following the Department of Labor’s (DOL) enactment of a final resolution on August 23, 2023 (final rule),[2] interested parties immediately challenged the final rule, seeking a preliminary injunction. The parties argued that specified portions of § 5.2 and the entirety of § 5.5(e) in the final rule exceed the DOL’s authority under the DBA and will result in undue hardship and irreparable harm for government contractors in the construction industry.