This article was originally published on October 8, 2025 on Law360 and is republished here with permission.
The U.S. Department of Defense released the final rule implementing the Cybersecurity Maturity Model Certification on Sept. 9.[1] Through the program, the DOD seeks to enhance protections for sensitive information.
Defense contractors’ efforts to ramp up their CMMC
The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) recently implemented the long-anticipated 50% ownership standard (or Affiliates Rule) to extend the licensing requirements under the Export Administration Regulations (EAR) to non-listed parties that are 50% or more owned by certain listed parties. This replaces the previous “legally distinct” standard that BIS had applied, which did not directly extend these restrictions to non-listed affiliates.
Shutdown, again. This advisory helps contractors manage operations during this period.
Contractors should closely monitor their customer and regulatory agencies’ websites for shutdown guidance, as agencies like DoD, DOJ, and others have already issued instructions.[1] Each agency may have slightly different responses, so staying informed is crucial. Contractors should be particularly mindful of: (1) when contractors must halt work, (2) what work and costs are reimbursable during the shutdown, (3) cost-saving measures that comply with labor laws, and (4) the impact of future administrative delays on commercial operations.
On September 10, the U.S. Department of Defense (DOD) posted its final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program for defense acquisitions.[1] This new rule (acquisition rule) updates the Defense Federal Acquisition Regulation Supplement (DFARS) and imposes new cybersecurity requirements on defense contractors who handle (store, process, or transmit) sensitive information during contract performance.
On August 28, 2025, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) published a rule relaxing certain restrictions on Syria under the Export Administration Regulations (EAR). But unlike the much broader lifting of U.S. sanctions on Syria, which we previously discussed, BIS has retained significant parts of the longstanding restrictive export control regime on Syria.
On May 23, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued Syria General License 25 (GL 25), effectively lifting most sanctions imposed under the Syrian Sanctions Regulations (SSR) (31 C.F.R. Part 542). This move, foreshadowed by President Trump on May 13 during a speech in Riyadh, aims to support Syria’s economic recovery and reconstruction following the collapse of Bashar al-Assad’s regime in December 2024. Accompanied by a set of frequently asked questions issued on May 28, GL 25 reflects a broader U.S. strategy to foster stability and align with the new Syrian government’s efforts for a “fresh start” and to rebuild.
On May 8, the Treasury Department announced a plan to introduce a new Known Investor portal as a key component of the “fast-track” process for investments by U.S. allies and partners under review by the Committee on Foreign Investment in the United States (CFIUS). This plan was previewed in the America First Investment Policy Memorandum, discussed in more detail here.
The Treasury Department has taken initial steps to implement the Trump administration’s “total elimination” policy directed at certain drug trafficking cartels. Most recently, on May 1, Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an alert advising about a rising trend of oil smuggling from Mexico across the U.S. border led by several cartels.
There are unprecedented risks and opportunities emerging for companies in the energy sector as the Trump administration’s priorities start to come into focus. Many of those are well-known to the industry. Here’s one that’s not: the Information and Communications Technology and Services (ICTS) rules, administered by the Commerce Department’s Bureau of Industry and Security (BIS).
The new Department of Justice (DOJ) Data Security Program (DSP) took effect on April 8. For an overview of the DSP, see our earlier advisory and recent update.