From 2025 upheaval to 2026 strategy: Key regulatory risks and opportunities for government contractors
2025 has been an exceptionally active year for U.S. government contractors and grant recipients. A combination of executive orders, regulatory changes and legislative updates has reshaped procurement, industrial policy and compliance requirements across multiple sectors, leaving even the most experienced contractors and grant recipients uncertain about which legal requirements apply and how to align internal processes. The Federal Acquisition Regulation (FAR) has been significantly revised, with over 500 provisions removed and many more slated for retirement, while the Department of Defense's implementation of CMMC 2.0 in DFARS, effective November 10, 2025, has raised the bar for cybersecurity compliance. At the same time, Buy American domestic content thresholds have increased to 65 percent for items delivered in 2024 through 2028, with a scheduled rise to 75 percent in 2029, affecting supply chain planning and risk management.
For senior legal, compliance and executive teams at energy, infrastructure, technology, defense and private-capital-backed companies, these developments create both opportunity and risk at an unprecedented scale. This alert provides a single, clear overview of the major 2025 developments, offers a forward-looking perspective on what to expect in 2026, and includes a practical action list for legal and compliance teams to assess, align and act.
Key Developments in 2025
CMMC 2.0 Becomes Contractual Reality
The final DoD rule integrating CMMC 2.0 into DFARS is perhaps the most consequential shift of 2025 for defense and technology contractors. Under the new regime, each information system that processes, stores or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must hold a CMMC status at the level the contract requires, recorded in the Supplier Performance Risk System (SPRS) under a CMMC Unique Identifier (UID), and contractors must maintain a "current" CMMC status for the life of the contract. This finality removes much of the ambiguity that many contractors had operated under; "current" is now defined under 32 CFR Part 170 and, in practice, means the assessed status remains valid and there has been no material change in compliance.
Critically, the rule allows a conditional CMMC status at Levels 2 and 3, but only for up to 180 days while the contractor remediates identified gaps under a Plan of Action & Milestones (POA&M); not every requirement is POA&M-eligible, and a conditional status that is not closed out within the window lapses. That window is both a relief and a risk: it gives firms breathing room to fix issues, but it also sets a ticking clock that, if mismanaged, could expose them to serious compliance and contractual risk. Annual affirmations in SPRS are required, so contractors must revalidate their status every year rather than treating certification as a one-time event. Subcontractors are fully in scope: the flow-down obligations require them to hold their own CMMC status and submit their own affirmations.
From a risk perspective, this raises the False Claims Act (FCA) stakes considerably. A contractual certification plus a recurring affirmation is a specific, dated statement of fact that can be compared against the actual state of the systems, so a misstatement is easier to prove, and the government can argue that the certification is material to payment. For legal teams, this is not just a compliance exercise; it is a potential litigation and reputational exposure point. Strategically, companies that are not yet CMMC-ready need to treat this as a make-or-break issue for future DoD work. Waiting until the last minute could backfire: capacity at CMMC Third-Party Assessment Organizations (C3PAOs) is likely to be constrained, and failing to close POA&Ms in time may jeopardize contract performance or renewal.
Standardizing CUI Safeguards Across Government Contracts
The FAR Council's proposed rule to extend CUI safeguarding obligations to all federal contractors has drawn strong reactions, and for good reason. Under the proposal, contractors that process CUI on non-federal systems would be required to implement all 110 controls of NIST SP 800-171 Rev. 2, not just a subset. This is not a light lift. Many companies outside the DoD ecosystem have not built security programs to this standard, so compliance will likely require significant investment. The eight-hour incident-reporting requirement is particularly controversial. Under the proposal, contractors would have to notify their contracting officer of any suspected or confirmed "CUI incident" (including the mishandling of unmarked or mismarked CUI) within eight hours of discovery. Several public commenters have already pushed back, noting how difficult this could be for smaller companies or subcontractors that lack mature incident response programs.
There is also a financial risk: under proposed terms, if a contractor is found to be at fault for a CUI incident, it may be liable for government response and mitigation costs, in addition to other remedies. This is a meaningful shift; it attaches real financial accountability to failure, and not just reputational or regulatory risk. From a strategic lens, the rule signals that cybersecurity is being "normalized" across procurement, beyond DoD, which could fundamentally alter risk models. Legal and compliance teams should proactively map how CUI flows through their systems, assess incident response maturity, and evaluate whether to submit detailed comments on the rule. This is a key moment to influence the final contours or at least prepare for operational realities.
Heightened Enforcement: Cybersecurity & FCA Liability
The integration of CMMC 2.0 into contract terms, combined with mandatory UID reporting and annual affirmations, significantly raises enforcement risk. Legal analysts have warned that contractors who misstate compliance, or fail to remediate critical deficiencies, may face civil FCA exposure. This is more than theoretical: the government has increasingly used the FCA to enforce cybersecurity requirements, and CMMC's formal certification plus annual affirmations only amplify that risk. On the regulatory front, the FDA continues to escalate its cybersecurity expectations for medical devices. For connected or network-enabled devices, manufacturers are increasingly required to maintain threat models, provide Software Bills of Materials (SBOMs) and document their risk-management processes. While not directly a contracting issue, noncompliance here may feed into procurement risk, especially under contracts that emphasize system security and resilience. The practical implication is that life sciences and technology companies cannot silo cybersecurity within product or engineering functions. Legal and compliance teams must treat cybersecurity certifications as core contractual obligations, ensuring that product roadmaps, regulatory submissions and contractual commitments are aligned. Failure to do so could trigger both regulatory enforcement and contracting liability.
Procurement Reform & FAR Overhaul
The procurement landscape in 2025 reflects more than incremental reform. It is shifting toward a fundamentally more discretionary, commercial-style acquisition model. The White House and the FAR Council have pursued an aggressive agenda to remove non-statutory rules, streamline acquisition parts and give contracting officers more flexibility in structuring deals. More than 500 FAR provisions have been eliminated or are slated for retirement, with additional non-statutory content still under review. This reform movement is not just about reducing compliance burden: it repositions procurement to reward agility, innovation and risk-sharing. For contractors, this means traditional compliance playbooks may be less relevant. Instead, success may hinge on the ability to negotiate more creative contract terms, such as performance-based payments, modular procurement or even "right-to-repair" clauses.
But this flexibility comes with hidden risks. With greater contracting officer discretion, companies may encounter unexpected clause variations, bespoke performance metrics and less protective boilerplate. Risk allocation may no longer follow neat templates, and legal and business development teams will need to co-develop customized strategies early in the capture process. Without proactive alignment between BD, legal and operations, companies could find themselves locked into onerous tradeoffs or legacy-style risk in a supposedly modern procurement regime.
Domestic Sourcing & Supply Chain Security
In 2025, supply chain risk moved front and center as a national security issue. The Biden Administration's Quadrennial Supply Chain Review underscored how critical materials, from semiconductors to rare-earth elements, are being redefined as strategic resources. The Buy American regime has been strengthened: domestic content thresholds for end products and construction materials increased to 65% for 2024 through 2028, with a further rise to 75% scheduled for 2029. This tightening is more than symbolic: it changes the cost calculus for global supply chains. Contractors that continue to rely heavily on foreign-sourced components may face price premiums, certification burdens and the risk of non-qualification. For many, re-engineering the supply chain, whether through U.S.-based joint ventures, near-shoring or domestic partnerships, will be a survival imperative.
On the opportunity side, these shifts represent a moment for industrial mobilization. Companies that invest in U.S. production capacity now may benefit from preferential procurement, price preferences or even demand-signal programs that tie procurement to industrial strategy. Legal, compliance and operations teams must work together to build industrial playbooks, document content origin, and evaluate waiver or exception strategies. The winners will be those that can integrate sourcing strategy with compliance and capture planning, rather than treating domestic procurement as a cost burden.
Labor, DEI & Affirmative Action Policy Reversal
The federal landscape surrounding DEI-related obligations remains unsettled, creating significant operational and enforcement uncertainty for contractors and grant recipients. While Executive Order 14173 directs agencies to incorporate a certification that contractors do not operate unlawful DEI programs, implementation has not been uniform. Several agencies, including DOE, have issued class deviations instructing contracting officers to revise clauses in new solicitations and modified contracts, while others have not yet acted or are constrained by pending litigation. The Labor Department's ability to enforce the certification requirement is currently limited by a preliminary injunction, and neither the FAR Council nor OFPP has issued a government-wide definition of what constitutes a "DEI program" for certification purposes. This leaves contractors in a challenging position: the certification language, when included, is expressly tied to material compliance under the False Claims Act, yet the scope of the underlying requirement remains ambiguous. In this environment, it is critical that contract managers immediately flag to legal and compliance teams any solicitation, task order or modification that includes DEI-related representations or certifications. Teams should seek written clarification from contracting officers regarding the definition, scope and applicability of any DEI-related requirement before signing or submitting representations. Maintaining contemporaneous documentation of these communications and internal decision-making will be essential to establishing a good-faith compliance posture and defending against future FCA theories that may arise once the regulatory picture becomes clearer.
Strategic Capital Deployment: Energy, Critical Minerals & Private Capital Opportunity
With the U.S. government signaling a major industrial-policy pivot, companies in the energy, infrastructure, clean-tech, critical-minerals and private-capital sectors should pay close attention: in 2025, the Department of Energy and its Loan Programs Office (LPO) projected more than $11 billion of Title 17 loan authority to be obligated in FY 2025 and has committed to scaling up to $16 billion in FY 2026. As a result, private-capital-backed firms and industrial operators are facing a once-in-a-generation opportunity to co-invest alongside federal capital in domestic critical minerals, advanced battery manufacturing and energy infrastructure. But this is not a simple funding bonanza; the compliance overlay is deep and complex. These capital flows come with grant conditions, procurement requirements, domestic content thresholds and even ESG-linked performance triggers. Legal and compliance teams therefore must build governance frameworks that bridge grant management, industrial-base goals and commercial contracting, rather than treating each area in isolation. Moreover, companies should assess long-term "mobilization risk": grants may require scale-up obligations, and procurement agreements may include industrial-base sourcing commitments or "on-shore" content mandates. Without aligning legal risk, operations and investment planning, companies run the risk of stranded assets, regulatory non-compliance, or worse, reputational losses. The most sophisticated firms will not just comply but will turn compliance into a driver of strategic capacity building.
Critical Government Contracting Headwinds for FY 2026
For Chief Legal Officers, in-house counsel and Board members overseeing federal contractors and grant recipients, the prospect of major legislative reform projected for 2026 demands proactive risk modeling. Although originally associated in commentary with the "One Big Beautiful Bill Act" (OBBBA), the proposed cost accounting reforms, specifically raising the Cost Accounting Standards (CAS) applicability threshold from roughly $2 million to as much as $35 million, are being driven by OMB's broader procurement policy agenda. These changes could dramatically reshape a company's compliance investment, BD strategy and legal risk profile. On one hand, many mid-sized contractors may benefit from reduced CAS exposure; on the other, those close to the new threshold risk a sudden need to overhaul their accounting systems. Legal and finance teams should begin modeling scenarios now: simulating financial impact, mapping existing cost-accounting practices, and evaluating whether current ERP or financial systems can segregate and allocate costs in line with potential new rules. Only by anticipating these shifts can companies avoid compliance shocks and gain a tactical advantage as the rules evolve.
A second defining element for 2026 is the administration's sustained directive to streamline the Federal Acquisition Regulation (FAR), signaling a major shift toward a leaner, more flexible regulatory environment. While this is not full deregulation, the FAR overhaul expressly targets non-statutory compliance burdens, directing agencies to remove or retire provisions that are not essential to sound procurement. The reform does not eliminate the government's right to audit or a contractor's obligations under statutes such as the Truth in Negotiations Act; instead, it places more onus on contractors to justify their cost proposals and maintain defensible pricing. At the same time, there is a clear push for greater pricing transparency and faster acquisition cycles, which may elevate the risk of post-award adjustments and False Claims Act exposure if cost and pricing data are not rock solid. Compounding this, the Department of Defense is increasingly favoring Other Transaction Authority (OTA) agreements, a flexible mechanism exempt from many FAR rules, for prototype and innovation work. Legal and compliance teams must therefore build capacity to negotiate and operate under OTA terms, carefully protect intellectual property and data rights, and model potential audit and post-termination exposure. In this new environment, teams should stress-test their pricing models, ensure that financial systems can support more dynamic cost validation, and develop IP strategies that reflect the unique risks and opportunities of faster, non-FAR-based acquisition pathways.
Finally, the integration of artificial intelligence (AI) into mission-critical government systems continues to raise significant legal and compliance risk. A July 2025 executive order requires future procurement of large language models (LLMs) to adhere to "Unbiased AI Principles," including ideological neutrality, and directs agencies to include contract terms enabling termination for non-compliance and recovery of any associated decommissioning costs. Counsel should be prepared to negotiate tailored warranty and indemnification provisions to address the risks of AI-generated errors, bias or unintended behavior, especially where those outcomes could trigger performance failure or liability. Moreover, as policymakers and the DoD explore risk-assurance frameworks for AI-enabled systems, compliance teams should proactively develop internal AI governance mechanisms (e.g., risk management frameworks and oversight committees) to document decisions, define risk thresholds and support future contract negotiations. While not yet explicitly tied to cybersecurity rules like CMMC 2.0, emerging practices and academic models suggest that lifecycle risk, including training-data security, system validation and continuous assurance, may soon become a core expectation for AI contracting programs.
Practical Next Steps for Legal & Compliance Teams
Given the breadth and complexity of regulatory developments in 2025 and the anticipated changes for 2026, legal and compliance teams cannot rely on static policies or past practices. Contractors and grant recipients must take a proactive, structured approach to identify risk, validate controls and ensure alignment between operational, legal and strategic objectives. The following action items provide clear steps that leaders can take to prepare for heightened enforcement, evolving contract requirements and emerging industrial, cybersecurity and AI-related obligations.
1. Perform a CMMC readiness analysis: Map all business systems, identify which process, store or transmit FCI or CUI, and determine the minimum CMMC level each contract will require. Conduct a gap assessment against NIST SP 800-171 and the CMMC requirements, then draft a detailed Plan of Action & Milestones (POA&M) with timelines, owners and resources, remembering that only a limited set of requirements may remain open on a POA&M and that a conditional status must be closed out within 180 days. Engage a CMMC Third-Party Assessment Organization (C3PAO) early and consider a mock or readiness assessment so that you are prepared before the first contracts requiring certification arrive.
2. Develop robust CUI policies and incident-response protocols: Update your internal compliance playbook to include all relevant NIST SP 800-171 Rev. 2 controls. Train your teams on handling, marking and reporting CUI internally, and run regular tabletop exercises to validate your capacity to report incidents within the proposed eight-hour window. Insert triggers and workflows for escalation and map how CUI flows across subcontractors and third parties. Ensure your incident-response teams are well aligned with contracting offices so that all potential CUI incidents are handled promptly.
3. Audit your supply chain for domestic content and sourcing risk: Inventory all critical components and map their origin to assess whether they meet current and future Buy American thresholds. Engage with suppliers early to understand their capacity and build sourcing strategies that include U.S.-based production, fallback sourcing and waiver pathways. Develop internal documentation and certification systems to track origin compliance and simulate potential audits by agencies. Coordinate with procurement, operations and legal to ensure your supply-chain playbook is ready for both demand risk and compliance scrutiny.
4. Reevaluate workforce diversity, DEI and affirmative action programs: Conduct a full policy audit of current DEI, affirmative action and workforce certification programs in light of executive order changes. Identify which certifications or compliance structures can be retired, revised or replaced, but also evaluate reputational risk and stakeholder expectations. Communicate a clear, updated workforce strategy to internal teams, subcontractors and external stakeholders. Document your decision-making process and policy changes thoroughly, and consider convening a steering committee to ensure alignment between legal, HR and senior leadership.
5. Align capital deployment strategy with industrial and grant opportunities: Map federal capital sources relevant to your business (e.g., DOE LPO, infrastructure grants, DPA programs) and assess which ones align with your strategic priorities. Develop a framework that integrates grant compliance, procurement risk, ESG metrics and industrial strategy into your deal structures. Establish governance mechanisms (e.g., steering committees, cross-functional working groups) to ensure that legal, finance, operations and ESG teams are working together. Prepare for joint ventures or co-investment strategies that blend private capital with federal support, and codify clear compliance playbooks for each path.
6. Adapt procurement negotiation strategies to the new FAR regime: Train your business development, capture and legal teams on the implications of the FAR overhaul and deviations. Develop playbooks for non-traditional contract structures (e.g., performance-based, modular, right-to-repair) and negotiation tactics for inserting favorable risk-sharing terms. Run internal scenario planning to test how reduced boilerplates might affect delivery, warranty and pricing. Create governance frameworks to ensure that flexible contracts do not undermine compliance or contractual risk.
7. Institutionalize future-focused governance on AI, ESG and industrial risk: Form a cross-functional steering committee that includes legal, compliance, procurement, technology and ESG leaders, tasked with monitoring and responding to emerging regulatory trends, especially in AI governance and sustainability. Begin building an AI risk-management framework now that addresses validation, explainability, bias and supplier oversight. Integrate sustainability metrics (e.g., GHG emissions, resilience, domestic content) into your compliance and investment planning. Regularly review strategy as rulemaking unfolds, so your organization can adapt rather than react.
Conclusion
The changes and regulatory momentum of 2025 are more than incremental adjustments; they reflect a fundamental reordering of how the U.S. government procures, invests and regulates. For contractors and grant recipients across energy, technology, infrastructure, private capital and defense, success requires integrating legal and compliance insight directly into strategic decision-making. The actions taken now around cybersecurity readiness, supply chain compliance, procurement and contracting strategies, capital deployment, workforce policy and AI governance will not only shape your risk exposure but will determine your ability to compete and thrive in a federal marketplace that has been transformed in scope, speed and complexity.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP