GSA Issues New Framework for Protecting CUI in Contractor Systems

Michael Joseph Montalbano ●

Last month the General Services Administration’s (“GSA”) Office of the Chief Information Security Officer (“OCISO”) issued CIO-IT Security-21-112 Rev. 1, a procedural guide governing how Controlled Unclassified Information (“CUI”) must be protected when it resides in nonfederal contractor systems. Although styled as internal process guidance rather than a regulation, the document establishes a detailed approval framework that will determine which contractors are eligible for GSA contracts that include CUI.

Background and Scope

The guide, which implements GSA’s approach to safeguarding CUI, uses National Institute of Standards and Technology (“NIST”) SP 800-171, Revision 3, selected enhanced requirements from NIST SP 800-172, and selected privacy controls from NIST SP 800-53, Revision 5. It applies where CUI is resident in a contractor system that is not operated on behalf of the federal government, and therefore is not subject to the Federal Information Security Modernization Act or the Federal Risk and Authorization Management Program (“FedRAMP”). Use of this process requires coordination with OCISO and approval by the GSA Chief Information Security Officer. GSA intends to eventually incorporate these requirements into applicable contracts and solicitations.

Continue reading “GSA Issues New Framework for Protecting CUI in Contractor Systems”

DOJ Announces Record-Breaking False Claims Act Recoveries in FY 2025: What the Stats Portend for 2026

Jennifer A. Short and Oliver E. Jury ●

Jennifer A. Short headshot image

Fiscal Year (“FY”) 2025 yielded a historic high of over $6.8 billion in False Claims Act (“FCA”) settlements and judgments, underscoring the Department of Justice’s (“DOJ”) aggressive enforcement. DOJ’s annual report, released January 16, 2026, showed that healthcare fraud matters again dominated the lion’s share of the moneys recovered, accounting for more than $5.7 billion, and reaffirming the sector’s centrality to FCA priorities. Qui tam lawsuits also retained an outsized influence, representing approximately $5.3 billion in recoveries for both intervened ($3.0 billion) and declined ($2.3 billion) cases. On the flip side, that means the government recovered some $1.5 billion without the aid of an underlying whistleblower complaint. The pipeline of new cases looks robust moving forward: whistleblowers filed a record 1,297 new qui tam suits, and DOJ opened 401 new investigations.

Continue reading “DOJ Announces Record-Breaking False Claims Act Recoveries in FY 2025: What the Stats Portend for 2026”

Prioritizing the Warfighter in Defense Contracting—What Does the New EO Mean for Contractors?

Scott Arnold 

President Trump issued an Executive Order (“EO”) on January 7, 2025, that seeks improved performance of defense contracts and enhanced contractor investments in production capacity through measures that would impose limits on executive compensation when contractor performance or investment levels are deemed inadequate. The EO, Prioritizing the Warfighter in Defense Contracting, appears predicated on the belief that “after years of misplaced priorities, traditional defense contractors have been incentivized to prioritize investor returns over the Nations’s warfighters.” To address this, the EO states that “[m]ajor defense contractors will no longer conduct stock buy-backs or issue dividends at the expense of accelerated procurement and increased production capacity.” While the desire to improve defense contract performance is understandable, the attempt to do so through regulation of executive compensation is unprecedented.

What Does the EO Require?

The EO sets forth two key mechanisms through which the new priorities will be implemented.

Continue reading “Prioritizing the Warfighter in Defense Contracting—What Does the New EO Mean for Contractors?”

Preliminary Takeaways as DoD Seeks to Redesign the Defense Acquisition System for Wartime Speed

Oliver E. Jury ●

During a speech before key players in the defense industrial base on Friday, November 7, Secretary Hegseth announced plans for a sweeping transformation of the Defense Acquisition System, redesignating it as the Warfighting Acquisition System (“WAS”) and elevating speed-to-field as the organizing principle. The reforms would concentrate authority, expand competition and modularity, adopt commercial-first pathways, modernize contracting and training, and streamline oversight—all aimed at accelerating capability delivery and scaling industrial capacity for surge. While much will depend on how these announced changes are implemented, in this post we highlight key aspects of the changes and identify potential impacts to monitor. Secretary Hegseth’s full recorded remarks are available on C-SPAN’s website.

Redesignation and Organizing Principle

Acquisition is to be treated as a warfighting function, with every process required to justify its value to timely capability delivery. The WAS will reframe success around time-to-capability rather than exhaustive specification compliance.

Potential impact: Companies should expect solicitations and evaluations to prioritize schedule credibility and operational outcomes, reshaping win strategies toward demonstrable speed and adaptability.

Continue reading “Preliminary Takeaways as DoD Seeks to Redesign the Defense Acquisition System for Wartime Speed”

BIS Rescinds 2024 Firearms Export Controls, Reduces Regulatory Burdens on U.S. Firearms Industry

Anthony Rapa and Patrick F. Collins ●

The U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule on September 30, 2025, rescinding the 2024 interim final rule (“Firearms IFR”) under the Export Administration Regulations (“EAR”) that had imposed new export license requirements and restrictions on firearms, ammunition, and related items. The new rule restores export controls for these items to their pre-May 2024 status, with the exception of maintaining certain new Export Control Classification Numbers (“ECCNs”). The action is intended to reduce regulatory burdens on U.S. firearms exporters while maintaining appropriate controls to protect national security and foreign policy interests.

Background

BIS issued the Firearms IFR on April 30, 2024, tightening controls on commercial firearms, ammunition, and related items under the EAR. It created four new ECCNs for semi-automatic rifles, pistols, shotguns, and certain parts (0A506-0A509) on the Commerce Control List (“CCL”). It also applied broad crime-control licensing worldwide, shortened license validity to one year, curtailed certain license exceptions, and adopted presumptions of denial for non-government end users in 36 high-risk destinations.

The Firearms IFR followed a 2023 licensing pause and policy review that identified significant diversion and misuse of U.S.-origin guns abroad. BIS used the Firearms IFR to act swiftly while soliciting public comment on further refinements.

Continue reading “BIS Rescinds 2024 Firearms Export Controls, Reduces Regulatory Burdens on U.S. Firearms Industry”

E‑Verify, FAR 52.222‑54, and Renewed FCA Risk: What Contractors Need to Know

Jennifer A. Short, and Oliver E. Jury ●

Jennifer A. Short headshot image

The current administration’s focus on immigration played out in a recent False Claims Act (“FCA”) matter in which a federal contractor was alleged to have billed for unauthorized workers in violation of FAR 52.222‑54 (Employment Eligibility Verification, “E-Verify”).

On September 18, 2025, the Department of Justice (“DOJ”) announced that Bayonne Drydock and Repair Corporation (“Bayonne”) agreed to pay $4,043,810.56 to resolve allegations that unauthorized workers worked on Bayonne’s Navy contracts over multiple years.

According to DOJ’s press release, in 2016, the Department of Homeland Security (“DHS”) sent a “Notice of Suspect Documents” to a subcontractor controlled by Bayonne’s Risk Manager, questioning the work authorization of certain subcontractor employees. While the Risk Manager terminated the unauthorized employees, she re-hired some of them through another subcontractor that she controlled. Bayonne’s settlement agreement with DOJ asserts that between 2016 and 2020, Bayonne billed the government for the work of approximately 52 unauthorized employees working for entities owned or controlled by Bayonne’s Risk Manager. The settlement agreement also confirmed that the Risk Manager pled guilty to criminal charges stemming from her role with Bayonne and its subcontractors.

Continue reading “E‑Verify, FAR 52.222‑54, and Renewed FCA Risk: What Contractors Need to Know”

U.S. Department of State Eases Military Drone Export Review Policy

Anthony Rapa and Patrick F. Collins ●

The U.S. Department of State (“State”) announced an update to its miliary drone export review policy on September 15, 2025, pursuant to which advanced unmanned aerial systems (“UAS”) will be subject to an export control policy similar to that of crewed aircraft, rather than more restrictive review applicable to missiles. Key takeaways include:

1. Policy Shift: Drones Reviewed Like Fighter Jets, Not Missiles

State announced that pursuant to the policy change, it will consider requests to export UAS similarly to how it reviews requests to export crewed fighter aircraft, rather than as missile systems. This marks a departure from the longstanding application of the Missile Technology Control Regime (“MTCR”) to exports of certain UAS, which imposed a strong presumption against the transfer of large, weaponizable drones due to their range and payload capabilities and provided for rigorous review of other UAS transfers.

Continue reading “U.S. Department of State Eases Military Drone Export Review Policy”

Where Grant Litigation Stands After the Supreme Court’s Jurisdictional Ruling in NIH

Dominique L. Casimir

The Supreme Court issued a fractured, 4-1-4 ruling on its emergency docket in National Institutes of Health v. American Public Health Association, No. 25A103, 606 U.S. ____ (2025) (per curiam) (“NIH”) on August 21, 2025.

The Court’s ruling left behind a complex legal landscape, because four justices wrote that a district court has jurisdiction to hear both a challenge to agency guidance alleged to be arbitrary and capricious, and challenges to grant terminations based on that guidance. Four other justices wrote that the entire case (i.e., both the challenge to the agency guidance and the challenge to grant terminations based on that guidance) belongs in the Court of Federal Claims. In the end, the outcome was controlled by a single justice (Justice Barrett), who decided the jurisdictional issue in a manner inconsistent with the views of eight justices. In her controlling concurrence, Justice Barrett ruled that a district court has jurisdiction to hear a challenge to agency guidance, but lacks jurisdiction to hear challenges to grant terminations based on that guidance because grant termination challenges are subject to the Tucker Act and therefore belong in the Court of Federal Claims.

Two lower opinions handed down since NIH show lower courts falling in line with Justice Barrett’s ruling in NIH:

Continue reading “Where Grant Litigation Stands After the Supreme Court’s Jurisdictional Ruling in NIH”

This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule

Michael Joseph Montalbano ●

After years of drafts and interim measures, the Department of Defense (“DOD”) has issued the final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) program. This long-awaited development cements CMMC as a contractual requirement and clarifies key aspects of the rule’s certification, compliance, and oversight requirements.

How Will CMMC Work?

Under the final rule, every solicitation where a contractor may store, process, or transmit Federal Contract Information (“FCI”) or controlled unclassified information (“CUI”) will be assigned a CMMC level. Solicitations involving just FCI will have a CMMC Level 1 requirement. Solicitations involving non-Defense CUI will have a CUI Level 2 Self-Attestation requirement. Solicitations involving Defense CUI will have a CUI Level 2 third-party certification (i.e., C3PAO) requirement. Solicitations involving particularly sensitive DOD programs will have a Level 3 requirement. Level 3 requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”).

Continue reading “This Is Not a Drill: Department of Defense Issues Long-Awaited Final CMMC DFARS Rule”

The Bottom Line: Cost and Pricing Updates | Sum Certain

Stephanie M. Harden and Shane M. Hannon ●

Appeal of Samho Enterprise, ASBCA No. 63587 (Aug. 13, 2025)

The Bottom Line: The Contract Disputes Act (“CDA”) requires that if a contractor submits a claim for payment to the Government, the claim must include a “sum certain”—with the emphasis on “certain.” Here, the contractor submitted a claim for damages after the Government declined to exercise the contract’s first option year. The contractor submitted a claim for “no less than” $326,276. The claim’s qualifying language—“no less than”—meant the claim did not state a sum certain. The Armed Services Board of Contract Appeals (the “Board”) therefore dismissed the contractor’s appeal.

Key points of interest:

  • A sum certain is a mandatory element of a CDA claim. If a contractor’s claim fails to state a sum certain, the contracting officer may deny the claim on that basis, and the Board may dismiss any subsequent appeals for failing to state a claim.
  • Using qualifying language to describe the requested amount does not constitute a sum certain. If a claim characterizes its requested amount with qualifying language, like “approximately,” “to be determined,” or “in excess of,” the claim does not state a sum certain under the CDA.
  • Pursuant to the Federal Circuit’s 2023 decision in ECC International Constructors, the “sum certain” requirement is not a jurisdictional requirement. Accordingly, the Board dismissed the appeal without prejudice.
  • The contractor’s appeal also asked the Board to order the agency to exercise the contract’s option year. The Board reiterated it does not have jurisdiction over requests for specific performance.

Contractors submitting claims for monetary relief must include a “sum certain,” not a “sum approximate.” Failure to state a sum certain is fatal to a claim.