Recent DFARS class deviations associated with the FAR and DFARS overhaul reorganized several cybersecurity clauses, leading to confusion about government contractor self-assessment requirements. Although certain DFARS provisions were removed or renumbered, government contractors handling Federal Contract Information (FCI) must still conduct CMMC Level 1 self-assessments and post results in Supplier Performance Risk System (SPRS).
Topics: Contracts & Subcontracts Administration, Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity, Manufacturing Operations Consulting
Deltek will retire certain Costpoint authentication methods effective July 30, 2026. Users in affected cloud environments who do not transition to approved login methods may lose system access. Contractors should evaluate current configurations, coordinate with IT, and plan timely updates to avoid operational disruption and potential compliance impacts.
Topics: Accounting System Compliance, Deltek Costpoint, Cybersecurity
On December 5, 2025, the Department of Justice (DOJ) reported another settlement under the False Claims Act (FCA) related to cybersecurity. Swiss Automation agreed to pay $421,234 to the Government as a result of failing to provide adequate cybersecurity controls for drawings of parts supplied to Department of Defense (DoD) prime contractors. The qui tam suit under the False Claims Act (FCA) was brought forward by a whistleblower, not an Information Technology (IT) employee, but a Quality Control Manager of the company. The whistleblower received $65,291.
Topics: Contracts & Subcontracts Administration, DFARS Business Systems, Contractor Purchasing System Review (CPSR), Government Regulations, Federal Acquisition Regulation (FAR), Material Management & Accounting System (MMAS), Cybersecurity, Commercial Item Determination
%20Requirements%20Apply%20to%20Grants.png)
The Department of Defense (DoD) issued a final rule on September 10, 2025, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the requirements of the Cybersecurity Maturity Model Certification (CMMC) for FAR-based contracts and subcontracts, effective November 10, 2025.
Topics: Small Business Compliance, Contracts & Subcontracts Administration, DFARS Business Systems, Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity, Grants & Cooperative Agreements (2 CFR 200)
%20Program.png)
Department of Defense (DoD) issued a final rule on September 10, 2025, amending Defense Federal Acquisition Regulation Supplement (DFARS), incorporating contractual requirements under the Cybersecurity Maturity Model Certification (CMMC) program as part of the National Defense Authorization Act for FY 2020 to enhance cybersecurity for the US defense industrial base. The final rule is effective November 10, 2025.
Topics: Contracts & Subcontracts Administration, DFARS Business Systems, Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity
The Department of Justice (DOJ) implemented an initiative to pursue cybersecurity fraud in 2021 (see our article on DOJ Initiative on Cyber Security Incident Reporting), and it is apparently working.
Topics: Litigation Consulting Support, Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity
What is a Department of Defense (DoD) class deviation? It is a deviation from the Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation (DFARS) that affects more than one contract. They are issued by an authorized official and are used to deviate from the FAR or DFARS and offer flexibility in the acquisition process. Class deviations are supposed to be temporary. If the class deviation will become permanent, the Government is supposed to issue a proposed revision to the FAR or DFARS.
Topics: Contracts & Subcontracts Administration, System Award Management (SAM), Government Regulations, Cost Accounting Standards (CAS), Federal Acquisition Regulation (FAR), Cybersecurity
The FAR Council issued a proposed rule on January 15, 2025, to expand the CUI requirements into FAR under Executive Order 13556 Controlled Unclassified Information. Controlled Unclassified Information is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI may not be released to the public.
Topics: Contracts & Subcontracts Administration, DFARS Business Systems, Contractor Purchasing System Review (CPSR), Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity
On October 15, 2024, the Department of Defense (“DoD”) published the final rule of the Cybersecurity Maturity Model Certification (“CMMC”) requirements in Title 32 of the Code of Federal Regulations, effective December 16, 2024. The Final Rule updates DoD national security regulations to ensure contractors have implemented cyber security measures to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC will be contractually required when the Defense Federal Acquisition Regulation (“DFARS”) clause has not been finalized (see our article, “DoD Issues CMMC Proposed Rule – Submit your comments by October 15, 2024”). We will refer to this DFARS clause throughout this blog as the DFARS CMMC Clause Final Rule.
Topics: Contracts & Subcontracts Administration, Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity
DoD issued a proposed rule dated August 15, 2024 (DFARS Case 2019-D041) to amend DFARS to incorporate contractual requirements related to the Cybersecurity Maturity Module Certification (CMMC) Program. This implements a section of the National Defense Authorization Act for FY 2020 to enhance cybersecurity for the US defense industrial base. DoD is estimating that the final rule will be issued during Quarter 1 2025. Contractors should take heed and provide comments by the October 15, 2024, due date.
Topics: Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity