Government Contractors: Five Must-Watch Issues as 2025 Closes

Federal contractors face a rapidly changing landscape as we approach the end of 2025. With the government recently reopened after the longest shutdown in history, contractors should be aware of five key developments - and what actions to take:

1. FAR Overhaul Now in Effect

The "Revolutionary FAR Overhaul" aims to simplify and reorganize the FAR. On November 3, 2025, the first phase took effect, with several civilian agencies, including GSA, implementing class deviations to adopt the updated regulations. It is important to note that defense agencies have not yet implemented any class deviations adopting the FAR updates.

Contractor Actions:

• Check solicitations issued after November 3 for new deviation clauses.
• Monitor agency publications for updated guidance and additional deviations.
• Review internal FAR matrices and compliance guidance because definitions and flow-down obligations may have changed.
• Additional changes to the FAR will continue in 2026, so it is important to monitor the next phases of implementation and to update practices and policies as required.

2. Defense Acquisition Reforms

On November 7, 2025, Secretary of War Pete Hegseth announced "sweeping reforms" to the defense acquisition system outlined in an Acquisition Transformation Strategy plan and accompanying memoranda. Such proposed reforms include commercial-first sourcing, direct-to-supplier purchases and organizational changes within procurement offices. A number of the proposed reforms, such as expanding the use of commercial-item acquisition and eliminating certain regulatory requirements, are reflected in drafts of the 2026 National Defense Authorization Act (NDAA) pending in both the House and Senate.

Contractor Actions:

• Because the details of the proposed overhaul are not yet settled, defense contractors should pay close attention to the evolution of the proposed reforms, including in the 2026 NDAA.

3. CMMC 2.0 Implementation

The CMMC 2.0 program entered Phase 1 on November 10, 2025. Under this initial phase, applicable defense agency solicitations will require contractors to provide a self-assessment of their CMMC Level 1 or Level 2 compliance. Phase 2, set to begin in late 2026, will require third-party assessments for CMMC Level 2. Phase 3, set to begin in 2027, will require Government certification for CMMC Level 3.

Enforcement Note:

Contractors should be aware that the DOJ, through the Civil Cyber-Fraud Initiative, launched in 2021, is actively investigating false CMMC certifications and other cybersecurity compliance issues under the False Claims Act (FCA). The DOJ has brought several cybersecurity-related matters in recent years that have resulted in multimillion-dollar FCA settlements. For example, in March 2025, defense contractor MORSECORP agreed to pay $4.6 million to resolve allegations that it violated the FCA by falsely representing its compliance with cybersecurity requirements in its contracts, including misrepresenting its NIST SP 800-171 self-score. Similarly, in May 2025, Raytheon Company and certain of its affiliates also agreed to an $8.4 million settlement for alleged false representations concerning its compliance with cybersecurity requirements. These developments underscore that cyber compliance is a growing enforcement priority.

Contractor Actions:

• Ensure that CMMC self-assessments or cybersecurity certifications are accurate and compliant with relevant requirements.

4. CPARS Reform

Congress and the Pentagon are pursuing changes to CPARS. Proposed legislation in the 2026 NDAA aims to replace the current adjectival scoring system (Exceptional, Very Good, Satisfactory, Marginal, Unsatisfactory) with a "negative-only" model that records only significant performance failures such as late deliveries, safety incidents or cybersecurity violations. The Government's stated goal is to make past performance reporting more objective and consistent. These changes are expected to take effect six months after the 2026 NDAA becomes law.

5. Small Business M&A Grace Period Ends January 17, 2026

On January 16, 2025, the US Small Business Administration (SBA) issued a new final rule that made significant changes to several SBA regulations, including by changing the way the SBA evaluates a contractor's eligibility for future task orders under a multiple-award small-business contract after a merger, sale or acquisition involving the contractor or an affiliate of the contractor. Under the prior regulation, the contractor generally remained eligible for new task orders under existing multiple-award small-business set-aside contracts despite having to recertify as "other than small" following such a transaction. Through new language included in 13 C.F.R. § 125.12, the SBA established the opposite paradigm, stating that a recertification as other than small following a merger, sale or acquisition generally would render the contractor ineligible for future set-aside task orders.

But SBA provided, in 13 C.F.R. § 125.12(g), that this rule change would have a "delayed effective date" of January 17, 2026 and that "[a] firm that has a disqualifying size or status recertification due to a merger, acquisition or sale that occurs prior to January 17, 2026 remains eligible for orders issued under an underlying small business multiple award contract." Thus, SBA gave small-business contractors a one-year grace period to effect corporate transactions before the consequence of these transactions would be a loss of eligibility for future task orders. This grace period ends next month.

Contractor Actions:

• Small businesses and potential buyers considering a transaction should be aware that they have limited remaining time to effect a transaction before the new rule permanently forecloses such task order eligibility.

Synopsis

The federal contracting environment is shifting quickly. The FAR Overhaul is coming into effect across many federal agencies; the Pentagon is proposing to transform its acquisition system; CMMC 2.0 has entered its first implementation phase; CPARS reform may soon change how past performance is evaluated; and the expiration of SBA's one-year amnesty period on January 17, 2026 means that an M&A event will trigger a loss of eligibility for new task orders under existing multiple-award small-business contracts. Contractors should actively monitor these developments, update internal systems and adapt compliance programs now to be positioned to maintain eligibility and competitiveness across federal markets in 2026 and beyond.

This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm's data policy page for further information.