Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan's in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Co-Chair of the ABA Public Contract Law (PCL) Section's Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

On February 17, 2026, the Federal Acquisition Regulatory Council released a Notice of Proposed Rulemaking, proposing amendments to the FAR to implement Section 5949 of the FY23 National Defense Authorization Act (“NDAA”).  Section 5949 prohibits executive agencies from obtaining semiconductor parts, products, or services traceable to certain named Chinese companies – currently, Semiconductor Manufacturing International Corporation (“SMIC”), ChangXin Memory Technologies (“CXMT”), and Yangtze Memory Technologies Corp (“YMTC”) – subject to limited exceptions.  In accordance with the statute, the proposed amendments to the FAR would become effective on December 23, 2027.  The proposed rule is not yet final and is open for public comment until April 20, 2026. 

Continue Reading FAR Council Issues Notice of Proposed Rulemaking to Implement Prohibition on Acquisition of Certain Semiconductors

On January 23, 2026, the Office of Management and Budget (OMB) issued Memorandum M-26-05, “Adopting a Risk-based Approach to Software and Hardware Security,” which rescinds a Biden Administration requirement that all federal agencies obtain a self-attestation from software producers, in the “Common Form” developed by the Cybersecurity and Infrastructure Security Agency (CISA), before using certain third-party software.  As its rationale, OMB noted that the prior memoranda diverted agencies from developing tailored assurance requirements and failed to account for threats posed by insecure hardware.  Memorandum M-26-05 signals that the federal government is moving away from a “one-size-fits-all” approach to software security and will instead allow each agency to develop tailored requirements.  In creating their own assurance requirements, agencies may still require a self-attestation and/or Software Bill of Materials (SBOM) from the software vendor if the agency determines that such assurances are necessary based on the risks involved and the agency’s needs.

Continue Reading OMB Rescinds the “Common Form” Secure Software Attestation Requirement

This is the seventh blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The sixth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in August, September

Continue Reading August, September, and October 2025 Cybersecurity Developments Under the Trump Administration

Now that the final Cybersecurity Maturity Model Certification (CMMC) Program and Procurement Rules have been issued by the Department of War (DoW) (see our CMMC Toolkit for in-depth analysis of these Rules) and the CMMC Program is set to begin in earnest, there is some uncertainty in industry as to

Continue Reading How Will DoW Determine Which Level of CMMC Applies to My Agreement?

On September 15, 2025, the Office of the Director of National Intelligence (“ODNI”) issued the first public exclusion and removal order (the “Order”) under the framework established by the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”).  The Order applies to all products and services produced or provided by Acronis AG as well as all subordinate, subsidiary, or affiliated organizations doing business under various names in support of Acronis AG.  The exclusionary Order has two immediate impacts on the federal supply chain.  First, federal contractors entering into new contracts or following contractual modifications are prohibited from supplying products or services from Acronis to agencies that are either subject to the Order or that have otherwise adopted it (“Covered Agencies”).  Second, contractors are prohibited from using products or services from Acronis in the performance of new and modified contracts with Covered Agencies.  In addition, certain agencies must remove these products and services from particular information systems.

Although the prohibitions apply to new contract awards, all contractors to Covered Agencies that have the applicable FASCSA FAR clause (FAR 52.204-30) in their agreements must conduct diligence to determine whether they have provided or used any prohibited products or services in the performance of their contracts.  Following this review, the clause requires contractors to report any use of prohibited products or services to the Covered Agencies.

Additional detail on the FASCSA exclusionary process and this first public Order is provided below.

Continue Reading First Order Issued under the Federal Acquisition Supply Chain Security Act, Triggering Immediate Requirements on Contractors

This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.

On

Continue Reading Cybersecurity Maturity Model Certification (CMMC) Program Procurement Final Rule Announced

Consistent with the Trump Administration’s focus on procurement fraud, a recent settlement and guilty pleas secured by the DOJ demonstrate that bid rigging is in the Administration’s crosshairs.  Government contractors should be aware of the legal risks associated with bid rigging when engaging in the bidding process. 

Continue Reading Bid Rigging Risk for Government Contractors

This is the sixth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the Trump Administration.  The fifth blog is available here and our initial blog is available here.  This blog describes key cybersecurity developments that took place in July 2025. 

Continue Reading July 2025 Cybersecurity Developments Under the Trump Administration

In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies.  The case is the latest in a series of False

Continue Reading Latest Cybersecurity False Claims Act Settlement with Diagnostics Provider Focuses on Sensitive Health Systems

On July 14, 2025, the U.S. Department of Justice (DoJ) and General Services Administration (GSA) announced a $14.75 million settlement of Civil False Claims Act allegations against IT company Hill ASC Inc. (Hill).  This settlement is consistent with the current Administration’s focus on “fraud, waste, and abuse” in government procurement

Continue Reading Recent Cybersecurity FCA Settlement Demonstrates Heightened FCA Risk to Government Contractors