As we welcome 2026, it is a good time for government contractors to reflect on their cybersecurity posture and on the major shifts in federal data protection policy during 2025. Last year was more than a year of incremental evolution in the cybersecurity space: it brought long-anticipated regulatory milestones and an acceleration of federal enforcement and oversight. For government contractors, understanding these changes is key to internal policy decisions and to mitigating risk in the months ahead.
Here is a look back at the most impactful updates from 2025 and what they mean for the coming year.
Finalization of CMMC
The most consequential development of 2025 was likely the finalization of Cybersecurity Maturity Model Certification (“CMMC”) 2.0. In September 2025, the Department of Defense (also known as the Department of War) (“DoD”) issued its final Defense Federal Acquisition Regulation Supplement (“DFARS”) rule, with the new requirements appearing in solicitations and contracts beginning in November 2025 (see our blog here). Contracting Officers now can require a specific CMMC level as a condition of award. DFARS 252.204-7025 is the new solicitation provision giving notice of the required CMMC level, and DFARS 252.204-7021 is the contract clause requiring the contractor to achieve and maintain that level, with assessment results and affirmations posted in the Supplier Performance Risk System (“SPRS”). Contractors should watch for these two clauses in solicitations and contracts, because their presence is what triggers the CMMC requirement. The phased rollout means requirements will continue expanding through the late 2020s, but 2025 marked the turning point: CMMC compliance is now enforceable, auditable, and tied directly to contract eligibility.
FCA and Civil Cyber-Fraud Risk
The Department of Justice (“DOJ”) continued advancing its Civil Cyber-Fraud Initiative (“CCFI”), reinforcing that cybersecurity representations can form the basis of False Claims Act (“FCA”) liability. The nine cybersecurity-related settlements in 2025 totaled $52 million. More broadly, 2025 was a record-breaking year for FCA settlements overall, totaling $6.9 billion, the highest single-year figure in FCA history. Cyber matters remain a small share of that total, but CCFI settlements have tripled in each of the past two years, signaling that cybersecurity enforcement is a continuing priority for DOJ. Last year’s enforcement actions focused on alleged misstatements about cybersecurity controls, incomplete implementation of required safeguards, and failures to disclose known gaps.
The enforcement landscape also continues to widen in terms of who is exposed. Last year a private equity firm resolved FCA allegations alongside its defense contractor portfolio company (see our blog here). In another matter, a former senior manager at a government contractor was criminally indicted for major government fraud, wire fraud, and obstructing federal audits in connection with an alleged scheme to mislead the government about the security of a cloud platform. The alleged misrepresentation was that the information system met FedRAMP and DoD Impact Level 4 and 5 security controls.
The takeaway for contractors is clear: cybersecurity compliance is not aspirational. Inaccurate certifications, outdated assessments, or unsupported claims in proposals, SPRS scores, or affirmations can expose a company to significant FCA risk. Because CMMC requires a senior company official to affirm continuing compliance, each affirmation is a discrete representation to the government, and enforcement risk under CMMC is likely to increase going forward.
FedRAMP 20x and Cloud Modernization
On the cloud side, FedRAMP 20x was announced in March 2025 as a modernization effort designed to streamline cloud authorizations (see our blogs here and here). The initiative emphasizes increased automation, closer collaboration between government and industry, and updates to the significant change process, and we expect it to yield faster authorizations and streamlined continuous monitoring requirements. The initiative is rolling out in phases. Phase One, which concluded in September 2025, was a proof of concept with a small group of industry participants offering lower-impact cloud services. Phase Two, the FedRAMP Moderate pilot, began in November 2025. Phases Three, Four, and Five are expected to stretch into 2027 before FedRAMP 20x is fully implemented.
Executive Actions
With almost one year of the Trump administration behind us, there has been a flurry of executive actions (see our tracker here for full coverage of 2025 executive orders), and cybersecurity was not immune to change. A June 2025 Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, amended prior cybersecurity directives and reaffirmed federal priorities around secure systems and digital infrastructure (see our blog here).
In April 2025, the Office of Management and Budget (“OMB”) released two new memorandums on artificial intelligence (“AI”), as directed by Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence. The first memo (M-25-21) provides guidance to agencies on federal use of AI, while the second (M-25-22) addresses agency acquisition of AI (see our blog here).
FAR and DFARS Cases
In 2025, we also saw some long-awaited updates to Federal Acquisition Regulation (“FAR”) and DFARS clauses, as well as some that we will continue to wait on through 2026. In January 2025, the proposed FAR Controlled Unclassified Information (“CUI”) rule (FAR Case No. 2017-016) was published (see our full analysis here). At the start of this year, FAR and Defense Acquisition Regulation (“DAR”) staff are still processing the public comments received on it.
See Tables 1 and 2 for the status of other cyber FAR and DFARS cases to keep an eye on:
Table 1 – Pending FAR Cases
Table 2 – Pending DFARS Cases
Looking Ahead
As we step into 2026, government contractors are navigating an evolving landscape of data security requirements. Recent regulatory updates, especially CMMC, and heightened enforcement priorities underscore the federal government’s commitment to safeguarding sensitive data and combating emerging cyber threats. Understanding these changes is essential to managing risk and maintaining eligibility for federal awards, and contractors must remain proactive to avoid missteps.