Gordon Rees Scully Mansukhani presents the latest insights from our Government Contracts group, offering a comprehensive overview of recent significant decisions, regulatory developments, and practical updates for businesses contracting with federal and state governments. Our team compiled the most pertinent legal developments to keep you informed in the dynamic landscape of government contracts.
Tune in to The Essential GovCon Brief podcast on Spotify or YouTube for an in-depth discussion of the issues highlighted here.
GSA Quietly Advances CMMC-Like Cybersecurity Requirements
In January, the General Services Administration (GSA) continued to expand cybersecurity requirements across its contracting vehicles in a manner that shares key principles with the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) framework, though without a formal program. Through solicitation provisions, contract clauses, and guidance tied to Federal Information Security Modernization Act (FISMA) compliance, GSA is requiring contractors to implement security controls aligned with NIST SP 800-171 and related standards.
GSA has been implementing these requirements through solicitations rather than notice-and-comment rulemaking, which has created considerable compliance challenges. For contractors accustomed to viewing civilian-agency work as carrying lighter cybersecurity obligations, this shift presents heightened compliance and enforcement risk. The trend reflects a broader government-wide move toward treating cybersecurity as a baseline responsibility for federal contractors, regardless of agency or contract type.
What Contractors Should Watch: Contractors should closely review GSA solicitations and modifications for cybersecurity representations, system security plan requirements, and flow-down obligations to subcontractors, particularly on Multiple Award Schedule and IT-centric procurements. Companies should also monitor whether GSA begins to require third-party assessments, enhanced reporting obligations, or formal attestations similar to CMMC certification levels. As these requirements continue to emerge incrementally, contractors failing to align internal cybersecurity practices early may face regulatory hurdles, performance risk, or increased exposure in the event of a cyber incident.
Executive Order Signals Heightened Scrutiny of Defense Contractor Performance
On January 7, 2026, the President issued an Executive Order (EO) directing the Department of Defense to prioritize warfighter readiness by increasing scrutiny of defense contractors that supply critical weapons systems and materials. The Order reflects concern that certain contractors have experienced production delays, cost overruns, or other performance shortfalls while continuing stock buybacks or corporate distributions rather than reinvesting in manufacturing capacity, workforce readiness, and supply chain resilience. It instructs DoD to identify underperforming contractors, require remediation plans where appropriate, and consider the use of existing statutory, contractual, and regulatory tools to accelerate production and improve delivery performance. The EO further calls for future defense contracts, including renewals, to more closely align executive compensation and corporate financial practices with performance outcomes such as production pace and on-time delivery.
What Contractors Should Watch: Defense contractors, particularly those supporting critical programs, should monitor how DoD implements these directives through revised contract clauses, enhanced performance oversight, and potential limitations on corporate financial practices, as well as whether similar incentive-based approaches begin to appear in civilian-agency procurements.
D.C. Circuit Upholds TSA’s Emergency Cybersecurity Mandate
In Spokane Airport Board v. Transportation Security Administration, decided January 20, 2026, the D.C. Circuit upheld the Transportation Security Administration’s (TSA) authority to impose mandatory cybersecurity requirements on airports through an emergency amendment to TSA-approved airport security programs. The court rejected the Spokane Airport Board’s challenge, holding that Congress granted TSA broad statutory authority to protect civil aviation security, including the authority to address cybersecurity threats. The court concluded that the emergency amendment was consistent with TSA’s existing regulations and was not arbitrary or capricious, emphasizing TSA’s detailed findings regarding escalating cyber threats to the aviation sector and the potential operational and national security consequences of cyber incidents. Several of the airport board’s procedural arguments were dismissed because they were not properly raised before the agency, reinforcing the importance of issue preservation in administrative challenges.
Impact: Although the case arises in the aviation context, the decision has broader implications for government contractors and regulated entities across sectors. The ruling confirms that agencies may impose significant, enforceable cybersecurity obligations through emergency or procurement-level actions without traditional notice-and-comment rulemaking and that courts are likely to defer to agency determinations that cyber threats pose immediate security risks. For contractors, the decision reinforces the government-wide shift toward treating cybersecurity as a baseline contractual and operational requirement, echoing trends seen in CMMC and civilian-agency cyber initiatives, and highlights the compliance risk of assuming that cybersecurity mandates must come through formal, centralized rulemaking.
Citation: Spokane Airport Board v. Transportation Security Administration, No. 23-1155, 2026 WL 157778 (D.C. Cir. Jan. 20, 2026).
GRSM Government Contracts Practice Group
GRSM’s Government Contracts team has considerable experience defending and enforcing the rights of our contractor clients in disputes against government entities and private businesses. In addition to litigating claims in state and federal courts, we routinely handle matters before administrative tribunals, such as the Government Accountability Office, the Small Business Administration, and the Armed Services Board of Contract Appeals.
Our team of attorneys is located throughout the United States, which allows the firm to represent contractors, regardless of size, in a wide variety of industries, including defense, information technology, construction, and aerospace, among others.
Please contact Patrick Burns or Meredith Thielbahr with any questions or for additional information.