Gordon Rees Scully Mansukhani presents the latest insights from our Government Contracts group, offering a comprehensive overview of recent significant decisions, regulatory changes, and essential updates for businesses contracting with federal and state governments. Our team compiled the most pertinent legal developments to keep you informed in the dynamic landscape of government contracts.
Tune in to The Essential GovCon Brief podcast on Spotify or YouTube for an in-depth discussion of the issues highlighted here.
Agency Update
CMMC Becomes Contract-Ready: DoD Issues Final DFARS Rule on Cybersecurity Assessments
On September 10, 2025, the Department of Defense (DoD) issued a long-awaited final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to establish uniform procedures for assessing and verifying contractor implementation of cybersecurity requirements under the Cybersecurity Maturity Model Certification (CMMC) program. The rule, effective November 10, 2025, implements certain provisions of the FY 2020 National Defense Authorization Act and marks a major step toward fully integrating CMMC into defense contracting.
The rule provides that contracting officers cannot award a contract to an offeror lacking a current CMMC status in the Supplier Performance Risk System (SPRS) at or above the level specified in the solicitation. Contractors must identify the unique identifiers for each information system used to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and maintain that information in SPRS. For solicitations and contracts issued after November 10, contracting officers will include the revised DFARS clause 252.204-7021, which formally ties eligibility for award to a contractor’s CMMC standing.
DoD has also introduced the concept of conditional CMMC status for contractors pursuing Level 2 or 3 certification. A contractor that has not yet achieved final certification may receive a conditional status for up to 180 days while it works to close outstanding items identified in an approved Plan of Action and Milestones (POA&M). Once those items are remediated, the contractor’s CMMC status becomes final. Contractors should expect DoD to verify compliance at the time of award and throughout contract performance.
Prime contractors are responsible for ensuring that their subcontractors maintain the same level of compliance when subcontract performance involves handling FCI or CUI. The final rule requires flowdown of the DFARS clause to all such subcontracts and mandates that subcontractors also post their CMMC assessment results and affirmations of continuous compliance in SPRS. While the final version removes the proposed requirement for reporting “lapses” directly to the contracting officer, existing incident-reporting obligations under DFARS 252.204-7012 remain in effect.
DoD clarified that the rule applies only to systems that process, store, or transmit FCI or CUI and does not extend to contracts solely for commercially available off-the-shelf (COTS) items. Contracting officers may also bilaterally modify existing contracts to incorporate the new clause, particularly when issuing new task or delivery orders after the rule’s effective date.
What This Means for Contractors (and What You Should Do Now)
- Perform a gap analysis now. Map out all your systems that handle FCI or CUI, check current CMMC status, and compare against the required levels you expect in upcoming bids.
- Ensure SPRS readiness. Make sure your self-assessments or certifications are properly recorded, your UIDs are correct, and your “affirmation of continuous compliance” is updated.
- Plan for conditional status/POA&Ms. If you cannot fully comply immediately, use the conditional status window wisely. Submit and close POA&Ms in a timely fashion.
- Strengthen your subcontractor oversight. Require upstream subcontractors to provide their CMMC status, plan remediation, confirm flowdown compliance, and build auditing or verification into your processes.
- Watch solicitations carefully. From November 10, 2025, onward, solicitations will start carrying the modified clause and explicit CMMC level, so be ready to respond with supporting documentation.
- Budget for compliance costs. Smaller firms, especially, should anticipate potential investment in cybersecurity controls, assessments, and internal processes to meet new obligations.
- Stay in the loop. Although this rule codifies many expectations, the full technical requirements are still rooted in the overarching CMMC Program, so make sure you stay current on guidance from the CyberAB, CMMC Accreditation Board, and DoD.
Recent Decisions
IRS’s Use of Limited Sources Justification for Sole-Source Bridge Contract Held Improper
In GovCIO, LLC v. United States, the Court of Federal Claims reviewed the Internal Revenue Service’s award of a sole-source “Scanning as a Service” bridge contract to Iron Mountain. The IRS relied on a Limited Sources Justification (LSJ) under Federal Acquisition Regulation (FAR) 8.405-6, invoking the “urgent and compelling” exception. The court held the LSJ did not provide a rational, contemporaneous explanation linking the asserted urgency, which the IRS tied to broader payment-modernization directives, to the need for a noncompetitive award for digitizing incoming returns. The court remanded for 30 days without vacatur for the IRS to supplement its justification.
Citation: GovCIO, LLC v. United States, 177 Fed. Cl. 579 (2025).
Court Upholds NASA’s Termination of Technology Development Agreements with Private Entity
In Spectre Corporation v. United States, the Court of Federal Claims granted summary judgment for NASA in a dispute over a collaboration to develop and commercialize silicon-carbide pressure sensor technology. Under the parties’ Space Act Agreement (SAA), milestone prepayment was a condition precedent to NASA’s continued performance. Spectre withheld part of a milestone payment; NASA was therefore excused from further work. The court also rejected claims of bad faith and “bait-and-switch,” finding NASA’s deliveries and timing consistent with the agreements, and upheld NASA’s termination of the patent license based on missed progress reporting and proper notice.
Citation: Spectre Corporation v. United States, No. 16-932, 2025 WL 2394834 (Aug. 18, 2025).
GRSM Government Contracts Practice Group
GRSM’s Government Contracts team has considerable experience defending and enforcing the rights of our contractor clients in disputes against government entities and private businesses. In addition to litigating claims in state and federal courts, we routinely handle matters before administrative tribunals, such as the Government Accountability Office, the Small Business Administration, and the Armed Services Board of Contract Appeals.
Our team of attorneys is located throughout the United States, which allows the firm to represent contractors, regardless of size, in a wide variety of industries, including defense, information technology, construction, and aerospace, among others.
Please contact Patrick Burns, Meredith Thielbahr, and Jeremy Camacho for further information or with any questions.