Investigations, Enforcement, & Compliance Alerts

On November 7, 2025, the U.S. Department of Defense announced a comprehensive overhaul of its procurement strategy named the “Acquisition Transformation Strategy” (ATS). The ATS envisions a wartime-oriented process that aims to prioritize rapid fielding to get equipment into the hands of warfighters, industrial-base expansion, and tighter coupling of requirements, resourcing, and acquisition execution. The accompanying directives signal a consequential restructuring of U.S. defense acquisition, requirements, and security cooperation processes as the Department aims to disestablish legacy joint requirements governance in favor of an integrated, budget-aligned model that is focused on speed, accountability, and mission outcomes. The new “Warfighting Acquisition System” will replace the existing “Joint Capabilities Integration and Development System,” creating both new opportunities and risks for federal contractors as they navigate shifting compliance expectations and material risk exposures in all aspects of the defense acquisitions process, including budget overruns, timely performance, and exportability of next-generation platforms. 

Cybersecurity requirements for contractors doing business with the U.S. federal government are nothing new. 

On October 22, 2024, the Department of Justice announced a False Claims Act (FCA) settlement related to a government contractor’s failure to adhere to certain cybersecurity requirements. Specifically, Pennsylvania State University (Penn State) has agreed to pay US$1.25M to resolve allegations that it violated the FCA by failing to comply with cybersecurity requirements in fifteen contracts or subcontracts involving the Department of Defense (DOD) or the National Aeronautics and Space Administration (NASA). The DOJ announcement is available here: https://www.justice.gov/opa/pr/pennsylvania-state-university-agrees-pay-125m-resolve-false-claims-act-allegations-relating.

It is no longer a secret that the U.S. Department of Justice (DOJ) has recently, and in some ways radically, increased its enforcement of the Foreign Agents Registration Act (FARA or the Act) and related foreign influence and lobbying laws that require adequate disclosure and transparency about domestic activities performed on behalf of foreign governments, companies, nonprofits, and other foreign actors. The uptick in recent prosecutions centered around improper foreign influence has been highlighted by the latest indictment of New York Mayor Eric Adams for allegedly receiving bribes and soliciting illegal campaign contributions from foreign sources tied to Turkey. He’s the third politician in just the last year who has been charged with crimes involving foreign influence operations—in the case of New Jersey Senator Bob Menendez, it was Egypt, and for Texas Congressman Henry Cuellar, it was Azerbaijan and a Mexican bank.

The Securities and Exchange Commission (SEC) recently charged a public company with violations of Regulation Fair Disclosure (“Regulation FD”) stemming from social media posts by the company’s CEO. These charges are evidence of a trend toward increased Regulation FD enforcement by the SEC.

The U.S. Department of Justice (DOJ) recently updated its Evaluation of Corporate Compliance Programs (ECCP) to reflect emerging challenges in corporate compliance.

The Department of Defense (DOD) is expected to finalize a new rule by the end of 2023 that will significantly enhance the Cybersecurity Maturity Model Certification (CMMC) framework and related cybersecurity requirements for defense contractors.