On June 4, 1944, General Eisenhower, Supreme Commander for all Allied Forces involved in the D-Day landing, received a weather report that weather conditions on June 5th, the scheduled D-Day, would be unsuitable for success. General Eisenhower faced a choice: pushing ahead with the plan despite the changed conditions or postponing the enormous landing force just as it was ready to move. Of course, we know that he chose correctly to postpone the operation a day. As a result, for more than 80 years we have celebrated June 6th, not June 5th, as D-Day and the successful launch to the liberation of Western Europe. Although contractors today navigating changes in policy, law, regulation, and enforcement priorities don’t (often) have the fate of the war turning on their decisions, they must take a page from General Eisenhower’s playbook and be willing to constantly update their prior assumptions and adapt to changing conditions.
In just the last few months, we have seen dramatic changes in the defense contracting world. On November 7, 2025, Secretary Hegseth unveiled a memorandum and accompanying strategy on defense acquisition reform titled “Transforming the Warfighting Acquisition System.” Just three days later, on November 10, 2025, Cybersecurity Maturity Model Certification (CMMC) Phase One requirements went live, mandating comprehensive cybersecurity compliance verification for defense contractors handling controlled unclassified information. Meanwhile, the Department of Justice announced multiple False Claims Act settlements under its Civil Cyber-Fraud Initiative over the past year, including an $11.25M settlement with Health Net Federal Services, LLC and Centene Corporation for failing to comply with cybersecurity requirements.
Like colliding weather patterns at sea, these overlapping developments indicate choppy waters ahead for defense contractors. On one hand, the acquisition reforms center on a shift in philosophy whereby “speed to capability” is now the guiding principle of the DOW. The “85% solution” is to be favored, and regulations and red tape are to be cut. On the other, cybersecurity and supply chain regulations and scrutiny are ever more complex, and DOJ has continued its Civil Cyber-Fraud Initiative to punish those out of (regulatory or contractual) compliance with the power of the False Claims Act. During these times of great change, enforcement actions and priorities are likely to be misaligned—at times—with implementation of acquisition policy reforms. Contractors should act at the speed desired under the new acquisition system but be wary of cutting corners in areas that still carry great risk.
High Speed: The Acquisition Reform Push
The Pentagon’s proposed reforms will restructure the acquisition hierarchy, with portfolio acquisition executives (PAEs) replacing program executive offices (PEOs) and gaining direct authority over funding, standards, and trade-offs. These reforms are the latest implementation of the Administration’s efforts that started with Executive Orders 14265 on April 9, 2025 and 14275 on April 15, 2025, and continued with the Revolutionary Federal Acquisition Regulation (FAR) Overhaul. The reform efforts emphasize several key principles that cut against a compliance-driven, risk-averse mindset:
- Commercial-First Approach: The plan mandates more commercial competition and directs the Pentagon to prioritize commercial solutions that can be delivered quickly even without meeting all technical specifications.
- Reduced Oversight: The reforms eliminate multiple review layers and emphasize “85% solutions” delivered quickly rather than perfect systems delivered late.
- Performance Incentives: The plan includes direction to “proportionally” penalize contractor delays and incentivize rapid delivery through financial mechanisms.
- Risk Tolerance: The entire reform philosophy embraces greater risk acceptance on behalf of the government in favor of speed.
High Drag? The Civil Cyber-Fraud Initiative and Increased Cyber and Supply Chain Scrutiny
These reforms are intended to implement a mindset where “speed replaces process.” For defense contractors to adopt this mentality though, they must remain mindful of a myriad of countervailing trends that are unlikely to cease even considering the Pentagon’s proposed reforms. For example, the Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, continues to fundamentally transform the risk landscape for government contractors. The initiative specifically focuses its enforcement efforts on entities that knowingly provide deficient cybersecurity products or services or knowingly misrepresent cybersecurity practices. What began as a theoretical enforcement mechanism has evolved into a powerful tool generating millions in settlements.
Recent enforcement actions demonstrate the breadth of this initiative. Beyond the Health Net settlement in February 2025, millions more have been paid as part of settlements related to cybersecurity requirements in federal contracts this year (see, e.g., Press Release, Department of Justice, May 1, 2025, detailing an $8.4 million settlement by Raytheon). These cases reveal several concerning trends for contractors. First, enforcement extends beyond actual breaches—contractors face liability for non-compliance even absent any compromise of government data. Second, the settlements demonstrate DOJ’s aggressive interpretation of “materiality” under the FCA, viewing cybersecurity requirements as inherently material to government payment decisions. Third, the initiative relies heavily on whistleblowers, with qui tam relators often being former employees with inside knowledge of compliance failures. Finally, these actions all occurred before the newest, more stringent CMMC requirements became enforceable.
The implementation of the first phase of CMMC 2.0 in November 2025 requires contractors to implement and verify compliance with up to 110 security controls from NIST SP 800-171, depending on their certification level. This isn’t merely a paperwork exercise—it often requires fundamental changes to information systems, security practices, and organizational culture. The timing creates particular challenges. Contractors must simultaneously invest in CMMC compliance infrastructure while facing pressure from acquisition reforms to deliver capabilities faster and at lower cost. Additionally, although commercial or near-commercial solutions are now favored by the Pentagon, there is no signal yet that the Pentagon will be waiving these requirements on a regular basis or at all. The CMMC certification process itself can take months, requiring documentation of security controls, remediation of gaps, and formal assessment by accredited third-party assessors. For small and medium-sized businesses, the cost of achieving and maintaining CMMC Level 2 certification can exceed tens of thousands of dollars annually.
More critically, CMMC compliance creates new FCA exposure. Each contract requiring CMMC certification effectively incorporates these requirements as material conditions of payment. Under Escobar’s materiality standard, and given DOJ’s position that cybersecurity requirements are presumptively material to protecting government information, any deficiency in CMMC compliance could trigger assertions of FCA liability with the government seeking treble damages and civil penalties.
Adding another layer of complexity, supply chain security continues to rightfully be a concern for the Administration and Congress. For example, Section 889 of the National Defense Authorization Act (NDAA) for 2019, implemented in the FAR, prohibits federal agencies from entering into or extending contracts with entities that use telecommunications equipment or services from Huawei, ZTE, Hytera, Hikvision, or Dahua as a substantial or essential component of any system. This prohibition extends beyond direct provision to the government to encompass any use of covered equipment throughout the contractor’s enterprise, regardless of connection to government contract performance.
The broad scope of Section 889, and the various contractual mechanisms that implement requirements for supply chain risk management (SCRM) or cyber-SCRM can create significant compliance challenges. Contractors must conduct reasonable inquiries to determine whether they use “covered telecommunications equipment” anywhere within their operations, including examining relationships with subcontractors and suppliers. Additionally, many contracts will require SCRM or C-SCRM plans that potentially create more exposure under the FCA and cost the contractor time and money.
This trend of increased cybersecurity and supply chain scrutiny is unlikely to abate; in fact, we are likely to see continued scrutiny on supply chain and cybersecurity in the years to come. This focus is a countervailing force against the Pentagon’s stated acquisition reform goals of leveraging commercial technology and accelerating procurement, because many commercial products and services incorporate components from prohibited entities, particularly in telecommunications infrastructure and security systems, and many of the most popular off-the-shelf software solutions are not yet CMMC compliant.
Practical Strategies for Navigating Through Troubled Waters
Contractors must develop sophisticated strategies to balance speed with compliance and avoid getting crushed by these competing trends.
- Risk-Based Compliance Architecture. Contractors should implement tiered compliance frameworks that prioritize compliance in high-risk areas while streamlining lower-risk processes. This involves:
  - Mapping all cybersecurity and supply chain requirements to specific contracts and business units, and scoping CMMC compliance efforts appropriately, to avoid costly additional effort if compliance levels increase because of changes in regulations or enforcement and to allow your business to rapidly jump on new opportunities. Spending a bit more now to broaden your CMMC-ready systems and business units may mean you can jump on opportunities rapidly in the future without added barriers. Creating separate compliance tracks for commercial versus government-unique requirements may have made sense in the past but may no longer make sense moving forward.
  - Implementing automated compliance monitoring for critical controls may lower costs and increase speed of delivery while still meeting the threshold requirements for security.
  - Establishing clear escalation procedures for potential violations will help avoid costly failures to meet rapid reporting requirements and avoid potential FCA exposure.
- Early Integration of Compliance in Business Development. Rather than treating compliance as a post-award consideration, contractors must integrate the most difficult requirements into opportunity assessment and proposal development. Contractors should conduct compliance gap analyses during opportunity qualification and build compliance costs into pricing models upfront. Establish go/no-go criteria based on compliance feasibility and your business’ ability to rapidly deliver in the identified PAE portfolio.
- Proactive Supply Chain Management. Section 889 compliance requires comprehensive supply chain visibility. Implementing vendor screening processes for prohibited equipment, maintaining detailed component tracking for all systems, and documenting all reasonable inquiry efforts for FCA defense purposes are essential. Having well-conceived SCRM and C-SCRM plans geared toward the most challenging of your business’s offerings will help ensure that you can quickly jump on opportunities as they arise.
- Strategic Use of Acquisition Pathways. The new acquisition system offers multiple pathways with varying requirements. In addition to the above strategies, contractors should partner with counsel familiar with, or familiarize themselves with, alternative contracting options such as Other Transaction Authorities (OTAs) and Small Business Innovation Research (SBIR) pathways with simplified requirements. Being ready to respond to these opportunities while understanding what compliance means in these more flexible arrangements will unlock opportunities.
- Documentation and Disclosure Strategies. Given FCA enforcement trends, robust documentation is more critical than ever. Maintaining contemporaneous records of all compliance decisions, documenting known limitations and compensating controls, establishing clear audit trails for all certifications and representations, and keeping records of government acceptance of any reported non-compliance will help contractors defend themselves if they come under FCA scrutiny. Additionally, with advice from qualified counsel, contractors should consider voluntary disclosure for potential violations, which will mitigate penalties.
Looking Ahead: Potential Scenarios and Adaptations
The only certainty in this environment is change. It’s possible that the tensions between increased compliance requirements in certain areas, continued robust FCA enforcement, and acquisition reforms aimed at speed will be resolved definitively in favor of one trend over another. For example, Congress may act to harmonize acquisition reform with compliance requirements, potentially creating safe harbors for rapid acquisition programs or modifying FCA application in specific contexts. Courts may provide clearer guidance on materiality standards for cybersecurity requirements, potentially limiting FCA exposure for minor or technical violations. Implementing agencies may develop more nuanced approaches that recognize the tension between speed and compliance, creating graduated requirements based on risk levels. In all cases, continued vigilance about these trends will be important to best navigate the changes and to understand which risks are smart to take and how to properly take them.
Conclusion: Business as Usual Is No Longer Viable
The trends described above reflect fundamental national security imperatives that cannot be easily dismissed. Cybersecurity threats are real and growing, especially as artificial intelligence makes attacks more prolific. This makes compliance essential for protecting sensitive information. Simultaneously, peer competitor advances demand rapid capability development and deployment. The tension between these imperatives will likely persist, requiring continued navigation of turbulent waters, rather than clear resolution and easy sailing.
The convergence of aggressive FCA enforcement, comprehensive cybersecurity requirements, restrictive supply chain mandates, and revolutionary acquisition reforms creates a difficult but potentially promising operating environment for defense contractors. Traditional approaches that prioritize either compliance or speed cannot succeed in this new landscape.
Like General Eisenhower adjusting in real-time to weather reports on the eve of the D-Day landing, today’s defense contractors must be willing to constantly reassess and adapt their strategies based on evolving conditions. The path forward demands not choosing between compliance and speed, but rather achieving both through innovation, investment, and strategic adaptation. Only contractors who master this balance will thrive in the new defense contracting landscape. Business as usual is no longer likely to lead to success—the future belongs to those who can navigate these complex waters with the correct mix of boldness and prudence.