Defense contractors face a pivotal moment as the Pentagon’s acquisition reforms land in the middle of a rapidly changing technology and regulatory environment. “Speed to capability” is now the guiding principle from the top of the Pentagon, while the Administration increasingly seeks to use aggressive levers of industrial policy to reshape the defense industrial base and related sectors—such as critical minerals and semiconductors. At the same time, advances in artificial intelligence and technologies key to defense products and services continue to rapidly evolve. Change in everything, everywhere, all at once can be bewildering. Here are the things contractors acting at the speed of relevance under the new acquisition system must know.
What Are the Key Acquisition Reforms?
On November 7, 2025, Secretary Hegseth unveiled “Transforming the Warfighting Acquisition System,” seeking to restructure defense acquisition around speed-to-capability. The core principles include:
- Commercial-First Approach: Prioritize commercial solutions that can be delivered quickly, even without meeting all technical specifications.
- Reduced Oversight: Elimination of multiple review layers; “85% solutions” delivered quickly are favored over perfect systems delivered late.
- Performance Incentives: Financial mechanisms to penalize delays and reward rapid delivery.
- Risk Tolerance: Greater government acceptance of risk in favor of speed.
To carry these changes out, Portfolio Acquisition Executives (PAEs) will replace Program Executive Offices (PEOs) and gain direct authority over funding, standards, and trade-offs.
Emphasizing Artificial Intelligence
The Trump Administration has been aggressively pushing policies to foster further development of artificial intelligence and related technologies through its AI Action Plan, various Executive Orders, and numerous initiatives such as Stargate AI and Genesis. Additionally, the Administration is using industrial policy tools and interventions to foster market elements that are key for AI development and high-tech defense sectors, such as direct investments in semiconductor technologies and firms as well as rare earth supply chains.
Not only do these actions shape the market environments for a large segment of the defense contracting industry, but they reveal an extremely pro-AI bent that will carry over into the Pentagon’s acquisition transformation and acquisition decisions. Contractors should be aware that the Pentagon is explicitly seeking to utilize AI tools to “centralize decision making” and streamline acquisitions. Contractors must be able to understand how AI systems operate and may shape the Pentagon’s decision making. Additionally, contractors must be able to communicate how their products and services will utilize AI, or operate within a system increasingly saturated with AI elements, in order to stand out in the crowd.
What Compliance Risks Remain?
Despite the push for speed in general, and the rapid adoption of AI elements across the government and industry, several compliance regimes will continue to create significant liability exposure and business risk.
Civil Cyber-Fraud Initiative
DOJ continues aggressively pursuing False Claims Act (FCA) cases, especially for cybersecurity non-compliance. Recent cybersecurity-related settlements include $11.25M (Health Net/Centene) and $8.4M (Raytheon).
Key Concerns:
- Enforcement extends beyond actual cybersecurity breaches—liability attaches for non-compliance even without data compromise.
- DOJ views cybersecurity requirements as inherently material to government payment decisions.
- Whistleblowers (qui tam relators) drive many enforcement actions.
CMMC 2.0 Phase One and Artificial Intelligence Tools
The ubiquitous adoption of AI solutions—as well as the increasing incorporation of AI into basic third-party tools contractors are already using—can complicate your cybersecurity compliance risk. Understanding how to maintain compliance with CMMC, as well as FedRAMP and other requirements, while utilizing cutting-edge tools is mandatory for competitiveness.
Effective November 10, 2025, CMMC Phase One requires contractors to implement up to 110 security controls from NIST SP 800-171, depending on certification level. This isn’t merely a paperwork exercise—it often requires fundamental changes to information systems, security practices, and organizational culture. The certification process takes months, requiring documentation of security controls, remediation of gaps, and formal assessment by accredited third-party assessors. Costs can exceed tens of thousands annually for small and medium-sized businesses.
Critically, CMMC compliance creates new FCA exposure. Each contract requiring CMMC certification incorporates these requirements as material conditions of payment. Under the Supreme Court’s Escobar materiality standard and given DOJ’s position that cybersecurity requirements are presumptively material, any deficiency could trigger FCA liability with treble damages and civil penalties.
Supply Chain Requirements
Section 889 of the 2019 NDAA, implemented in FAR 52.204-25, prohibits federal agencies from contracting with entities that use telecommunications equipment from Huawei, ZTE, Hytera, Hikvision, or Dahua. This prohibition extends beyond direct provision to the government—it encompasses any use of covered equipment throughout the contractor’s enterprise, regardless of connection to government contract performance.
Contractors must conduct reasonable inquiries to determine whether they use covered equipment anywhere within their operations, including examining relationships with subcontractors and suppliers. Many contracts also require SCRM or C-SCRM plans that create additional FCA exposure. This trend of increased supply chain scrutiny is unlikely to abate—many commercial products incorporate components from prohibited entities, creating tension with the Pentagon’s commercial-first approach.
How Should Contractors Navigate These Competing Pressures?
- Implement Risk-Based Compliance Architecture
  - Map cybersecurity and supply chain requirements to specific contracts and business units.
  - Scope CMMC compliance broadly—investing now may allow rapid pursuit of future opportunities.
  - Implement automated compliance monitoring and clear escalation procedures.
- Integrate Compliance into Business Development
  - Conduct compliance gap analyses during opportunity qualification.
  - Build compliance costs into pricing models upfront.
  - Establish go/no-go criteria based on compliance feasibility and PAE portfolio alignment.
- Strengthen Supply Chain Visibility
  - Implement vendor screening for prohibited equipment.
  - Maintain detailed component tracking and document all reasonable inquiry efforts.
  - Develop comprehensive SCRM/C-SCRM plans for your most demanding offerings.
- Leverage Alternative Acquisition Pathways
  - Familiarize yourself with Other Transaction Authorities (OTAs) and Small Business Innovation Research (SBIR) pathways, which may offer simplified requirements while still requiring appropriate compliance understanding.
- Prioritize Documentation
  - Maintain contemporaneous records of all compliance decisions.
  - Document known limitations and compensating controls.
  - Keep records of government acceptance of any reported non-compliance.
  - Consider voluntary disclosure for potential violations with advice from counsel.
Key Takeaways
- Speed and compliance are not mutually exclusive—contractors must achieve both through strategic planning and investment in solid processes, knowledgeable people or counsel, and upgraded technology solutions.
- FCA enforcement remains aggressive—cybersecurity certifications are treated as material to payment, creating treble damages exposure.
- Proactive compliance investment enables agility—broader CMMC-ready and export-compliant systems position you to capture opportunities quickly.
- Documentation is your defense—thorough record keeping supports audit responses and FCA defense, especially in a rapidly changing regulatory environment.
- Stay vigilant—the regulatory landscape continues to evolve, and business as usual is not viable.
Embrace Change
The pace of change in technology as well as the policy and regulatory environment is unlikely to slow. Contractors have to embrace this reality and adapt to it while maintaining robust compliance mechanisms to avoid catastrophic risks. Fluet’s Government Contracts Practice is actively monitoring these acquisition reforms and evolving compliance requirements to provide timely guidance and support to contractors navigating this rapidly changing landscape.



