
Cybersecurity requirements and federal procurement rules are getting a serious update. In our latest webinar, Eric Crusius, Partner at Hunton Andrews Kurth, joined Archisha Mihan, Founder of FedConsult, to walk us through two major shifts in the federal contracting world:
- The upcoming enforcement of CMMC 2.0
- The sweeping rewrite of the Federal Acquisition Regulation (FAR)
If you’re a government contractor—prime or sub—these changes will affect how you win, manage, and retain federal work. Here’s what you need to know.
CMMC: From Trust to Verification
The Cybersecurity Maturity Model Certification (CMMC) isn’t new—but the enforcement is. Starting November 10, 2025, the Department of War (formerly Department of Defense) will begin including CMMC requirements in contracts, with full rollout planned over the next three years.
CMMC 2.0 introduces three certification levels, tied to the type of data you handle:
- Level 1: For contracts with basic Federal Contract Information (FCI) – self-assessment
- Level 2: For contracts involving Controlled Unclassified Information (CUI) – either self-assessment or third-party certification
- Level 3: For highly sensitive CUI – government-led assessments
Eric emphasized that while CMMC requirements will first appear in new solicitations, contracting officers can also add them to existing contracts through bilateral modifications. So even if your current work seems unaffected, that could quickly change.
Compliance Isn’t Optional—And the Risks Are Real
One of the most impactful moments of the webinar was the cautionary tale of a small defense contractor that paid $4.6 million to settle allegations tied to cybersecurity noncompliance. The issue? They reported a compliance score of 104 in the Supplier Performance Risk System (SPRS), but a later assessment revealed their actual score was -142.
In today’s environment, mistakes like that can trigger False Claims Act investigations—and reputational damage. Even if you’re still waiting for an official assessment, your self-attested score must be accurate, documented, and defensible.
Subcontractors Take Note
Many companies assume that only primes are on the hook for CMMC, but that’s not the case. If you’re a subcontractor and your work involves handling CUI, you may need to meet the same certification level as the prime. Large contractors are already requesting compliance evidence from suppliers, and some are making sourcing decisions based on who’s furthest along in the process.
Eric also noted that there are solutions—like virtual desktop environments—that allow primes to share sensitive data securely with subs who aren’t fully certified yet. But those solutions take planning, and they don’t work in every scenario.
What About the FAR?
While CMMC has grabbed most of the headlines, the FAR is also undergoing one of its most significant overhauls in decades. The rewrite aims to simplify language, eliminate redundancy, and consolidate commercial contract rules under FAR Part 12. A new Part 40 has also been introduced to address cybersecurity and supply chain risks.
One key change to watch? Contracting officers may soon have more discretion during proposal evaluations, including the ability to conduct discussions with select offerors rather than every qualified bidder. That shift could speed up the process, but also raises questions about transparency.
What Should Contractors Be Doing Right Now?
If you’re unsure whether these changes apply to you—or how to respond—Eric offered this straightforward advice:
- Review your current contracts to identify if and where CUI is involved.
- Confirm your SPRS score is accurate and backed by documentation.
- Get on the schedule of a C3PAO (CMMC Third-Party Assessment Organization) if you need third-party certification—assessor availability is limited.
- Communicate with subs or primes to clarify cybersecurity responsibilities and flow-downs.
- Stay updated on both CMMC and FAR developments—changes are still unfolding.
Final Thoughts
CMMC and the FAR rewrite are more than regulatory shifts; they’re business shifts. Companies that treat cybersecurity as a strategic asset rather than a compliance burden will be better positioned to compete, grow, and protect their reputations in a more demanding federal landscape.
Didn’t catch the live webinar? You can find the full recording and slide deck here.