Recent developments in government contracting highlight increased scrutiny of domestic sourcing and country-of-origin certifications, anticipated enforcement of cybersecurity requirements, and Small Business Administration activity focused on small business program compliance. These developments reflect continued alignment of procurement and enforcement priorities with supply chain security, data protection, and program integrity, directly impacting contractors across the federal marketplace.
Domestic Sourcing and Country-of-Origin Certifications Remain a Compliance Priority
Federal agencies are continuing to increase their focus on contractors’ domestic sourcing and country-of-origin representations following recent executive actions emphasizing American manufacturing and supply chain security.
Agencies administering General Services Administration (GSA) multiple award schedule (MAS) contracts and other procurement vehicles are moving toward more active verification of Buy American Act and Trade Agreements Act certifications rather than relying primarily on contractor self-certifications. These efforts are consistent with broader US administration priorities aimed at strengthening domestic industry and limiting reliance on non-US supply chains in sensitive sectors.
Federal contractors should continue to review the accuracy of their domestic sourcing and country-of-origin representations. Obligations arise under the Buy American Act, the Trade Agreements Act, FAR Part 25, and common solicitation/contract provisions such as the Buy American Certificate and Trade Agreements Certificate.
For MAS contractors, the GSA requires that contractors certify the country of origin for each product and that contracting officers have access to supply chain data that can flag potentially noncompliant products. MAS contractors are responsible for keeping product information accurate throughout the life of a contract—including when manufacturers change production locations.
DOJ Expected to Focus on Contractor Cybersecurity Compliance
Following the US Department of Defense’s implementation of the Cybersecurity Maturity Model Certification (CMMC) program in November 2025, the US Department of Justice (DOJ) is expected to leverage the False Claims Act (FCA) to enforce cybersecurity requirements applicable to government contractors.
The CMMC final rule reflects the government’s move toward verifying contractor implementation of security requirements for federal contract information and controlled unclassified information (CUI). Potential FCA cases will likely involve contractors handling sensitive government information and CUI or those with access to federal information systems.
For defense contractors, in addition to the CMMC final rule, obligations often arise under clauses such as DFARS 252.204-7012, which addresses safeguarding covered defense information and cyber incident reporting, and under requirements tied to NIST SP 800-171. Together, these frameworks signal an increasingly enforcement-oriented approach to cybersecurity compliance in federal contracting.
Read our recent blog post CMMC in Effect: Cybersecurity Compliance Measures for more information on the implementation of the CMMC’s final rule.
SBA Activity Highlights the Importance of Small Business Certification Compliance
The Small Business Administration (SBA) has taken significant action involving the 8(a) Business Development Program. In January 2026, the SBA announced that it had suspended more than 1,000 8(a) firms that did not provide requested documents during a program review. In February 2026, the SBA announced termination proceedings involving 154 Washington, DC–based 8(a) firms after an eligibility review. In March 2026, the SBA announced termination proceedings involving 628 additional 8(a) firms that allegedly refused to provide requested financial data.
While these latest actions have involved the 8(a) program, the same general compliance themes apply across small business set-aside programs. SBA program materials emphasize ownership, control, economic disadvantage, and continued compliance with program requirements.
The SBA also recognizes size and status protests in programs such as service-disabled veteran-owned small business and women-owned small business programs, and its affiliation guidance explains that affiliation is based on the ability to control—even if that control is not exercised.
Looking Ahead
These developments underscore a continued focus on verification and enforcement across key areas of government contracting, including sourcing representations, cybersecurity obligations, and small business eligibility. Contractors should assess their compliance frameworks in these areas, ensure documentation and certifications remain accurate and current, and monitor enforcement developments as agencies and regulators continue to operationalize these priorities.