First Quarter 2026 Government Contracts Policy and Regulatory Review

At a Glance

• In order to align its required representations and certifications with executive orders and other executive branch guidance targeting race-based DEI activities, the General Services Administration (GSA) issued a proposed SAM.gov certification regarding "illegal DEI," potentially increasing certification, audit, and enforcement risks for federal contractors and grant recipients.
• Federal agencies continued to implement the "Revolutionary Federal Acquisition Regulation (FAR) Overhaul" through class deviations, while GSA has separately issued a new cybersecurity framework that signals a move toward government-wide cybersecurity baselines.
• Small businesses experienced significant upheaval during the first quarter of 2026, as the Small Business Administration conducted mass suspension and termination actions while issuing new 8(a) eligibility guidance. Combined with the Department of Defense's (DoD) own 8(a) audit, small businesses doing business with the federal government should continue to expect greater scrutiny.

The first quarter of 2026 presented material shifts in the federal contracting and grants landscape, with continued enforcement-focused actions, additional changes pursuant to the ongoing "Revolutionary FAR Overhaul," and significant new cybersecurity and small business oversight initiatives. Recipients of federal funding should continue to expect greater enforcement of agency priorities throughout the year. In this alert, we summarize some of the most consequential legislative and regulatory developments for recipients of federal funding, including compliance risks and strategic considerations.

New Actions Targeting DEI Activities

New Executive Order Targets "DEI Discrimination" by Federal Contractors

On March 26, 2026, President Trump issued Executive Order (EO) 14398, "Addressing DEI Discrimination by Federal Contractors." As we previously covered, the EO represents an escalation from the administration's previous anti-DEI initiatives by providing a more specific definition of "illegal DEI" and focusing on potential False Claims Act (FCA) theories associated with cost and pricing audits. The EO is also notable in that only race-based "discriminatory activities" are within the scope of the EO, as opposed to prior actions that had referenced discrimination based on race, sex, sexual orientation, religion, or national origin.

While previous actions, such as Executive Order 14173 (issued January 21, 2025), already revoked prior affirmative action policies and directed agencies to include new terms in contracts and grant agreements requiring recipients to "certify" that they do "not operate any programs promoting DEI that violate any applicable Federal anti-discrimination laws," the new EO offers a more specific definition of "racially discriminatory activities" based on "disparate treatment based on race or ethnicity in the recruitment, employment (e.g., hiring, promotions), contracting (e.g., vendor agreements), program participation, or allocation or deployment of an entity's resources."

In addition to authorizing contract termination and suspension actions based upon “illegal DEI,” the new EO presents elevated FCA violation risks, given its references to "artificial costs in hiring, promotion, and operations" allegedly resulting from "racially discriminatory DEI activities." Similar to EO 14173, this EO characterizes its DEI-related prohibitions as "material" to federal payment decisions. Going forward, agencies may argue that certain costs for organizational "DEI activities" among contractors are unallowable or not allocable to federal awards, and may treat such expenditures as evidence of overcharging or inflated indirect cost rates. This could result in greater scrutiny during subsequent audits and reviews of contractor documents, particularly as the EO directs agencies to include a new contract term requiring the furnishing of "all information and reports, including . . . access to books, records, and accounts" to ascertain compliance with the EO.

Consistent with previous compliance efforts, contractors should continue to review and assess recruitment, employment, and subcontracting practices to identify any initiatives that might be covered by the EO's definition of "racially discriminatory DEI activities." Contractors, federal funding recipients, and their subcontractors or subgrantees should also review their subcontracting templates and "flow-down" procedures to address DEI-related compliance obligations.

"Illegal DEI" Certifications in SAM.gov

While Executive Order 14398 focused on federal contracting, the General Services Administration advanced similar changes affecting all federal financial assistance recipients through new proposed certifications in the System for Award Management (SAM.gov). In January and February 2026, GSA proposed revisions to the SAM.gov Financial Assistance General Certifications and Representations to align the language with updated executive branch guidance, including July 2025 guidance from the Department of Justice (DOJ) regarding "unlawful discrimination" activities. We previously covered the impact of the July 2025 DOJ guidance, which represented a significant expansion in how DOJ might attempt to apply federal antidiscrimination laws to federal funding recipients going forward, as evidenced by several subsequent FCA inquiries into major private companies.

Unlike agency-specific award terms, the certifications contained in the new GSA proposal would be made at the time of initial SAM.gov registration and at each SAM.gov renewal, including before any specific award decisions are made. This structure could broaden risk exposure for recipients of federal funding because a single certification would apply across all present and future grant programs (as opposed to a single award).

GSA's proposed revisions also incorporate a nonexhaustive list of examples of practices that DOJ asserts would violate antidiscrimination laws (e.g., race-based training programs, mandatory diversity statements, diverse hiring requirements). Additionally, the GSA text requires federal funding recipients to broadly certify that they will "not knowingly bring or attempt to bring to the United States, transport, conceal, harbor, shield, hire, or recruit for a fee an illegal alien; and will not induce an alien to enter or reside in the United States with reckless disregard of the fact that the alien is illegal." GSA also added a reference to the Administrative False Claims Act of 2023, which empowers agencies to independently pursue fraud cases of up to $1 million rather than referring such actions to DOJ.

Although many organizations already certify their compliance with applicable antidiscrimination laws and federal employment eligibility verification requirements (e.g., Form I-9 and E-Verify obligations), these new certifications signify an expansion of front-end compliance attestations and reinforces the administration's broader approach of enforcing policy priorities through centralized representations rather than through program-specific enforcement actions alone. The finalized certification language has not yet been issued, as the public comment period only ended on March 30, 2026.

Significant Updates Affecting Small Businesses

SBA 8(a) Audit Actions and Mass Suspensions

The first quarter of 2026 marked an unprecedented period of enforcement activity in the Small Business Administration's (SBA) 8(a) Business Development Program, reflecting a sustained initiative focused on reshaping the program in accordance with the current administration's priorities. SBA's actions unfolded in several phases, moving from procedural suspensions to substantive termination proceedings, while parallel review activity emerged within the Department of Defense.

In January 2026, SBA suspended over 1,000 8(a) participants, representing approximately 25% of the active program. The suspensions followed SBA's December 2025 data call, which directed participants to produce extensive financial documentation (i.e., three years of financial statements, bank records, ownership and control documentation, payroll records, and contract performance information) as part of an expanded eligibility review process. The January suspensions were largely procedural in nature, driven by incomplete submissions of requested materials rather than individualized findings of fraud or ineligibility.

Along with the January 2026 suspensions, SBA issued updated public guidance in January 2026 to outline expectations for 8(a) participants going forward. The guidance reflects heightened scrutiny of economic disadvantage thresholds and asserts SBA's position that, under SBA's previous regulations, "large segments of American society were excluded from the presumption [of social disadvantage] and, in practicality, from the program — particularly white Americans," constituting "unlawful" activity. Going forward, when considering "whether an individual has suffered social disadvantage," SBA will consider "whether such individual has been the victim of illegal or radical DEI policies or illegal affirmative action policies or has otherwise been the victim of discriminatory practices such as race-based quotas, set asides, or hiring targets, in each case, whether by governmental or non-governmental actors." The guidance signals a dramatic departure from the previous SBA regulatory regime.

The next month, in February 2026, SBA escalated enforcement efforts by initiating termination proceedings against 154 Washington, D.C.-area 8(a) firms following an internal eligibility review conducted by SBA's Office of Government Contracting and Business Development. SBA determined that these firms exceeded statutory economic disadvantage thresholds, including limits on net worth, adjusted gross income, or total assets. SBA implemented 30-day suspensions as a precursor to final termination and emphasized that these actions reflected substantive, rather than procedural, eligibility determinations.

On March 4, 2026, SBA announced it had initiated additional termination proceedings against 628 additional 8(a) firms that allegedly did not comply with SBA's request to produce financial records as part of the December 2025 audit. With this action, SBA reported that it had removed nearly 800 firms, or roughly 20% of the entire 8(a) program, through suspension or termination proceedings since the December 2025 audit began. SBA indicated that the audit remains ongoing and that further enforcement actions, including referrals for investigation, may follow.

Taken together, SBA's actions and updated guidance reflect a new enforcement posture centered on the administration's efforts to target "illegal DEI." Section 8(a) participants and prime contractors that rely on 8(a) partners should expect continued oversight in 2026 and should ensure that financial records, eligibility documentation, and performance structures are current and complete across federal contracting activities.

Department of Defense 8(a) Program Review

In parallel to SBA's actions, on January 16, 2026, the Department of Defense initiated a separate review of its use of the 8(a) program. DoD's review will focus on sole-source awards, compliance with statutory caps, and close enforcement of performance requirements under the program. Although DoD has not announced formal regulatory changes, the review has contributed to increased scrutiny by contracting officers, particularly for high-value or follow-on 8(a) awards.

New Proposed FAR Rule on Prohibition of Certain Semiconductor Products and Services

On February 17, 2026, the FAR Council issued a notice of proposed rulemaking to amend the FAR to implement portions of Section 5949 of the FY 2023 National Defense Authorization Act. The proposed rule would prohibit executive agencies from procuring or obtaining certain products and services that include covered semiconductor products or services, effective December 23, 2027. Critically, products and services acquired before this effective date may continue to be used for their full lifecycle, even if they contain covered semiconductors.

"Covered semiconductor products or services" are defined in the proposed rule to include semiconductors designed, produced, or provided by specified Chinese entities, including Semiconductor Manufacturing International Corporation (SMIC), ChangXin Memory Technologies (CXMT), and Yangtze Memory Technologies Corp. (YMTC), as well as their subsidiaries or affiliates. The definition also extends to semiconductors produced by any entity determined by the Department of Defense or the Department of Commerce (in consultation with the intelligence community or law enforcement) to be owned, controlled by, or otherwise connected to a foreign government of concern. Any such determination must be formally published before it takes effect.

The proposed rule introduces two distinct but related prohibitions, both of which would apply government-wide and to a broad range of acquisitions, including commercial items, commercial-off-the-shelf (COTS) products, and purchases below the micro-purchase threshold. First, agencies would be prohibited from procuring or obtaining electronic products or electronic services that include covered semiconductor products. Second, agencies would be prohibited from procuring or obtaining electronic products for use in critical systems if those products rely on electronics that include covered semiconductors — even where the covered semiconductor is not itself being delivered to the government. This latter prohibition extends the reach of the rule into contractor systems, integrations, and operational environments supporting critical functions.

Although the prohibition in the proposed rule would not take effect until late 2027, the rule would impose significant new supply chain compliance obligations on federal contractors. Specifically, the proposed rule introduces a new solicitation provision and contract clause that would require contractors to conduct a "reasonable inquiry" into their supply chains to identify potential covered semiconductors; certify at the time of offer that products and services offered do not include covered semiconductor products or services; disclose known use of covered semiconductors, along with any associated mitigation measures; and notify the contracting officer within 72 hours if covered semiconductor products or services are discovered during contract performance.

Contractors that provide electronic products and services to the federal government, particularly for use in critical systems, may face increased compliance costs and certification risks if the rule is finalized. Accordingly, contractors providing these services should begin initial diligence efforts and supply chain mapping to assess their risk profiles in the coming months.

"Revolutionary FAR Overhaul" Updates

The FAR Council continued its efforts towards advancing its "Revolutionary FAR Overhaul" (RFO), releasing updated RFO model deviation text in March 2026 to conform with newly codified FAR rules. Multiple RFO parts — including Parts 1, 5, 10, 22, 25, and 52 — were updated accordingly. The FAR Council previously released model deviation texts for all FAR parts under the RFO initiative, which agencies have thus far implemented through various class deviations. For example, GSA previously announced that it would issue a mass modification to all Multiple Award Schedule (MAS) contracts to align Schedule terms with the RFO, and DoD has also implemented extensive FAR and DFARS deviations in recent months. We covered some of the most significant revisions in a previous client alert, including changes to FAR Part 19 (Small Business Programs), which affect an agency's discretion to implement the "Rule of Two."

The result of the class deviations is that contractors increasingly face dual regimes of governing regulations: deviation-based FAR texts versus codified FAR clauses in the Code of Federal Regulations (CFR). Accordingly, federal contractors must continue to closely monitor solicitation-specific updates, clause numbering, and content that might differ from Title 48 of the CFR, and elevated compliance risks during this transition period. The next phase of the RFO initiative — formal notice-and-comment rulemaking — is expected to continue throughout 2026, extending this period of transitional complexity for contracting entities.

New "Made in USA" Enforcement — EO

On March 13, 2026, President Trump issued a new EO titled "Ensuring Truthful Advertising of Products Claiming to Be Made in America." Although framed as a consumer protection measure, the order has direct implications for federal contractors, particularly those making domestic-origin representations in connection with federal procurement programs.

Specifically, Section 2(d) of the EO directs federal agencies to verify domestic-origin representations made in connection with government contracts, including claims tied to Buy American Act compliance and country-of-origin assertions. The order further provides that misrepresentations may be referred to the Department of Justice, creating potential False Claims Act exposure where contractors knowingly submit inaccurate domestic-content representations in bids, certifications, or invoices. Agencies are also directed to remove products found to have deceptive American-origin claims from federal procurement availability.

The executive order also directs the Federal Trade Commission (FTC) to prioritize enforcement actions against deceptive or misleading "Made in America" or "Made in the USA" claims. It also calls for enhanced coordination among federal agencies with authority over country-of-origin standards, including US Customs and Border Protection (CBP), US Department of Agriculture, Food and Drug Administration, and other federal agencies.

Contractors should remain aware of and not conflate distinctions between "Made in USA" claims, which primarily implicate consumer-protection standards enforced by the FTC, and Buy American and Trade Agreements Act requirements, which are procurement-specific regimes governed by the FAR. Contractors should continue to ensure compliance with all domestic-origin representations made in proposals and certifications, and ensure that supply-chain documentation supports any domestic origin claims used in connection with federal contracts.

Cybersecurity Updates

On January 5, 2026, GSA issued Revision 1 of its IT Security Procedural Guide for Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems. This guidance establishes a comprehensive cybersecurity compliance framework governing how contractors and other nonfederal entities must safeguard CUI handled outside government systems, representing a significant policy shift for civilian-agency contractors and signaling a continued move toward government-wide cybersecurity standardization. Although not promulgated as a FAR rule, the framework may be incorporated into solicitations and contracts at the contracting officer's discretion and applies immediately, with no formal phase-in period.

A central feature of the framework is its requirement that covered contractors comply with NIST SP 800-171, Revision 3. Many contractors may need to reassess and update their existing cybersecurity controls, documentation, and system boundaries as a result. The guidance also references selected enhanced controls from NIST SP 800-172, particularly for higher-risk environments.

Similar to DoD's Cybersecurity Maturity Model Certification (CMMC) program, GSA's framework adopts a multiphase lifecycle approach. We covered DoD's final rule implementing the CMMC program in a previous client alert, including details regarding particular regulatory requirements and definitions under the final rule. Under GSA's framework, contractors are expected to generate and maintain extensive documentation (including system security and privacy plans), undergo independent assessments, meet stringent operational requirements such as one-hour cyber-incident reporting, and support ongoing monitoring throughout contract performance. GSA's guidance also anticipates the flow-down of CUI-related cybersecurity obligations to subcontractors, with corresponding supply chain and vendor management implications.

Taken together with recent cybersecurity enforcement actions, GSA's guidance reflects a broader federal trend toward standardizing contractor cybersecurity expectations across civilian and defense agencies, increasingly treating NIST-based compliance as a prerequisite for eligibility rather than a contract-specific obligation. Contractors supporting civilian agencies should evaluate their exposure to CUI; assess readiness against NIST SP 800-171 Rev. 3 standards; and prepare for expanded documentation, assessment, and reporting requirements as these expectations continue to spread across federal contracting entities.

What's Next?

The first quarter of 2026 reflects a continued trend toward greater enforcement of administration priorities through active, certification-driven compliance regimes. Contractors and grant recipients should anticipate further enforcement actions, evolving certification requirements, and continued regulatory disruption as agencies implement RFO-related deviations and new cybersecurity expectations.

For More Information

Faegre Drinker's government contracts team will continue to monitor additional regulatory and legislative developments in the coming months. For further information you may contact the authors.