National Defense Authorization Act for Fiscal Year 2026: Compliance Highlights

On December 18, 2025, President Trump signed the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2026. The act authorizes funding for the U.S. Armed Forces, Department of Defense (DoD), and key national security programs, including military construction, Department of Energy initiatives, as well as intelligence and State Department activities. In addition to setting policies to strengthen the defense industrial base, promote emerging technologies such as artificial intelligence (AI) and biotechnology, enhance supply chain resilience, and modernize defense acquisition, the FY2026 NDAA also significantly reforms government contracting by:

• Streamlining acquisition and procurement processes
• Emphasizing commercial solutions
• Boosting domestic supply chain
• Increasing scrutiny on technology and AI; and
• Reducing  compliance burdens for contractors. 

These measures are intended to accelerate defense procurement, reduce barriers for commercial firms, and enhance industrial base resilience against foreign adversaries.

Below is a summary of the key highlights from the FY2026 NDAA.

Section 866 – Cybersecurity Regulatory Harmonization:

By June 1, 2026, the Secretary of Defense must standardize cybersecurity requirements for the defense industrial base, reduce contract-specific requirements, and report these actions to the congressional defense committees. The harmonization aims to eliminate duplicative and inconsistent requirements, ensure proper governance, and provide stakeholder input, including: any changes made to agreements  ; a list of DoD contracts or other agreements that Starting December 31, 2026, and annually for three years, the Chief Information Officer of the DoD must report to the congressional defense committees on their progress propose  cybersecurity requirements not published in the Federal Register; and the rationale for approving or denying such requirements. These updates demonstrate the administration’s continued push toward a uniform cybersecurity framework.

Section 875 – Ability to Withhold Contract Payments During Period of Pendency of a Bid Protest:

The Secretary of Defense must update the Defense Federal Acquisition Regulation Supplement (DFARS) to establish procedures that will allow contracting officers to withhold up to 5% of payments from an incumbent contractor under an extension or bridge contract while the contractor’s bid protest at the Government Accountability Office (GAO) is pending. If the GAO dismisses the protest for lacking a reasonable legal or factual basis and the dismissal becomes final, the contractor will forfeit the withheld payments.

Section 1804 – Adjustments to Certain Acquisition Thresholds:

Section 3702(a) of Title 10, United States Code is amended to raise the threshold for requiring certified cost or pricing data under the Truthful Cost or Pricing Data Act (TINA). For contracts entered into after June 30, 2026, the threshold increases from $2,000,000 to $10,000,000. Contracts entered into on or before that date, the threshold remains at $2,000,000.

Section 1806 – Matters Related to Cost Accounting Standards:

Increased Threshold for Full Cost Accounting Standards (CAS) Coverage: The update raises the threshold for Full CAS coverage in section 9903.201-2 of title 48, Code of Federal Regulations, from $50 million to $100 million (adjusted for inflation as per Section 1908 of Title 41, U.S. Code). The Secretary of Defense must update the DFARS. Full compliance with CAS will only be required for entities or subsidiaries that: (A) Receive a single contract award of $100 million or more, or (B) Have total contract awards during the previous cost accounting period totaling $100 million or more.

Increased Contract-Specific Threshold for Modified CAS: The statutory threshold for modified CAS coverage on a specific contract is increased from its previous level of $2.5 million to $35 million.

Exemptions for Portions of Contracts: The government cannot recover costs from firm-fixed-price contracts or contracts not based on cost redetermination. For any contract or subcontract (or any portion of such) that is not a firm-fixed-price contract or subcontract, the government’s cost recovery is limited to the net increased costs paid to the contractor or subcontractor for all changes in cost accounting practices implemented during that year.

Section 1823 – Modifications to Commercial Solutions Openings:

The Secretary of Defense and military department secretaries are allowed to acquire commercial products, commercial services, or non-developmental items through competitive selection based on general solicitation and appropriate reviews (peer, technical, or operational). The revisions also permit the government to award follow-on production contracts, including sole-source contracts, to Commercial Solutions Openings (CSO) awardees, provided the initial CSO was openly competed. Additionally, these follow-on contracts can be structured as Other Transaction Authority Agreements (OTAs), which are exempt from the Federal Acquisition Regulation and allow for flexible negotiation of terms such as intellectual property and data rights.

Section 1826 – Exemptions for Nontraditional Defense Contractors:

Exemptions: Nontraditional defense contractors (contractors that have not performed a CAS-covered contract or subcontract within the preceding year) are exempt from several requirements related to accounting system administration. This includes business and purchasing systems, Part 31 (cost allowability) of the Federal Acquisition Regulation (FAR), as well as DFARS clauses 252.242-7006, 252.234-7002, 252.215-7002, 252.242-7004, 252.245-7003, 252.244-7001, 252.242-7005, section 215.407, section 3702 of title 10, United States Code, and FAR Part 31.

Waiver and Modifications: The head of the relevant contracting activity may waive or modify these exemptions for specific products or services through a written determination.

Partial Application: Some requirements may be applied to a contract, subcontract, or other agreement with a nontraditional defense contractor if justified as being in the best interest of the government with written approval and justification from the head of the relevant contracting activity.

Congressional Notification: If a waiver is granted, the Secretary of Defense must notify congressional defense committees within 60 days and provide an explanation of efforts to avoid the need for the waiver.

Implementation of Changes

The provisions of the NDAA are typically implemented through revisions to the DFARS or through other regulatory updates. These updates are expected to begin in early 2026 and can take several months to be fully implemented. Contractors are advised to keep an eye out for these changes as they make their way through the regulatory rulemaking process.