Compliance Issues

On October 17, 2025, the General Services Administration (“GSA”) announced that it plans to issue a Mass Modification to GSA’s Multiple Award Schedule (“MAS” or “Schedule”) Solicitation[1] and Schedule contracts in November 2025 (“Refresh”).  Periodically, GSA may issue a Mass Modification to Schedule contracts to uniformly impose changes to the contract terms applicable to all Schedule contract holders, often as a result of changes in applicable law, regulation, or policy.  This approach also ensures that existing Schedule contracts have consistent terms, even though with the evergreen nature of the Solicitation those contracts have been entered into at different times and are at different stages of performance.

This Refresh (i.e., Refresh #30) will implement several significant changes with the goal to align the GSA Schedule with recent developments in the Revolutionary FAR Overhaul (“RFO”).[2]  Although the full text of the Refresh is not yet available, GSA’s Refresh outline provides insight into the changes that are to come as GSA seeks to gain implementation experience with the RFO clauses, provisions, and ordering procedures through its Schedule contracts.  Given GSA’s leadership of the RFO process, and this year’s Executive Order to consolidate domestic procurement of common goods and services in GSA to the extent permitted by law,[3] it is no surprise that it has acted quickly to revise its long-term government-wide contracting vehicle according to these recent developments. 

Along with the Refresh announcement, GSA opened a 10 business day comment window on buy.gsa.gov, which we expect will close on October 31, 2025.  Schedules contractors will be expected to accept the Refresh no later than 90 days from its release which is expected sometime in November.  Below we discuss relevant background on the RFO process as it relates to the Schedule and anticipated changes to provisions and clauses in the Refresh.  We will continue to watch for updates as GSA’s implementation of the RFO unfolds.    Continue Reading Overhauling the GSA Schedule

Consistent with the Trump Administration’s focus on procurement fraud, a recent settlement and guilty pleas secured by the DOJ demonstrate that bid rigging is in the Administration’s crosshairs.  Government contractors should be aware of the legal risks associated with bid rigging when engaging in the bidding process. Continue Reading Bid Rigging Risk for Government Contractors

Small Person Using Calculator

The Government Accountability Office (“GAO”) released a report on the Defense Contract Audit Agency’s (“DCAA”) past and future use of private-sector, independent public accountants to augment its auditor workforce. The initiative—approved under Section 803 of the Fiscal Year (“FY”) 2018 National Defense Authorization Act (“NDAA”)—began in fiscal year 2020 and

Continue Reading GAO: DCAA Built a Valuable Bench of Independent Public Accountants, Now What?

Kenya has released its first National Artificial Intelligence Strategy (2025–2030), a landmark document on the continent that sets out a government-led vision for ethical, inclusive, and innovation-driven AI adoption. Framed as a foundational step in the country’s digital transformation agenda, the strategy articulates policy ambitions that will be of interest to global companies developing, deploying, or investing in AI technologies across Africa.

While the strategy is explicitly domestic in focus, its framing—and the architecture of its governance, infrastructure, and data pillars—reflects a broader trend, i.e., the localization of global AI governance norms in high-growth, emerging markets.

What the Strategy Means for Global Technology Governance

The strategy touches on several themes that intersect with enterprise risk, product development, and regulatory foresight for multinationals:

  • Data governance and sovereignty: Kenya signals a strong intent to develop AI within national parameters, grounded in local data ecosystems. The strategy explicitly references data privacy, cybersecurity, and ethics as core enablers of the AI ecosystem. For global companies with cloud-based models or cross-border data transfer frameworks, these developments may signal localization pressures or evolving consent standards.
  • Sector-specific use cases: Healthcare, agriculture, financial services, and public administration are named as strategic AI priorities. Companies operating in the life sciences, health tech, or diagnostics space should watch closely for how regulatory authorities may interpret and apply ethical or risk-based AI guidelines—especially where AI is used in clinical decision-making, diagnostics, or personalized medicine.
  • Public-private AI infrastructure development: The strategy envisages expanded digital infrastructure, data centers, and cloud resources, as well as national research hubs. This may create commercial opportunities—but could also trigger localization requirements or procurement-related restrictions, particularly for telecommunications and hyperscale cloud providers.
  • Future legal frameworks: The current strategy is not itself a binding legal instrument, but it points to future policy development—especially around governance, regulatory oversight, and risk classification of AI systems. Teams advising on AI risk, litigation exposure, and AI-assisted products (including generative tools) will want to track the next wave of draft legislation and implementation guidance.

Continue Reading Kenya’s AI Strategy 2025–2030: Signals for Global Companies Operating in Africa

On January 8, 2025, the Consumer Product Safety Commission (“CPSC”) published in the Federal Register a Final Rule that significantly changes the requirements for filing certificates of compliance for imported products under the Consumer Product Safety Act (“CPSA”). The publication of the Final Rule followed the CPSC’s vote to approve the Final Rule on December 18, 2024.

The Final Rule is intended to provide the CPSC and Customs and Border Protection (“CBP”) with significantly more information about imported products, which will likely enhance enforcement against noncompliant products. Companies should take proactive measures to ensure that all imported products comply with the CPSA. They should also prepare for increased scrutiny of products upon import, which may result in delays and potential seizures of products, and ensure that they have processes in place for complying with all aspects of the Final Rule.

The Final Rule makes two major changes to existing CPSC requirements for filing certificates of compliance, which will take effect on July 8, 2026 (except that for products entering from a foreign trade zone for consumption or warehousing, the rule will take effect on January 8, 2027).

First, the Final Rule requires that for all imported products subject to a mandatory safety standard under the CPSA, importers must electronically file (“eFile”) the requisite certificate of compliance at the time of entry with Customs and Border Protection (“CBP”), which will then share the certificate with CPSC. Notably, products claiming a de minimis duty exemption under 19 U.S.C. § 1321 (“Section 321”)—i.e., products valued at less than $800—are also subject to this eFiling requirement. By requiring eFiling of certificates of compliance, including for de minimis products, the Final Rule is intended to improve the CPSC and CBP’s ability to collect data on imported products and bolster their monitoring and enforcement capabilities.

Second, the Final Rule newly defines the term “importer” in the CPSC regulations to be synonymous with the importer of record (“IOR”). This change places the responsibility for filing certificates of compliance for most imported products on the IOR. However, if the IOR is a customs broker, the broker is responsible for filing the certificate but can designate the “owner, purchaser, or consignee” as legally responsible for complying with the CPSC’s testing and certification requirements, including for the accuracy and validity of the data submitted on the certificate.

For mail and de minimis shipments, which do not have an IOR, the Final Rule clarifies that the “importer” can be an owner, purchaser, consignee, or authorized customs broker. Similar to products that do not fall under the de minimis exemption, the customs broker may file the certificate for a de minimis shipment but identify the owner, purchaser, or consignee as the party responsible for compliance. Continue Reading CPSC Revises Requirements for Certificates of Compliance

Under a newly enacted law, beginning June 30, 2026, defense contractors risk losing all future contracts with the Defense Department if they engage outside consultants that lobby for certain Chinese companies. On December 23, 2024, President Biden signed the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2025

Continue Reading New Law Appears to Restrict Defense Contractors from Retaining Consultants Who Lobby for Chinese Military Companies

This is part of an ongoing series of Covington blogs on the implementation of Executive Order No. 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” (the “AI EO”), issued by President Biden on October 30, 2023.  The first blog summarized the AI EO’s key provisions and

Continue Reading October 2024 Developments Under President Biden’s AI Executive Order

This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024.  It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors. 

NIST Publishes Cybersecurity Framework 2.0

            On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework.  The NIST Cybersecurity Framework (“CSF” or “Framework”) provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or relative maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts.  CSF 2.0 makes some significant changes to the Framework, particularly in the areas of Governance and Cybersecurity Supply Chain Risk Management (“C-SCRM”).  Covington’s Privacy and Cybersecurity group has posted a blog that discusses CSF 2.0 and those changes in greater detail.

NTIA Requests Comment Regarding “Open Weight”

Dual-Use Foundation AI Models

            Also on February 26, the National Telecommunications and Information Administration (“NTIA”) published a request for comments on the risks, benefits, and possible regulation of “dual-use foundation models for which the model weights are widely available.”  Among other questions raised by NTIA in the document are whether the availability of public model weights could pose risks to infrastructure or the defense sector.  NTIA is seeking comments in order to prepare a report that the AI EO requires by July 26, 2024 on the risks and benefits of private companies making the weights of their foundational AI models publicly available.  NTIA’s request for comments notes that “openness” or “wide availability” are terms without clear definition, and that “more information [is] needed to detail the relationship between openness and the wide availability of both model weights and open foundation models more generally.”  NTIA also requests comments on potential regulatory regimes for dual-use foundation models with widely available model weights, as well as the kinds of regulatory structures “that could deal with not only the large scale of these foundation models, but also the declining level of computing resources needed to fine-tune and retrain them.”Continue Reading February 2024 Developments Under President Biden’s Cybersecurity Executive Order, National Cybersecurity Strategy, and AI Executive Order

On June 20, 2023, the Federal Communications Commission (“FCC”) released a Notice of Proposed Rulemaking (“NPRM”) to require cable operators and direct broadcast satellite (“DBS”) providers to display an “all-in” price for their video programming services in their billing and marketing materials.  The White House issued a press release that

Continue Reading FCC Proposes “All-In” Pricing Rules for Cable/Satellite TV

Covington annually publishes a detailed survey of state campaign finance, lobbying, and gift rules.  Now, for the first time, Covington is releasing an updated survey that details federal campaign finance, lobbying, and gift rules, in addition to those of the 50 states and the District of Columbia. Corporations, trade associations, non-profits, other organizations, and individuals face significant penalties and reputational harm if they violate federal or state laws governing corporate and personal political activities, the registration of lobbyists, lobbying reporting, or the giving of gifts or items of value to government officials or employees. To help organizations and individuals comply with these rules, this detailed survey—now 327 pages—summarizes the campaign finance, lobbying, and gift rules adopted by the federal government, all 50 states, and the District of Columbia.

Newly added federal sections cover the Lobbying Disclosure Act, the Foreign Agents Registration Act, Congressional gift rules, executive branch gift rules, and the Federal Election Campaign Act. Information is provided in a table question and answer format intended to address common questions with practical guidance. Continue Reading Covington Releases Updated Survey of Federal and State Campaign Finance, Lobbying, and Gift Rules (2023 Edition)