The federal contracting environment is changing faster in 2026 than it has in years. Higher spending thresholds, a rewrite of the Federal Acquisition Regulation (FAR), new cybersecurity requirements, and a trillion-dollar defense budget are reshaping how the government buys from small businesses.
Some changes help you. Higher thresholds mean less paperwork and more sole-source opportunities. Others demand action. The Cybersecurity Maturity Model Certification (CMMC) Phase 1 started in November 2025, and Department of Defense (DOD) solicitations are already requiring it.
This article covers the federal contracting news that matters most right now. Each section explains what changed, what it means for your company, and what to do about it.
What You’ll Learn
- New FAR spending thresholds effective October 1, 2025 (including micro-purchase, SAT, and 8(a) limits)
- FY2026 NDAA threshold changes for cost accounting and pricing data
- The FAR overhaul under Executive Order 14275 and what it means for acquisitions
- CMMC 2.0 phased rollout timeline through 2028
- FY2026 defense budget highlights and where the money is going
- SBA program changes: 8(a) audits, HUBZone recertification, and new rules
- SAM.gov modernization updates
- FedRAMP 20x and its faster authorization timeline
- How government shutdowns affect contractors
FAR Threshold Changes: Effective October 1, 2025
The biggest immediate win for small businesses came on October 1, 2025, when inflation-adjusted Federal Acquisition Regulation thresholds took effect. These thresholds determine how the government buys and which rules apply at each dollar level.
Here is what changed:
| Threshold | Previous Amount | New Amount (Oct 1, 2025) |
|---|---|---|
| Micro-Purchase Threshold | $10,000 | $15,000 |
| Simplified Acquisition Threshold (SAT) | $250,000 | $350,000 |
| 8(a) Sole Source (Non-Manufacturing) | $4.5 million | $5.5 million |
| 8(a) Sole Source (Manufacturing) | $7 million | $8.5 million |
| 8(a) Justification and Approval Threshold | $25 million | $30 million |
| 8(a) Super Sole Source (DOD/NASA/USCG) | $100 million | $150 million |
| 8(a) Lifetime Aggregate Award Ceiling | Not previously set | $168.5 million |
Source: Acquisition.gov Threshold Changes, GSA SmartPay Bulletin
What This Means for Your Business
The micro-purchase increase to $15,000 is the most practical change for new contractors. Government purchase card holders can now buy up to $15,000 from any SAM.gov-registered vendor without formal competition. Make sure your SAM.gov registration is current.
The SAT increase to $350,000 means more contracts fall under simplified acquisition procedures, which are faster, require less paperwork, and are automatically reserved for small businesses under the Rule of Two.
For 8(a) participants, the sole-source ceiling increase to $5.5 million (general) and $8.5 million (manufacturing) means contracting officers can award larger contracts directly to your firm without competition.
FY2026 NDAA Threshold Changes (Effective June 30, 2026)
The Fiscal Year 2026 National Defense Authorization Act (NDAA) raised three additional thresholds that reduce compliance costs for small and mid-size contractors. These take effect for contracts awarded after June 30, 2026.
| Threshold | Previous Amount | New Amount (After June 30, 2026) |
|---|---|---|
| Truth in Negotiations Act (TINA) / Cost or Pricing Data | $2 million | $10 million |
| Cost Accounting Standards (CAS) Full Coverage | $50 million (annual) | $100 million (annual) |
| CAS Per-Contract Trigger | $2.5 million | $35 million |
Source: Government Contracts Law, Cherry Bekaert
The TINA increase from $2 million to $10 million is the standout. Previously, any defense contract over $2.5 million required certified cost or pricing data. Now, contracts up to $10 million are exempt. For small contractors bidding on mid-size contracts, this removes a major paperwork barrier.
The CAS changes matter if your firm is growing. Full CAS coverage previously kicked in at $50 million in annual awards. That bar now sits at $100 million. Most small businesses will never hit it, but growing mid-tier firms benefit directly.
The FAR Overhaul: Executive Order 14275
In April 2025, Executive Order 14275 launched a government-wide effort to rewrite and simplify the FAR. The stated goal: the FAR should “contain only provisions that are required by statute or that are otherwise necessary to support simplicity and usability.”
The overhaul uses two phases. Phase 1 (now) issues interim class deviations on a rolling basis. The first 31 Defense Federal Acquisition Regulation Supplement (DFARS) deviations took effect February 1, 2026. Phase 2 will formalize these changes through permanent rulemaking.
Key Changes So Far
- Simplified procedures for commercial acquisitions below $7.5 million moved from FAR Part 13 to Part 12.
- SAM.gov will stop collecting Types 2 and 3 representations and certifications. Those are now collected per solicitation.
- Multiple FAR parts are being consolidated or eliminated.
What to do: Keep your SAM.gov profile updated and watch for representation and certification changes in individual solicitations. Bookmark Acquisition.gov’s FAR Overhaul page for the latest updates.
Source: Acquisition.gov FAR Overhaul, USFCR
CMMC 2.0: The Cybersecurity Mandate Is Here
The Cybersecurity Maturity Model Certification (CMMC) is no longer a future requirement. Phase 1 began on November 10, 2025. If you work with the Department of Defense or plan to, you need to understand this timeline.
| Phase | Effective Date | What Is Required |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 (Self-Assessment) or Level 2 (Self-Assessment) required in applicable solicitations |
| Phase 2 | November 10, 2026 | Level 2 (C3PAO Third-Party Assessment) required. DOD may also include Level 3 at its discretion. |
| Phase 3 | November 10, 2027 | Level 3 (DIBCAC Assessment) required in all applicable solicitations |
| Phase 4 | November 10, 2028 | Full implementation. All DOD contracts requiring FCI or CUI must include the appropriate CMMC level. |
Source: CTI Cybersecurity CMMC Timeline, Dorsey Alert
What the Levels Mean
- Level 1: 15 basic cybersecurity practices for protecting Federal Contract Information (FCI). Self-assessed.
- Level 2: 110 practices aligned to NIST SP 800-171 for handling Controlled Unclassified Information (CUI). Self-assessed in Phase 1, third-party assessed starting Phase 2.
- Level 3: 110+ practices plus additional requirements from NIST SP 800-172. Assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
CMMC requirements are now a pre-award condition. You cannot win a covered DOD contract without the required certification level.
What to do now: If you handle DOD contracts, complete your CMMC Level 1 self-assessment at minimum. If your contracts involve CUI, begin preparing for Level 2 third-party assessment before November 2026. Do not wait. Assessment backlogs are expected as demand for Certified Third-Party Assessment Organizations (C3PAOs) grows.
FY2026 Defense Budget: $1.01 Trillion
The FY2026 DOD budget request totals $892.6 billion in discretionary spending. With supplemental funding from the One Big Beautiful Bill Act (OBBBA), total defense spending reaches $1.01 trillion, a 13% increase over FY2025. The OBBBA added $150 billion in mandatory defense spending, with 84% going to Procurement and Research, Development, Test, and Evaluation (RDT&E). That means $113 billion in new weapons spending for FY2026, a 22% year-over-year increase.
Where the Money Is Going
- Missile Defense Initiative: $25 billion initial investment for a program inspired by the Reagan-era Strategic Defense Initiative and Israel’s Golden Dome system.
- Nuclear Triad Modernization: $60 billion across sea-based (submarines), air-based (bombers), and land-based (ICBMs) systems.
- IT Modernization: Continues as the federal government’s most consistent growth area for contractors.
- AI, Cybersecurity, and Space Systems: Rising investment across all three categories.
For small businesses, the push toward non-traditional defense contractors matters. The “Big 5” primes account for roughly 30% of DOD contract funding but only 0.1% of total contracts. The remaining 99.9% go to other companies, including small businesses.
Source: Defense Budget Briefing, FedSavvy Strategies
SBA Program Updates for 2026
The Small Business Administration (SBA) made several rule changes that affect certification programs and recertification timelines.
8(a) Program Audit
The SBA ordered all 8(a) participants to submit financial, ownership, and contract documentation by January 5, 2026. A full program audit is underway. If you are in the 8(a) program, confirm your documentation is current and submitted.
One positive change: follow-on 8(a) contracts can now transition to HUBZone, SDVOSB, or WOSB set-asides without SBA approval. This gives agencies more flexibility to keep contracts in the small business community after 8(a) terms end.
HUBZone Recertification: Now Triennial
HUBZone participants no longer need to recertify annually. The SBA moved to a triennial (every three years) cycle and clarified rules on counting legacy employees toward the mandatory 35% residency requirement.
30-Day Recertification Mandate (Effective January 17, 2026)
All small business certification programs now include a 30-day recertification period. Businesses that fail recertification on multiple-award contracts cannot bid on new task orders or exercise contract options. This applies across 8(a), HUBZone, Women-Owned Small Business/Economically Disadvantaged Women-Owned Small Business (WOSB/EDWOSB), and Service-Disabled Veteran-Owned Small Business (SDVOSB) programs.
Source: iQuasar, SmallGovCon, Taft Law
SAM.gov Modernization
SAM.gov is going through its own overhaul in 2026. Here are the key changes:
- FPDS Migration: Federal Procurement Data System (FPDS) contract award data has moved inside SAM.gov. Users now need a SAM account to access historical contract data.
- eSRS Retirement: The Electronic Subcontracting Reporting System has been decommissioned. Its functions are now part of SAM.gov.
- FAR Overhaul Integration: Types 2 and 3 representations and certifications are no longer collected through SAM registration.
- Registration Updates: The entity registration interface was refreshed in September 2025 with updated legal proceedings and contact pages.
Action item: Log in to SAM.gov and verify your entity registration reflects current information. If you have not registered yet, start with our step-by-step SAM.gov registration guide.
Source: Crowell and Moring
FedRAMP 20x: Faster Cloud Authorizations
FedRAMP 20x replaces the traditional Federal Risk and Authorization Management Program (FedRAMP) authorization process. The old process took 18+ months. The new target: roughly 3 months for Low and Moderate authorizations.
Timeline
- March 2025: FedRAMP 20x launched.
- Phase 1: 27 submissions processed, 13 authorizations granted.
- Phase 2 (through March 31, 2026): New requirements for Authorization Data Sharing, Persistent Validation, Secure Configurations, and Vulnerability Detection.
- Phase 3 (FY2026 Q3-Q4): Wide-scale adoption. FedRAMP will stop accepting new Rev5-based agency authorizations.
If you are a cloud service provider selling to the federal government, FedRAMP 20x lowers the barrier significantly. Small cloud companies that could not afford an 18-month authorization process now have a realistic path.
Source: FedRAMP.gov 20x Overview, Ignyte Platform
Government Shutdowns: What Contractors Need to Know
FY2025 and FY2026 brought multiple shutdown threats and at least two partial shutdowns. Here is what every contractor should understand:
- No guaranteed back pay. Federal employees receive back pay after a shutdown. Contractor employees do not.
- Contract award delays. New awards freeze during a shutdown.
- Payment processing stops. Invoices will not be processed until the government reopens.
- Keep performing on funded contracts. Continue work on contracts with obligated funds unless your contracting officer directs otherwise.
Best practice: Maintain cash reserves to cover 30 to 60 days of payroll and operating expenses. Invoice factoring (selling outstanding government invoices for immediate cash) is one way to manage cash flow during shutdowns.
Source: PilieroMazza, Federal News Network
What Smart Contractors Are Doing Right Now
Here are the five highest-priority actions based on these 2026 changes:
- Review your SAM.gov registration. Log in, verify your information, and locate the newly integrated FPDS data.
- Start CMMC preparation. Complete at minimum a Level 1 self-assessment. For CUI-handling contracts, begin Level 2 preparation now. Phase 2 third-party assessments start November 2026.
- Understand the new thresholds. The micro-purchase increase to $15,000 and SAT increase to $350,000 create new opportunities. The TINA increase to $10 million (after June 30, 2026) reduces compliance burden on mid-size contracts.
- Check your SBA certifications. The 30-day recertification mandate is in effect. Know your deadlines and have documentation ready.
- Build cash reserves. A 30 to 60-day cash buffer protects your team and business during shutdowns.
Frequently Asked Questions
When did the new FAR thresholds take effect?
The inflation-adjusted thresholds (micro-purchase, SAT, 8(a) sole source) took effect on October 1, 2025. The NDAA threshold changes (TINA, CAS) apply to contracts awarded after June 30, 2026.
Do I need CMMC certification to bid on DOD contracts?
Starting November 10, 2025, applicable DOD solicitations require CMMC Level 1 or Level 2 self-assessment. By November 2026, Level 2 will require third-party assessment. Not all DOD contracts require CMMC, but the number of contracts that do is growing with each phase.
How does the FAR overhaul affect small businesses?
The FAR overhaul aims to simplify acquisition rules and reduce administrative burden. For small businesses, the immediate effects include changes to SAM.gov registration requirements and simplified commercial purchasing procedures. The full impact will unfold as Phase 2 formal rulemaking proceeds.
What should I do if the government shuts down during my contract?
Continue performing on contracts with obligated funds unless your contracting officer directs otherwise. Invoice processing will pause until the government reopens. Contractor employees are not guaranteed back pay. Contact your contracting officer for guidance specific to your contract.
Where can I track these changes as they happen?
Bookmark Acquisition.gov’s FAR Overhaul page for FAR compliance updates. Follow SmallGovCon for regulatory analysis written for small businesses. Check SAM.gov announcements for platform changes. And bookmark this article. We update it as new changes take effect.
Next step: New to government contracting? Start with our guide on what government contracting is and how it works. Already registered? Make sure your compliance is current with our FAR compliance guide for small businesses.
This article is for informational purposes only. It is not legal, financial, or regulatory advice. Federal contracting rules change frequently. Verify all thresholds, deadlines, and requirements through official government sources before making business decisions. Consult with qualified professionals for guidance specific to your business.
