Insights

On February 9, 2026, the U.S. Department of the Treasury’s (Treasury) Office of Investment Security (OIS) published a request for information (RFI) seeking public comments on how the Committee on Foreign Investment in the United States (CFIUS) might streamline its foreign investment review process, including through the Known Investor Program (KIP). The RFI requests feedback on (1) proposed eligibility criteria and a draft questionnaire for the KIP, including certain defined terms, and (2) other ways that CFIUS and transaction parties can streamline aspects of the foreign investment review process. Written comments are due March 18, 2026.

Rising electricity prices are becoming an increasingly potent political issue, with both utilities and data centers facing growing scrutiny from federal and state lawmakers on how to insulate ratepayers from rising costs. While headlines have been dominated by the White House and Governors of states in the PJM Interconnection proposing reforms to the PJM capacity market, and by New Jersey Governor Sherrill’s goal to freeze rate hikes, the issue is also quickly becoming a focal point of congressional oversight.

Employers are increasingly relying on artificial intelligence and automated decision systems (ADS) in workplaces across California and the world as avenues to boost productivity or achieve cost savings. However, some state legislators have raised concerns about the lack of worker protections and oversight in discipline and termination decisions made by ADS.

On July 8, 2025, the U.S. Court of Appeals for the Eighth Circuit vacated the Federal Trade Commission’s (FTC) Rule Concerning Subscriptions and Other Negative Option Plans, commonly known as the “Click-to-Cancel” rule. As detailed in a previous client alert, the rule was intended to regulate negative option plans[1]— such as subscriptions and automatic renewals — by imposing stringent requirements on businesses, including streamlined cancellation processes and enhanced disclosure obligations. The Eighth Circuit vacated the Click-to-Cancel rule because it found that the FTC had failed to comply with mandatory procedural requirements. As a result, the rule is no longer in effect, and businesses are not currently subject to its mandates.

On February 3, 2026, President Trump signed a $1.2 trillion spending deal that, among other points, introduced significant regulatory changes for Medicare Part D plans and PBMs providing services to PDP sponsors in the Medicare Advantage and Medicare Part D programs, and imposed significant new restrictions and transparency requirements on PBMs contracting with private group health plans.

The UK Financial Conduct Authority (FCA) recently issued consultation paper CP26/5, proposing to replace the existing Task Force on Climate-related Financial Disclosures (TCFD) requirements with new rules mandating listed companies to report against the UK Sustainability Reporting Standards (UK SRS). These are based on the IFRS Sustainability Disclosure Standards developed by the International Sustainability Standards Board (ISSB).

Last week, the Federal Circuit heard oral argument in Global K9 Protection Group, LLC v. United States, a bid protest appeal concerning, in part, whether an awardee who chose not to intervene at the outset of the protest should have been allowed to do so after its award was enjoined.

On January 27, the EU and Brazil announced their positive determination on the mutual adequacy of Brazil’s and the EU’s data privacy frameworks — confirming the growing importance of transatlantic data transfers and the EU-Mercosur relationship. This adequacy decision, while not formally tied to the EU-Mercosur trade negotiations, is a historic development that can facilitate cross-border data transfers and fuel shared economic growth driven by data-centered service sectors.

On January 29, 2026, the U.S. Department of Justice (DOJ) Antitrust Division (Division) and U.S. Postal Service announced the first-ever payment under the antitrust whistleblower rewards program, awarding $1 million to an individual whose information led to a $3.28 million fine as part of a deferred prosecution agreement with EBLOCK Corporation, an online auction platform for used vehicles.

Liesbeth Truyens, Economic Sanctions and Commercial Disputes Lawyer, Joins Crowell & Moring’s Brussels Office

On January 27, 2026, the Centers for Medicare and Medicaid Services (CMS) released a Health Plan Management System (HPMS) memo that provided a long-awaited update on how the agency plans to approach previously announced Risk Adjustment Data Validation (RADV) audits for Payment Years (PY) 2020-2024. The memo is the agency’s most comprehensive statement on the subject since September 25, 2025, when the Northern District of Texas vacated the 2023 RADV Final Rule. The memo makes clear that, while CMS has made certain operational adjustments in response to concerns expressed by Medicare Advantage Organizations (MAOs), the agency is largely pressing forward with the accelerated audit strategy announced in May 2025.

The federal Defend Trade Secrets Act (“DTSA”) is celebrating its 10th anniversary.  After many years of consideration, in 2016, Congress passed and the President signed the DTSA.  Patterned on the Uniform Trade Secrets Act adopted in most states, the DTSA creates a federal cause of action for misappropriation of trade secrets and thereby gives litigants a direct avenue into federal court.  Since then, the federal courts have been grappling with how to manage DTSA cases.  One issue still to be resolved is the absence of model jury instructions in most jurisdictions.

On January 26, 2026, the Centers for Medicare and Medicaid Services (CMS) circulated the Calendar Year (CY) 2027 Advance Notice to communicate proposed changes to Medicare Advantage (MA) capitation rates and Parts C and D payment policies.  The changes are expected to be finalized in April 2026 but may be delayed. The following is a summary of the most significant proposals, with further details below:

Congress has not passed funding bills to keep key parts of the government funded for the remainder of Fiscal Year 2026—including the Departments of Defense, State, Treasury, Labor, Health and Human Services, Transportation, Housing and Urban Development, and Homeland Security, as well as independent agencies, the judiciary, and national security and foreign operations functions. As Congress continues to negotiate a deal in advance of the expiration of funds on January 30, parts of the government may still face a short shutdown, given the time needed for both the Senate and the House to consider and approve legislation. In anticipation of that possibility, agencies whose funding is uncertain are preparing for a shutdown; contractors, grant recipients, and companies that work with those agencies should do the same. Our team is ready and available to advise through the shutdown process.

As we previously reported, on January 16, 2026, the Department of War (DoW) announced an audit of 8(a) sole source awards over $20 million, joining the previously-announced audits by the Small Business Administration (SBA) and U.S. Treasury Department (discussed here and here).  A DoW memorandum also dated January 16, 2026 but only recently made public reveals that this audit is much broader in than originally announced.  Any active 8(a) sole source contract, 8(a) set-aside contract, or small business set-aside contract over $20 million is under scrutiny. 

On January 28, 2026, the Federal Aviation Administration (FAA) announced that it would reopen the comment period for the Notice of Proposed Rulemaking (NPRM) titled “Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations” for fourteen days. This NPRM, jointly published with the Transportation Security Administration (TSA) on August 7, 2025, introduces performance-based regulations for beyond visual line of sight (BVLOS) unmanned aircraft systems (UAS) operations and the third-party services that support them. Although the NPRM’s initial comment period closed on October 6, 2025, the FAA is now accepting additional feedback through February 11, 2026, with a particular focus on the proposed rule’s right-of-way and detect-and-avoid requirements. The FAA previously rejected formal requests to extend the initial comment period, citing the deadline imposed by Executive Order 14307.

On January 23, 2026, Office of Management and Budget (OMB) Director Russell T. Vought issued OMB Memorandum M-26-05 (Memo). The Memo rescinds prior OMB memoranda (M-22-18 and M-23-16) that required federal agencies to collect the Secure Software Development Attestation Form from entities selling software or products containing software to the U.S. government. The Trump administration previously retracted a Biden administration directive that called for formalization of the Attestation Form collection process in the Federal Acquisition Regulation (FAR). Many in industry saw this as a sign that the Trump administration disfavored the Attestation Form. Now, the Memo has gone one step further to officially terminate agencies’ obligation to collect the Form from their software suppliers.

The Small Business Administration (SBA) has rolled out changes to its 8(a) Program even as it suspends 8(a) participants for failure to respond to the SBA’s December 5, 2025 8(a) audit letters.

On January 13, 2026, Miami-based pharmaceutical wholesaler Atlantic Biologicals Corporation entered into a two-year DPA, admitting to conspiracy to distribute and dispense controlled substances, including more than 14 million opioid doses to “pill mill” pharmacies in Texas at a markup. The DOJ and DEA underscored the company’s deliberate evasion of compliance checks and disregard for red flags signaling diversion.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative established to standardize the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. FedRAMP’s primary objective is to ensure that cloud service providers (CSPs) implement robust security controls to protect federal information in cloud environments. By leveraging a consistent framework for security assessment and authorization, FedRAMP is intended to reduce duplication of effort, cost, and time for both agencies and vendors.