Demystifying the Federal Rulemaking Process

Eric Marquette

Hey everyone, welcome back to FAR & DFARS: Procurement Power! I'm Eric Marquette, joined by my co-host Paul Netopski. Today we're tackling a topic that's been floating around the regulatory world forever—the federal rulemaking process. It's the stuff that sits behind all those clauses we've been picking apart in every other episode.

Paul Netopski

Yeah, and—hey Eric—this one’s foundational. Everything you ever see in the FAR or DFARS, or even those cybersecurity requirements we love to debate so much, all come from this formal rulemaking process. And honestly, people don't realize just how much goes on before anything ever appears in a contract.

Eric Marquette

Right! At its core, federal rulemaking starts when an agency spots a need—a new law's passed, a technical issue pops up, or someone submits a petition. Sometimes it's just, you know, an issue that’s been simmering in the background and finally reaches a boil. You’d think it always moves at the same speed, but wow, it doesn’t. That urgency, or lack of it, really shapes what happens next.

Paul Netopski

No doubt. If Congress puts a clear mandate in new legislation, agencies can move pretty quickly, but more often it's a mix of urgency, agreement on what needs to be done, and how well different agencies cooperate. I mean, if there’s alignment and a shared sense of mission, things roll fast. But if there’s uncertainty—let’s say, about exactly what Congress wanted—or disagreement between agencies? That can drag things out, big time, sometimes for years.

Eric Marquette

Oh, totally. I saw this up close when the Department of Defense faced a major cybersecurity breach. The usual process went out the window—suddenly, teams worked nights, coordination was off the charts. In just months, you had new rules hit the Federal Register. Compare that to, well... procurement reforms. Everyone knows they're vital, but nobody agrees on what they should be or how to prioritize them. That stuff crawls along, sometimes stuck in fact-finding, debates over legal authority, or just... inertia.

Paul Netopski

Exactly. You summarized it well. And that's the pattern. Clear driver? You get acceleration. Murky statutory authority or stakeholder disagreement? You get delays. The system’s built for careful consideration—sometimes that’s a benefit, but when it’s slow, those delays can have real operational impacts, especially in fast-moving areas like cyber. I think we saw that reflected in some of those FAR Part 40 episodes we did recently, right?

Eric Marquette

Yeah, great point—there’s always that tension. It’s not just red tape for its own sake. They're trying to balance speed, clarity, and legitimacy. Alright, so the agency spots the need and kicks off the process. But what actually gets things rolling after that? That's where notice and comment comes in.

Eric Marquette

So here’s where things get a little more public—the agency publishes a proposed rule in the Federal Register. And that's the signal. It's like the starting gun for that "notice and comment period" everyone's heard about, but maybe doesn’t really understand in detail.

Paul Netopski

Yeah, if you’re listening and you’ve ever wanted to give feedback on a government rule, this is your window. Regulations.gov is the big one-stop-shop online now. Anyone—businesses, advocacy groups, you name it—can submit comments. That’s, by design, the main opportunity for the public to shape what the final rule actually looks like.

Eric Marquette

Right, but it’s not just a box to check off. Agencies have to do targeted outreach—not just post on the site and cross their fingers. When they make a real effort to get comments from the right people, and also use digital tools to handle and sort input, the process works better, moves faster. I’m thinking about those Environmental Protection Agency rules or FCC policy changes. Sometimes they get, what, tens of thousands of comments?

Paul Netopski

Yeah, and I've been there, Eric. I remember when the NIST Cybersecurity Framework had an update proposed—boom, thousands and thousands of comments came flooding in. We had a team just categorizing, de-duplicating, and making sense of the feedback. That’s actually a bottleneck; high volume or overly technical comments can jam things up. If agencies don’t set up a plan to process those, you see serious delays.

Eric Marquette

And sometimes the way they communicate about the proposal matters too. If the language is too technical, or they don’t give enough time, a lot of crucial voices might be left out. That’s especially tough for small businesses, which I know we talked about in our small business episode.

Paul Netopski

That's a good callback, Eric. And it's also why good agencies spend effort demystifying the rule—plain-language summaries, FAQs, stuff like that. But even with best practices, when you’re staring at 10,000 comments, there’s no quick fix. Someone has to actually read and understand each one. You can automate some sorting, but in the end, people have to make judgment calls before the process moves to finalization.

Eric Marquette

So the comment period can speed things up if managed well, or become the biggest slow-down if it's not. It's the cornerstone of transparent rulemaking—but also where the process most often gets bogged down.

Paul Netopski

Once that firehose of comments closes, it's crunch time. Under the Administrative Procedure Act—the big one, originally from 1946 and the backbone of all this—agencies actually have to review and address significant issues raised in those comments. They can't ignore anything material. The law requires agencies to explain how they responded to substantive comments when they publish the final rule in the Federal Register.

Eric Marquette

That’s huge, right? Because this is what keeps the process accountable. It's not just "thanks for your input, moving on." Agencies have to show their work—they have to summarize important themes from the comments and outline exactly how they addressed concerns or, you know, why they chose not to make a requested change.

Paul Netopski

Absolutely. And there are practical levers here, too. If an agency prepares response templates or predicts the big comment themes ahead of time, they can accelerate this stage. But if a rule is controversial, or if the comments raise substantial legal or technical issues, then you get a slow grind—especially once legal review comes in from places like the Office of Management and Budget or the Government Accountability Office, the GAO.

Eric Marquette

Oh, the GAO did a report not too long ago, right? I’m probably oversimplifying this, but their research showed agencies that fumble the response to comments—like, if they don’t explain things clearly or ignore key issues—often see bigger delays in getting rules finalized. And I think you saw that with the roll-out of new FAR cybersecurity clauses. There were a bunch of unresolved questions about risk assessment language that—well—pushed everything back for months.

Paul Netopski

Right, those delays weren’t theoretical—they had big downstream effects. That’s a recurring theme. When agencies embrace transparency and take the time to thoughtfully address input, it builds credibility, and sometimes opens up a path for smoother implementation. But if they sidestep concerns or gloss over controversy, it comes back to bite them, often with more legal scrutiny or pushback from Congress and stakeholders. So, thoughtful, thorough response isn’t just a legal box to check—it’s the best way to keep things moving downstream.

Eric Marquette

So, once comments are addressed and the final rule is ready, it goes back into the Federal Register, complete with responses. That’s the signpost—the next step is actually making sure the thing works in the real world, right?

Eric Marquette

Exactly. Once a rule is finalized, the agency moves into the real-world phase—you’ve got to implement the thing. That means developing clear procedures, dedicating resources, building compliance timelines. It all gets pretty operational at this point.

Paul Netopski

Yeah, this is where planning and coordination start to matter even more. Effective agencies—ones that actually hit the ground running—set measurable benchmarks for adoption right away. They track compliance data, identify issues early, and adjust as needed. If you remember, we talked about this a little bit when we looked at FAR Part 40 and supply chain security—putting a rule out is only half the battle. Making it stick is the art form.

Eric Marquette

And you need feedback mechanisms. It's not enough just to assign tasks and hope for the best. Agencies should create loops for input from the public, industry, even their own internal teams. Regular review meetings, published progress reports, stakeholder check-ins—that's what keeps trust up and ensures people feel like their concerns aren’t just floating into the void.

Paul Netopski

Transparency and accountability—those are the words. Publishing implementation progress, holding open stakeholder sessions. If there's a problem, people want to see how an agency responds. This also gives agencies flexibility to adapt enforcement strategies if they spot a pattern in compliance data or hear new concerns. Agencies that treat this as an ongoing relationship, instead of a ‘one and done’ deal, tend to see better results and avoid a lot of costly missteps down the line.

Eric Marquette

Yeah, and honestly, those practices are why the most complex rules—like the cybersecurity requirements or multifaceted procurement changes—can succeed at all. You can have a perfect rule on paper, but it’s what happens once it gets out in the wild that decides real-world impact.

Paul Netopski

Alright, moving further, effective oversight isn’t a “set it and forget it” deal. To know whether a rule’s working, agencies have to set clear performance metrics from the start. Think compliance rates, safety incident drops, economic impact—whatever the goal is, that’s what you benchmark. And these benchmarks aren’t just for internal reports—they get used to keep everyone honest, both inside and outside of government.

Eric Marquette

Yeah, otherwise, you’re just guessing if the change stuck. Periodic review is key—agencies gather data, listen to feedback, sometimes run independent audits. All that’s supposed to find out what’s working, what’s not, and honestly, it’s usually when they discover the parts that look great on paper... but don’t quite hit in practice.

Paul Netopski

True. And maintaining transparency—keeping the public informed about those results—is a requirement, not just a best practice. Evaluation reports get published, and ideally, agencies are open to input, whether that’s direct stakeholder feedback or just scouring the media and third-party analyses to spot problems early. If a rule needs updating, or enforcement strategy isn’t aligned with actual outcomes, agencies are supposed to make real, data-driven adjustments.

Eric Marquette

And when feedback reveals something isn’t clicking, the agency has to show not just "what" is changing, but "why." That’s what drives process improvements over time and helps avoid those scenarios where rules outlive their usefulness. I might be oversimplifying, but that’s the core purpose behind these post-implementation evaluations.

Paul Netopski

Exactly—it’s what keeps federal rules adaptable and rooted in reality, instead of just, you know, more words in the Code of Federal Regulations that nobody reads.

Eric Marquette

Let’s expand on that, because engagement doesn’t stop after publishing a rule, right? The best agencies build formal engagement plans—regular stakeholder meetings, public forums, surveys—straight into their post-rule process, not just as an afterthought. That loop is how you catch emerging friction before it becomes a crisis.

Paul Netopski

That’s exactly right. And it isn't just scheduled events. Agencies assign teams to monitor the landscape—media chatter, social media concerns, even industry newsletters. You have to spot trends and issues, sometimes before formal complaints come through.

Eric Marquette

And when people raise issues or concerns, there’s got to be a process—not just for saying “thanks, noted,” but for actually reviewing feedback, setting timelines for a response, and, when possible, incorporating valid suggestions into a future rule revision. I think more agencies are getting better at that, but there’s still a lot of room for improvement.

Paul Netopski

Yeah, you need a predictable structure—otherwise feedback just gets lost. If you have a team tracking suggestions with clear accountability, you get more actionable improvements and less disruption the next time a rule is updated. And I want to point out: this is required under the APA’s principles—fairness, transparency, and accessibility—not just a nice-to-have.

Eric Marquette

So if you’re a contractor, supplier, or even just a concerned citizen, it really is worth it to engage not just during the initial comment period, but throughout the life of the rule. That’s how the system adapts and improves.

Paul Netopski

Alright, Eric, let’s bring it full circle. Rules aren’t static. If there’s one thing you take away from all this, it’s that agencies have to regularly review existing regulations to make sure they're still effective. Technology moves, economic situations evolve, new security threats pop up—you get the picture.

Eric Marquette

Yeah, regular review cycles are baked into the process now, to keep rules from becoming fossils. And when something major changes—say, some new tech threat or an economic upheaval—they can, at least in theory, move more quickly to issue updates or amendments. Still takes effort to minimize the bureaucracy, but the goal is to make rapid adjustments possible when it matters.

Paul Netopski

And critically, agencies need channels for ongoing input, not just those big one-time comment periods. If stakeholders—industry, nonprofits, or the general public—can easily suggest improvements, the system becomes more resilient and responsive. That builds long-term trust and helps make sure the rulebook keeps up with reality.

Eric Marquette

You summed it up. The whole ecosystem depends on this kind of continuous improvement. Alright, we’ve covered the life cycle from start to finish—initiation, comment, finalization, and that never-ending oversight and engagement loop. Paul, any closing thoughts?

Paul Netopski

Just that understanding the process helps you be a better participant—whether you're a contractor, a compliance lead, or just a citizen who wants a voice. Don’t get discouraged by the slow pace; persistence and solid input really do shape outcomes over time.

Eric Marquette

Couldn’t agree more. That wraps up today's deep dive into the federal rulemaking process. Thanks for listening to FAR & DFARS: Procurement Power. We’ll be back soon to break down more procurement challenges and maybe even get a little more technical next time!

Paul Netopski

Looking forward to it, Eric. Thanks, everyone. See you next time.

Eric Marquette

See you, Paul. Take care, everyone!