Friday Flash 04/17/2026

The Spring Training Conference is Almost Here!

The Spring Training Conference: The Revolutionary Federal Market Continued is less than one month away! Join us May 13–14 in Falls Church, VA to hear directly from acquisition leaders across government and industry as we explore The New GSA for the Revolutionary Federal Market and The Evolving Federal Healthcare Market, along with key policy, program, and compliance developments. Attendees will have the opportunity to gain practical insights and engage directly with agency leadership on the issues that most impact the procurement community. View just some of the exciting conference highlights and developments below!

Keynote Sessions

We are honored to kick off the Governmentwide Day with a Keynote Fireside Chat featuring Michael Lynch, Deputy Administrator of the General Services Administration (GSA), who will discuss GSA’s role in supporting the federal marketplace and advancing the Administration’s acquisition priorities.

The Luncheon Keynote will feature Moshe Schwartz, Coalition Defense Fellow and President of Etherton & Associates, who will provide an overview of the federal budget and legislative landscape, including key developments in acquisition policy and program funding.

On the Healthcare Day, Moshe Schwartz will return to deliver the morning keynote focused on the federal healthcare budget and legislative landscape.

The Healthcare Day Luncheon Keynote will feature Wayland Coker, Acting Deputy Director and Supply Chain Optimization Director at the Administration for Strategic Preparedness and Response (ASPR), who will discuss the national security strategy for medical supply chains, including medicines, devices, and other critical medical resources.

Agency Leadership Insights

Senior agency leaders will participate across both days, providing updates on key priorities and initiatives shaping the federal market. The following speakers are among those participating in the Governmentwide Day of the conference.

Jeff Koses, GSA Senior Procurement Officer, and other agency leaders will discuss the ongoing Revolutionary FAR Overhaul (RFO), including its objectives, current efforts, and how these reforms are expected to impact acquisition policy, processes, and outcomes across government.
Laura Stanton, Federal Acquisition Service (FAS) Deputy Commissioner, GSA, will provide an update on FAS, including key priorities, operational developments, and opportunities for industry engagement.

On the Healthcare Day of the conference, senior acquisition leaders from the Department of Veterans Affairs (VA) will also provide updates on VA acquisition priorities, organizational changes, and strategic initiatives supporting veteran care.

Invited speakers include:

Phil Christy, Principal Executive Director and Chief Acquisition Officer, OALC, VA
Christopher Parker, Deputy Principal Executive Director & Deputy Chief Acquisition Officer, OALC, VA
Jeffrey Neil, Senior Procurement Executive and Executive Director, OALC, VA

Nuts & Bolts Breakout Sessions

The “Nuts & Bolts” sessions are designed to provide attendees with practical, operational insight into key acquisition organizations and contract programs.

On the Governmentwide Day, Nuts & Bolts sessions will focus on GSA’s new FAS organizations and their mission, structure, and how each organization supports the acquisition needs of GSA’s customers:

CENTRALIZE
CREATE
ASSIST
DELIVER
OPTIMIZE

On the Healthcare Day, Nuts & Bolts sessions will highlight key federal healthcare contracting programs, including:

Indian Health Service (IHS) Pharmacy Program
VA Medical/Surgical Prime Vendor (MSPV) Program
Defense Logistics Agency (DLA) Medical Troop Support
VA Pharmacy Benefits Management Program
VA Prosthetics

TDR and FCP Help Desk

The Governmentwide Day will feature a dedicated help desk focused on Transactional Data Reporting (TDR) and the FAS Catalog Platform (FCP), offering attendees the opportunity to engage directly with GSA representatives on how these initiatives are impacting operations within the Multiple Award Schedule (MAS) program.

Participants include:

Josh Royko, Branch Chief, FAS Catalog Management Office, GSA
Paula Hance, Procurement Analyst, GSA
Manuel Gotay, Procurement Analyst, GSA
Peter Han, Director, Catalog Management Office, GSA
Amanda Werb, Business Requirements Analyst, GSA

Additional One-on-One Tabletops

Additional one-on-on engagement opportunities, including with the VA MSPV team, will be available at the conference as well. Check out the agendas for more details.

Join Us in May!

View the Governmentwide Day Agenda here.

View the Healthcare Day Agenda here.

Register today to secure your spot and stay ahead of the federal market! To register for the Spring Training Conference, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Hotel Room Block

Please note that the room block at the Fairview Park Marriott, the location of the conference, has sold out. The Coalition has secured an additional room block at the Courtyard by Marriott Dunn Loring Fairfax, located at 2722 Gallows Road, Vienna, VA 22180.

Important: This hotel is NOT the conference venue. Attendees staying at the Courtyard can access the conference via a circulating bus available at the Dunn Loring Metro Station, which provides transportation to the Fairview Park Marriott.

Please use the link below to secure your room at the discounted group rate:

Book your group rate at Courtyard by Marriott Dunn Loring Fairfax (event located at separate hotel)

This room block is available through April 27 or until rooms are sold out.

Spring Training Conference App Now Available!

We’re excited to announce that our official conference app is now live and ready to enhance your conference experience.

Through the conference app, attendees can personalize their schedule, build their profile, connect with fellow attendees, and engage with new interactive features, including gamification, discussion boards, and enhanced networking tools. Please find details below on how to access and use the app.

Access the App

If you have already registered for the conference, simply follow these instructions to download the app and log in. If you have not yet registered for the Spring Training Conference, be sure to reserve your spot here! All future registrants will receive app instructions within one business day.

Set Up Your Profile

Customize your profile with your title, organization, and profile picture to help other attendees connect with you.

New this year: Please be sure to tag your industry or area of focus within your profile. This will make it easier for other attendees to connect with you through the app.

Participate in Gamification

We are excited to introduce gamification as part of the conference experience! Earn points by participating in activities within the app and at the conference, including:

Visiting sponsor pages
Posting and engaging in discussion boards
Connecting with other attendees
Submitting questions
And more

Throughout the app, you will encounter gamification codes displayed on select pages. Enter these codes in the app to earn additional points. To get started, navigate to the “Earn Points” section of the app menu to view challenges, enter codes, and track your leaderboard standings. Top participants will earn prizes!

Join the Discussion Boards

Engage with fellow attendees through the app’s discussion boards, organized by key topic areas. Use these channels to:

Connect with attendees in your field
Share insights and perspectives on relevant procurement trends and opportunities
Continue conversations from sessions during the conference

Connect with Other Attendees

Use the app’s networking features to connect with fellow attendees before and during the conference. Browse attendees under the “Attendees” tab, start conversations, and schedule meetups.

Browse Sponsor Pages

Visit the “Sponsors” tab to explore sponsor and exhibitor profiles, learn more about their offerings, and connect with representatives.

View and Personalize Your Agenda

Browse the full agenda and select sessions by clicking “Add to Schedule.” To view your personalized agenda, click your profile icon in the top right corner of the app and select “Your Agenda.”

Participate in Q&A

During mainstage panels, submit anonymous questions directly through the app. To participate, select a session in the agenda and enter your question in the Q&A box.

We look forward to providing this interactive experience to enhance your time at the Spring Training Conference.

Thank you to our Mobile App Sponsor, Veterans Healthcare Supply Solutions (VHSS).

GSA Confirms When Contractors Should Begin TDR Reporting

As part of MAS Refresh 31 and the expansion of Transactional Data Reporting (TDR), the General Services Administration (GSA) has clarified the effective date for TDR participation under Mass Modification A909. TDR requirements will take effect on the first day of the sales reporting quarter following acceptance. For contractors that accept the modification on or before June 30, 2026, the effective date will be July 1, 2026.

Contractors will not transition to TDR immediately upon acceptance. Through June 30, contractors must continue to comply with Commercial Sales Practices (CSP) requirements and all non-TDR obligations, including pricing compliance under existing contract terms.

GSA also confirmed that a grace period for TDR data quality submissions will begin on July 1, aligning with the start of the first reporting period.

Additional corrective actions are expected to ensure a consistent TDR effective date across contractors:

For Contractors Who Have Not Yet Signed Mass Mod A909: A correction will be applied to the pending Mass Mod A909 to ensure the effective date of TDR participation is correct.
For Contractors Who Have Already Signed Mass Mod A909 (TDR Transition): A new unilateral Mass Modification will be issued to clarify the effective date of TDR participation as July 1, 2026.

VA Resumes Electronic Health Record Deployments

The Department of Veterans Affairs (VA) has resumed deployments of its Electronic Health Record (EHR) modernization system following a pause in 2023 due to implementation challenges, including workflow disruptions, patient safety concerns, and system outages.

The Federal EHR system went live on April 11 at four Michigan facilities. This marks the first wave of 13 planned deployments in 2026 under VA’s accelerated rollout schedule.

Additional deployments are scheduled for later this year:

June 2026

Chillicothe VA Medical Center (Chillicothe, OH)
Cincinnati VAMC (Cincinnati, OH)
Cincinnati VAMC–Fort Thomas (Fort Thomas, KY)
Dayton VAMC (Dayton, OH)

August 2026

Fort Wayne VAMC (Fort Wayne, IN)
Marion VAMC (Marion, IN)
Richard L. Roudebush VAMC (Indianapolis, IN)

October 2026

Alaska VA Healthcare System (Anchorage, AK)
Louis Stokes Cleveland VAMC (Cleveland, OH)

According to the VA, the modernization effort will improve the coordination of care, including enhanced data sharing across the VA, the Department of War, and private sector providers.

“These first EHR deployments in 2026 represent real progress toward a unified electronic health record that strengthens care delivery for our patients and providers,” said VA Deputy Secretary Paul Lawrence, Ph.D. “With our Michigan sites now live, we are building strong momentum as we prepare for the next wave of implementation.”

For more information about the EHR modernization program, visit https://digital.va.gov/ehr-modernization.

Coalition to Launch Survey on Contract Duplication

The Coalition will launch a new survey next week focused on identifying potential duplication across contracts.

The purpose of the survey is to gather member feedback from industry about the cost of contract duplication, including bid proposals and contract management. Insights from the survey will help inform ongoing discussions around contract alignment, consolidation, and best practices. Survey results will be shared with key government stakeholders.

Members are encouraged to participate. Survey responses will be treated as non-attributable, and individual company information will not be shared with the Government. The Coalition will collect company names solely to provide an accurate count of participating organizations.

A link to the survey will be distributed next week.

GAO Examines AI Procurement Across Federal Agencies

A recent Government Accountability Office (GAO) report examines how federal agencies are acquiring artificial intelligence (AI) products and services, identifying key challenges and opportunities for improvement. GAO conducted an in-depth review of 13 AI acquisitions across the Department of War (DoW), Department of Homeland Security (DHS), GSA, and the VA. The review also included agency policies, Office of Management and Budget (OMB) guidance, and interviews with senior officials involved in AI acquisition.

The report identifies tradeoffs associated with different AI acquisition approaches, as well as strategic and programmatic challenges to broader AI adoption. Key challenges include limited access to AI expertise, complexities in protecting government data, and difficulties aligning AI procurements with existing acquisition timelines and contract structures.

GAO also found that agencies have not yet established mechanisms to systematically share lessons learned from AI procurements, despite OMB guidance directing agencies to share this information through a GSA-managed repository.

GAO recommends that DoW, DHS, GSA, and the VA develop policies to collect and share lessons learned from AI acquisitions. All four agencies agreed with the recommendations.

GSA Looks to Expand OneGov into Long-Term, Scalable Programs

MeriTalk reports that GSA is working to transition its initial OneGov agreements into longer-term, scalable programs as the initial OneGov agreements approach their one-year mark. Launched in April 2025, OneGov is designed to modernize federal IT acquisition through standardized terms and pricing. To date, the program has expanded to include nearly two dozen companies.

Speaking at an industry conference, GSA Deputy Administrator Michael Lynch said the first year of OneGov has produced new public-private partnerships and that GSA is now collaborating with industry on the program’s next phase. Over the next six to nine months, GSA expects additional announcements about the extension of early agreements longer-term. Some OneGov agreements have included discounted or pilot offerings, including limited-use access to AI models. More recent agreements have also begun to extend beyond one-year terms, with some structured for 18 months.

According to Deputy Administrator Lynch, the program has generated more than $1 billion in governmentwide savings to date, building on earlier estimates of $800 million. He also noted that the initiative has reduced overall spending without significantly changing how agencies use existing tools.

Looking ahead, GSA expects increased activity in the second half of fiscal year 2026, including efforts to expand access to services, deepen agency partnerships, and support the development of more scalable AI infrastructure across government.

GSA Posts Additional Q&As to OASIS+ FAQs

GSA has posted more than 120 new questions and answers to the FAQ section of the OASIS+ Solicitations (Continuously Open) webpage. Vendors that have submitted proposals, as well as those considering participation, are encouraged to review the updated responses.

GSA advises vendors to review existing FAQs before submitting new questions. The FAQ section will continue to be updated on a rolling basis.

The Solicitations (Continuously Open) webpage includes:

An overview of the continuously open model;
Information on how submissions and rolling awards are managed ;
A centralized FAQ resource; and
Guidance on the Q&A submission process.

VA FSS to Issue Mass Modification for Multiple Schedules

The VA Federal Supply Schedule (FSS) will soon issue a mass modification for Schedules 65IB, 65IIA, 65IIF, 65IIC, 65VII, 65VA, 621I, and 621II that incorporates new clauses and provisions into the contract.

The modification includes the addition of GSAM/GSAR 552.238-116 (Option to Extend the Term of the FSS Contract), FAR 52.217-9 (Option to Extend the Term of the Contract), and A-FSS-11.

Current FSS Contractors will receive an email notification that includes downloadable documents and submission instructions.

GSA Launches Initiative to Expand Use of AI

Federal News Network reports that GSA is exploring the use of AI to automate portions of its internal work following a significant reduction in its workforce. Speaking at an industry conference, GSA Deputy Administrator Michael Lynch said that the agency has launched a “million hours challenge” using its internal AI tool, USAi, to automate work currently performed by federal employees and contractors.

Deputy Administrator Lynch noted that GSA has already identified approximately 400,000 hours of work that could be automated by reducing lower-value administrative tasks and shifting personnel toward higher-value activities.

“GSA, like most parts of the federal government, is reduced in size from where we were at the start of the administration,” Deputy Administrator Lynch said. “We’re now looking at everything we do to identify where we can be more efficient and better use technology to go faster.”

To support this effort, GSA has established a small internal team, known as GSA Labs, to identify opportunities to automate and modernize agency operations. According to Deputy Administrator Lynch, approximately 300 employees applied to participate, with an initial cohort of about 30 employees selected. Lynch described the group as an internal consulting team that will work with agency leadership to address operational challenges and identify opportunities for automation.

Legal Corner: Executive Order Targets DEI… Again

The Legal Corner provides the procurement community with an opportunity to share insights and comments on Legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Common Sense in Government Procurement.

Alejandra Montenegro Almonte, Connor W. Farrell, Scott N. Flesch, Nate Lankford, Katherine E. Pappas, Ashley Powers, Alejandro (Alex) L. Sarria, Jason N. Workmaster; Miller & Chevalier

On March 26, 2026, President Trump issued a new diversity, equity, and inclusion (DEI)-related executive order (E.O.) titled, “Addressing DEI Discrimination by Federal Contractors.” This E.O. follows – and is in addition to – the administration’s prior efforts in E.O. 14151, “Ending Radical and Wasteful Government DEI Programs and Preferencing,” and E.O. 14173, “Ending Illegal Discrimination and Restoring Merit-Based Opportunity,” to address what it referred to as “illegal DEI” (previously discussed here). So, in addition to continuing to monitor the certification and related requirements called for in those earlier E.O.s, contractors and subcontractors will now need to be prepared to (1) address – potentially in very short order – a new contract provision aimed at what the E.O. broadly defines as “racially discriminatory DEI activities” in a way that does not clearly align with existing anti-discrimination law, and which also imposes new audit and reporting requirements, and (2) further take into account the enforcement risks associated with the administration’s view of what constitutes such activities.

Broad Definition of “Racially Discriminatory DEI Activities”

Unlike the prior DEI-related E.O.s which did not provide a definition of “illegal DEI,” leading to the issuance of further Department of Justice (DOJ) guidance on that subject (previously discussed here), this order defines “racially discriminatory DEI activities” and does so quite broadly.¹ Specifically, the E.O. defines “racially discriminatory DEI activities” as “disparate treatment based on race or ethnicity in the recruitment, employment (e.g., hiring, promotions), contracting (e.g., vendor agreements), program participation, or allocation or deployment of an entity’s resources.” And it defines “program participation” as “membership or participation in, or access or admission to: training, mentoring, or leadership development programs; educational opportunities; clubs; associations; or similar opportunities that are sponsored or established by the contractor or subcontractor.”

The reference to “allocation or deployment of an entity’s resources” in the definition of “racially discriminatory DEI activities,” and the inclusion of mentoring, leadership development, and training programs within “program participation,” suggest that many corporate programs could be subject to scrutiny by the administration – even though they are not labeled as DEI and even though the E.O. does not identify any pre-existing legal authority that would necessarily render them illegal. Consequently, the contract clause – once included in a contract – could arguably impose a contractual obligation that is broader than compliance with underlying, applicable anti-discrimination laws. By including “contracting (e.g., vendor agreements)” in the definition of “racially discriminatory DEI activities,” the E.O. also could be read to reach state and local requirements for diversity in contracting/subcontracting, thus potentially creating a conflict between state and local laws, on one hand, and the new contract clause, on the other, that contractors will need to carefully assess.

New Contract Clause

The new E.O. directs all executive departments and agencies, as well as independent establishments (collectively, agencies), “to the extent permitted by law,” to include in all contracts and contract-like instruments (at the prime and subcontract levels) a new contract clause, set forth in full text in the E.O. as follows:

In connection with the performance of work under this contract, [the contractor/appropriate party (contractor)] agrees as follows:

The contractor will not engage in any racially discriminatory DEI activities, as defined in section 2 of the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors);
The contractor will furnish all information and reports, including providing access to books, records, and accounts, as required by the contracting agency pursuant to the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors), for purposes of ascertaining compliance with this clause;
In the event of the contractor’s or a subcontractor’s noncompliance with this clause, this contract may be canceled, terminated, or suspended in whole or in part, and the contractor or subcontractor may be declared ineligible for further Government contracts;
The contractor will report any subcontractor’s known or reasonably knowable conduct that may violate this clause to the contracting department or agency and take any appropriate remedial actions directed by the contracting department or agency;
The contractor will inform the contracting department or agency if a subcontractor sues the contractor and the suit puts at issue, in any way, the validity of this clause; and
The contractor recognizes that compliance with the requirements of this clause are material to the Government’s payment decisions for purposes of section 3729(b)(4) of title 31, United States Code (False Claims Act).

The E.O. directs that agencies ensure inclusion of this clause within 30 days of the date of the order (i.e., April 25, 2026). It is unclear, though, whether the direction to include this new contract clause applies only prospectively to new contracts and contract-like instruments, or whether it also applies to existing ones.² It is also unclear whether the president has the authority to direct inclusion of specific clause text when that text has not been subject to publication in the Federal Register and the notice-and-comment process, and the E.O.’s limitation of its implementation “to the extent permitted by law” suggests the administration itself recognizes that it may be challenged on this basis.³ Moreover, because the E.O. could be interpreted as a labor and employment regulation (as opposed to a procurement regulation), it could potentially face challenges based on an argument that it is outside the scope of the president’s direct regulatory power under the Federal Property and Administrative Services Act (FPASA).⁴

Despite this uncertainty, however, contractors should be prepared to see the new clause included in solicitations going forward, as well as efforts by agencies to include it in existing contracts. In addition to prohibiting contractors from engaging in “racially discriminatory DEI activities” as that term is defined in the E.O., the new clause facilitates government investigations by:

Providing contracting agencies with broad audit rights, requiring contractors to “furnish all information and reports, including providing access to books, records, and accounts, as required… for purposes of ascertaining compliance” with the clause.
Requiring contractors to “report any subcontractor’s known or reasonably knowable conduct that may violate this clause.” Presumably, however, this requirement should be read in light of applicable False Claims Act (FCA) precedent, which provides that a prime contractor is entitled to reasonably rely upon the certifications of its subcontractors – unless it has reason to doubt the accuracy of those certifications. See United States ex rel. Folliard v. Gov’t Acquisitions, Inc., 764 F.3d 19, 29-31 (D.C. Cir. 2014).

Enforcement Risks

The order makes clear that the administration contemplates using several different enforcement mechanisms with respect to the new clause, including:

Contract-level remedies: Agencies are authorized to cancel, terminate, or suspend contracts (in whole or in part) for contractor or subcontractor non-compliance.
Suspension and debarment: Agencies are directed to take appropriate action to suspend and debar non-compliant contractors and subcontractors.
Civil FCA exposure: The E.O. reinforces consistent themes in prior E.O.s and agency communications, stating that the administration will consider non-compliance with the new clause to constitute the basis for an FCA violation. In this regard, the clause expressly states that compliance is “material” to the government’s payment decisions under the FCA.⁵ Moreover, the order provides: “DEI activities impose artificial costs in hiring, promotion, and operations… [and] create unnecessary costs by reducing the pool of available labor by artificially limiting companies to hiring or promoting certain individuals, suppliers, or intermediaries based on their race or ethnicity. These costs are inevitably passed on to the Federal Government when it contracts with companies who engage in racially discriminatory DEI activities, or who use subcontractors who do so.” In addition, the E.O. directs the Attorney General (AG) to consider bringing FCA actions against violators and to ensure prompt review of qui tam actions brought by private relators, including rendering a decision on intervention within the 60-day seal period to the maximum extent practicable.
Sector-specific targeting: The Office of Management and Budget (OMB), in coordination with the AG, the Domestic Policy Council, and the Equal Employment Opportunity Commission (EEOC) Chair, is directed to identify economic sectors that pose a particular risk of engaging in racially discriminatory DEI activities and issue additional compliance guidance for those sectors.

Conclusion

The administration’s ongoing focus on DEI-related issues requires continued vigilance by contractors to understand the legal and enforcement risks in question. In particular, it is advisable for contractors to assess their existing practices in light of the E.O.’s definition of “racially discriminatory DEI activities,” given the lack of clarity as to whether that definition is co-extensive with existing anti-discrimination laws. After having made such an assessment, contractors can then assess their enforcement risk, plan accordingly in light of that assessment, and be prepared to defend the rationale for activities that may come under scrutiny.

Legal Corner: Has GSA Adopted DOD’s CMMC Requirements?

Authored by Reggie Jones & Nick Feldstern; Fox Rothschild LLP

If your organization handles Controlled Unclassified Information (CUI) for the federal government, take note: the U.S. General Services Administration (GSA) has just raised the bar on compliance. On January 5, 2026, GSA published new requirements for contractors and other nonfederal entities that work with CUI, and unlike the Department of Defense’s (DOD) phased rollout of its Cybersecurity Maturity Model Certification (CMMC) program, GSA isn’t waiting around. These requirements are effective immediately and mirror FAR proposed, but not final, CUI rule published in January 2025.

In an unusual move, GSA issued its IT Security Procedural Guide, entitled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112 Rev. 1” (the Guide), without a press release or other agency communication and without an opportunity for industry comment, which typically accompanies impactful agency rulemaking and guidance. And the Guide will make a huge impact once its requirements are included as a contractual requirement. Contractors wishing to remain eligible for GSA contracts must:

Comply with all of the security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 3 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” select enhanced controls from NIST SP 800-172, Rev. 3 (draft), “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” and select privacy controls from NIST SP 800-53 Rev. 5, “Security and Privacy Controls for Information Systems and Organizations”;
Engage in a five-step approval process, including third-party assessment and continued compliance monitoring; and
Comply with a strict one-hour cyber incident reporting requirement.

Although styled as internal agency guidance, the Guide signals the standards GSA intends to enforce going forward. Notably, however, the guide is silent on how these requirements will be incorporated into solicitations and contracts, leaving contractors with clarity on what will be expected of them but uncertainty as to how and when those expectations will be formally imposed.

Below, we break down the key elements of the Guide and highlight what organizations holding or pursuing GSA contracts—including those on GSA’s governmentwide Multiple Award Schedule (MAS)—need to know.

Federal Cybersecurity and the Standardization of CUI Compliance

In 2010, Executive Order 13556, titled “Controlled Unclassified Information,” established an open and unified program for managing information that, while unclassified, requires safeguarding or dissemination controls. The CUI program, implemented through 32 CFR § 2002, includes rules, organization, and procedures for federal and nonfederal entities that process, store, or transmit CUI. However, in practice, different agencies implemented the program and associated requirements haphazardly, leading to confusion among contractors and contracting personnel alike.

In the late 2010s, policymakers and industry began pushing for more consistency. At the forefront was DOD’s CMMC program, which was first announced in 2019, later finalized in 2024, and became formally effective in November 2025.

In short, the CMMC requires contractors to meet certain security requirement thresholds depending on the type of federal information that they will handle during contract performance. For contracts that involve handling CUI, contractors must implement security controls derived from NIST SP 800-171 Rev. 2 and, in the case of highly sensitive CUI, from NIST SP 800-172 Rev. 2. Compliance with the CMMC is a prerequisite for contract award for any defense contract that involves processing, storing, or transmitting Federal Contract Information (FCI) or CUI. Pursuant to the CMMC program, DOD solicitations will explicitly inform contractors what CMMC level is required for eligibility.

The CMMC emerged, in part, from growing concerns that allowing contractors to self-certify their cybersecurity compliance could result in false or inaccurate attestations and heightened security vulnerabilities. Accordingly, a key characteristic of the CMMC program, which differentiated it from other existing agency CUI programs, is the requirement of a compliance assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). (For a more in-depth dive into the CMMC see “Final CMMC Rule Effective Nov 10, 2025: What Federal Contractors Need to Know”).

While DOD’s CMMC program attracted the most attention, other civilian agencies have also been advancing CUI program reforms. The Federal Acquisition Regulation (FAR) Council issued a proposed rule to amend the FAR in January 2025, which has yet to become final, to incorporate CUI-related requirements across federal contracting. The Guide contains similar requirements to those contemplated by the FAR proposed rule. The Guide also shares several key characteristics with the CMMC, but diverges in important ways.

GSA’s Guide

Under the new guidance, contractors must comply with NIST security controls for all contractor information systems that process, store, or transmit CUI and will require both third-party assessment and approval by GSA’s Office of the Chief Information Security Officer (OCISO) in order to remain eligible for GSA contracts. Unlike the CMMC, which is currently undergoing a four-year phased rollout to allow defense contractors time to achieve compliance, this GSA framework provides no transition period, which means implementation can begin immediately.

However, also unlike the CMMC, GSA will approve non-compliant systems so long as specific “showstopper” controls are implemented, including multi-factor authentication, vulnerability monitoring and scanning, secure remote access controls, implementation of cryptographic protection, and replacement of unsupported components. Contractors that meet these “showstopper” controls but lack other controls will be required to develop a Plan of Actions and Milestones (POA&M), which identifies deficiencies and establish a timeline for full compliance.

Five-Phase Process for Protecting CUI

The Guide is structured around NIST’s Risk Management Framework, which consists of five phases, each broken down into multiple subphases.

Phase 1: Prepare – Contractors must first determine the types of information stored, processed, or transmitted by their information systems using the Federal Information Processing Standard (FIPS) 199 security categorization template. During this subphase, contractors will collaborate with the GSA Information System Security Officer (ISSO), Information System Security Manager (ISSM) and the CISO to confirm this determination. After an initial kickoff meeting with GSA to discuss the CUI approval process, the contractor must submit details on its solution architecture and security capabilities to GSA for evaluation.

Phase 2: Document – Contractors next must prepare and submit several key deliverables: a System Security and Privacy Plan (SSPP), Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA), Architecture Review Checklist, and Supply Chain Risk Management Plan. Importantly, contractors should be aware that security plans developed for other federal programs, such as CMMC or the Federal Risk Authorization and Management Program (FedRAMP), generally cannot be repurposed to satisfy this requirement due to GSA-specific criteria. All materials must be reviewed and approved by GSA before contractors can move forward. Phases 1 and 2 most closely align with the “scoping” phase of the CMMC.

Phase 3: Assess – The third phase requires contractors to engage a third-party independent assessor, either a FedRAMP Third Party Assessment Organization (3PAO) or GSA‑approved independent assessor, to test their systems using a plan agreed to in advance by GSA. POA&Ms are also required at this stage.

Phase 4: Authorize – GSA will conduct a multi-level review of the contractor’s approval package then prepare a Memorandum for Record evaluating whether the contractor’s systems are sufficiently secure to handle CUI.

Phase 5: Monitor – Once approved, contractors must continuously monitor their information systems and prepare quarterly deliverables (vulnerability scanning reports, POA&M updates, and shared drive access review) and annual deliverables (updated SSPPs, PTAs, and PIAs). Additionally, contractors must undergo a third-party assessment every three years and immediately report any major system changes to GSA.

One-Hour Incident Reporting

Beyond the five-phase CUI framework, the Guide imposes a stringent incident reporting requirement. Contractors must report both suspected and confirmed CUI incidents within one hour of discovery. Those who fail to meet this deadline face “escalation,” though the Guide leaves this term undefined, offering little clarity on the consequences.

This is a much shorter reporting window than the CMMC’s 72-hour window or the 8-hour window in the FAR CUI proposed rule. The tight reporting window raises practical concerns, as it leaves minimal time for contractors to conduct meaningful preliminary investigations. As a result, initial reports may be incomplete, forcing contractors to submit additional reports and potentially undermining the speed and effectiveness of their incident response efforts.

Contractor Takeaways

GSA’s CUI framework is effective immediately although it is not clear whether or how it will be incorporated into existing and new GSA contracts and leases. While the Guide may not provide all the answers, it suggests GSA contracting officers can begin enforcing the cybersecurity requirements on new contracts involving CUI. The more stringent requirements will have far-reaching impacts on any contractors holding or seeking any of the vast array of GSA contracts, including GSA’s many governmentwide acquisition contracts.
Contractors that hold or plan to pursue GSA contracts should immediately assess their CUI infrastructure under the new requirements, specifically the NIST SP 800-171 Rev. 3 and select NIST SP 800-172 Rev. 3 security controls. At the very least, contractors should ensure compliance with the more limited “showstopper” controls.
Prepare materials and get in line for a third-party assessment. Given the limited number of 3PAOs, contractors would be wise to open a dialogue and schedule an assessment. Considering the policy shift away from self-assessment and toward third-party assessment, contractors should expect other agencies to adopt similar requirements in the near future.
The careful reader will notice the Guide requires Revision 3 of both NIST SP 800-171 and -172, whereas the CMMC only requires Revision 2. This is significant, as Revision 3 reorganizes and consolidates several of the 110 security controls and places a greater emphasis on supply chain risk management, continuous monitoring, and stronger authentication. While Revision 3 is not a radical departure from its predecessor, contractors already familiar with Revision 2, such as defense contractors, must be aware of the differences.
Although the Guide does not explicitly address subcontractor flow-down requirements, contractors should consider broader trends in CUI protection, which typically require prime contractors to ensure subcontractors employ similar CUI safeguards. Given this landscape, GSA contractors are well-advised to proactively ensure their subcontractors adhere to general CUI safeguarding practices, even absent express guidance to do so.
Given the limited pool of trained and approved independent assessors, contractors should anticipate some delays in scheduling assessments. Early engagement with legal counsel experienced in federal cybersecurity and procurement requirements can be invaluable for navigating these obligations, evaluating risk, and developing a sound compliance strategy.

FY27 Budget Proposes Increased VA IT and AI Investments

NextGov/FCW reports that the White House’s Fiscal Year (FY) 2027 budget request includes approximately $6.3 billion for the VA’s information technology (IT) systems, with a growing portion dedicated to AI.

The proposal includes $130 million for AI and automation investments within the Veterans Benefits Administration to support claims processing, with the goal of reducing errors and improving delivery timelines.

A separate FY27 budget document for VA IT programs proposes $47.8 million for “Decision Intelligence and Automation,” representing an increase of $4.7 million over FY26 enacted levels. These funds are meant to support infrastructure and capabilities to develop, integrate, and govern AI across the agency. According to the budget materials, the VA has reported time savings of approximately two-three hours through the use of generative AI tools.

The budget request also includes $4.2 billion to continue implementation of the VA’s EHR program. The VA indicates that ongoing efforts to migrate the system to a cloud-based infrastructure are expected to support expanded use of AI capabilities in the future.

Alliant 3 Phased Award Update

GSA has issued a notice with an update on the Alliant 3 phased award process. The agency confirmed that it continues to evaluate proposals for Phase II awards.

Importantly, GSA noted that companies that have not received a Phase I notice of award remain under consideration and have not been eliminated.

GSA Contractors should continue to monitor SAM.gov for additional updates.

GSA OCAS to Host Pipeline Review Webinar, May 28

GSA’s Office of Centralized Acquisition Services (OCAS) will host its first pipeline review webinar on Thursday, May 28, at 1:00 PM (ET).

During the session, the GSA Office of Small Business will discuss ongoing efforts to partner with small businesses. OCAS leadership will also highlight current and upcoming opportunities where the office is supporting agency customers.

Registration information can be found here. A Zoom link will be shared upon registration confirmation.

Future-Proofing Your Contracts: Legal Compliance Updates for Government Contractors, April 23

The Coalition is pleased to host a webinar featuring PilieroMazza, Partner, Nichole Atallah to discuss legal updates impacting government contracts. The webinar will be held on April 23 at 12:00PM ET.

Panelists will review recent legal developments, discuss notable regulations, and provide best practices for positioning your business amidst the change.

Learning objectives include:

new SBA rule changes
cases impacting mentor-protégé and joint venture arrangements
refresher on the nonmanufacturer rule (NMR)
recent GAO protest ruling involving a reseller and the Trade Agreements Act (TAA)
Corporate Transparency Act (CTA) compliance
updates on CMMC 2.0 implementation
national security memo on Artificial Intelligence (AI)

Join us for an informative discussion designed to keep you ahead of the latest legal and regulatory changes affecting the government contracting community.

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Transactional Data Reporting: Key Updates and Considerations for MAS Contractors, April 22

The Coalition will host a webinar on Transactional Data Reporting (TDR) on April 22 at 12:00 PM (ET), featuring The Gormley Group’s Andrew Sisti, Principal GSA Schedule Consultant and GSA Systems Subject Matter Expert, and Lauren Keshavarz, Senior GSA Schedule Consultant.

With TDR expanded across the Multiple Award Schedule (MAS) program through Refresh 31, contractors are now facing important updates. This session will provide an overview of key TDR requirements and compliance considerations.

During the webinar, Andrew and Lauren will cover:

The transition from Commercial Sales Practices (CSP) to TDR
Key reporting elements, including new requirements from Refresh 31
How to report firm-fixed price orders
TDR best practices

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Please note: The webinar will be recorded and sent to all registrants.

Pharmaceutical Committee Meeting: BIOSECURE Act Update, April 29

The Coalition’s Pharmaceutical Committee will host a meeting with Joy Sturm of Hogan Lovells for a briefing on the BIOSECURE Act. The meeting will be held virtually on April 29 at 12:00 PM (ET).

The BIOSECURE Act, signed into law on December 18, 2025, as part of the FY26 National Defense Authorization Act (NDAA), restricts U.S. federal agencies and recipients of federal funding from contracting with or using biotechnology equipment or services from designated “biotechnology companies of concern.” The legislation is intended to strengthen national security by limiting foreign access to sensitive biological data, particularly from companies with ties to China.

To register, click here. This is a members-only event. If you see a message that says “Registration Not Available” please log in using your member account.

Using JVs to Win Work with GSA and Beyond, April 30

The Coalition is pleased to host a webinar with Meghan Leemon, Partner at PilieroMazza, for a practical and informative discussion to help you structure and use joint ventures (JVs) to expand your federal contracting opportunities. The webinar will be held on April 30 at 12:00 PM (ET).

JVs are an excellent tool to win work, including with GSA. However, JVs must be structured properly to avoid significant risks that can arise in protests or in disputes between JV partners. Using JVs for GSA Schedules requires a unique approach. This webinar will discuss how you can structure and use JVs to win work and grow, with GSA Schedules and beyond.

Topics include:

Tips for how to form and best utilize JVs
Using JVs to pursue work through GSA Schedules
Latest developments with JV regulations and case law

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

GSA & VA Schedule Contracting Training for In-House Counsel, May 12

The Coalition is proud to once again host its “must attend” General Services Administration (GSA) and Veterans Affairs (VA) Schedule Contracting Training for In-House Counsel on May 12! This course is designed for lawyers and contract managers at member companies with significant contract management and compliance responsibilities with GSA and/or VA Schedule contracts.

Our presenters for the day will be Robert Burton, Partner, Crowell & Moring; Ken Dodds, Executive Vice President & General Counsel, The Coalition for Common Sense in Government Procurement; and Jason Workmaster, Member, Miller & Chevalier Chartered;

During the training, Robert, Ken, and Jason will cover the following topics and more:

Pricing – Transactional Data Reporting (TDR)/Commercial Sales Practices (CSP);
Domestic Preferences;
Supply Chain;
Enforcement/Mandatory Disclosure/Ethics;
Sustainability Requirements/Policy; and
Bid Protests Update.

Reasons to Attend:

After successfully completing this course, you will receive 6 CLE credits, while also gaining an understanding of:

GSA/VA’s most favored customer pricing policy and major requirements of the government solicitation;
Current audit/oversight procedures;
Current GSA Schedule Price Negotiation Priorities; and
How the GSA Schedule can impact your company’s bottom line.

Plus, you will be able to advise your in-house clients regarding topics such as:

Disclosure of company records;
Establishing management and compliance processes;
Establishing ethics programs and mandatory disclosure;
Avoiding penalties; and
Identifying resources to assist with continuing legal support of your internal GSA/VA Schedule programs.

Who Should Attend:

This training course is excellent for:

In-house counsel for current GSA/VA Schedule contractors and/or companies considering becoming a GSA/VA Schedule contractor;
Government attorneys that advise clients with GSA/VA Schedule contracts;
Contract Managers with MAS experience; and
Compliance Personnel.

The training will be held at GDIT, Falls Church, VA, Time: 9:30 AM – 3:30 PM (ET). Virtual attendance is also offered for the course. We look forward to your participation!

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

VA Medical/Surgical Prime Vendor (MSPV) Make PPE in America Industry Day, May 12

The Department of Veterans Affairs (VA) is excited to announce the upcoming MSPV Make PPE in America Industry Day on May 12, 2026. This event is intended to bring together suppliers, manufacturers, and industry stakeholders involved in the production and distribution of Personal Protective Equipment (PPE) to support the VA’s Medical/Surgical Prime Vendor Program. Our goal is to foster collaboration, share valuable insights, and enhance the procurement and supply chain processes for PPE necessary to serve our veterans and healthcare providers effectively.

This event will be held in conjunction with the Coalition for Government Procurement (CGP) Spring Training Conference, which will take place on May 13–14, 2026, at the same venue. Attendees interested in participating in the CGP Spring Training Conference can ﬁnd more details and register below.

* Personal protective equipment, as applied to this Industry Day announcement, means surgical masks, N95 masks, respirator non-surgical masks and powered air purifying respirators and required ﬁlters, face shields and protective eyewear, disposable and reusable surgical and isolation gowns, head and foot coverings, and other gear or clothing used to protect an individual from the transmission of disease. All items must be in compliance with the “Infrastructure Investment and Jobs Act” (IIJA) PL 117-58, and the “Make Personal Protective Equipment (PPE) in America Act”. Additionally, this Industry Day event will exclude gloves. Additionally, any information from industry awareness for speciﬁc PPE items that may have no compliant items available is welcome.

** Representatives will be available from the CGP to register for their Spring Training Conference during the Industry Day event.

VA’s MSPV Program is looking for:

PPE Manufacturers and Suppliers
PPE Medical/Surgical Product Distributors
Industry Stakeholders
Supply Chain Management Professionals

Why attend the Make PPE in America Industry Day?

Understand the VA’s MSPV Program and its impact on PPE procurement.
Learn about the VA’s current and future PPE requirements.
Network with key VA officials and industry leaders.
Gain insights into the VA’s procurement processes and opportunities.
Showcase your innovative PPE products and solutions.

We look forward to your participation in this informative and engaging event as we work together to ensure the safety and well-being of our veterans and healthcare providers.

Event Details:

Date: Tuesday May 12, 2026

Time: Booth/Table 8:00am – 9:00am; MSPV/MSPO opening statements 9:15am – 9:30am Location: Fairview Marriott, Falls Church, Virginia

Event Fee: The Industry Day event on May 12 will be free of charge.

NO VIRTUAL ATTENDANCE – THIS IS AN INDIVIDUAL BOOTH PRESENTATION & TOUCH AND FEEL EVENT

MSPV Make PPE in America Industry Day Agenda:

Welcome and Introduction
VA’s MSPV PPE Procurement Needs and Processes
Q&A Session
Supplier Presentations and Innovations in PPE (individual times will be on a signup sheet in the future)

Registration Information Industry Day (no cost):

Please register for the MSPV Make PPE in America Industry Day event by 12:30pm Eastern on April 7, 2026 to Matthew McDonell Matthew.McDonell@va.gov and Sarah Scott Sarah.Scott1@va.gov with the following information in the body of the message:

Company name and direct contact information
Attendee Count
SB Status (if any)
SAM UEI and DUNS
PPE Product

If you have any questions for the Coalition regarding the Industry Day, please contact Joseph Snyderwine at JSnyderwine@thecgp.org.

Please note that registration for the Spring Training Conference (May 13-14) and Industry Day (May 12) is separate. For more information on the Spring Training Conference and to register, click here.