Friday Flash 04/03/2026

Spring Conference Agenda Day 2: The Evolving Federal Healthcare Market

The Coalition for Common Sense in Government Procurement (Coalition) is excited to share the Healthcare Day agenda for the 2026 Spring Training Conference: The Revolutionary Federal Market Continued, on May 13-14 at the Fairview Park Marriott!

The Evolving Federal Healthcare Market

The theme for the Healthcare Day on May 14 is the Evolving Federal Healthcare Market.  The conference will bring together leaders from across government to discuss acquisition priorities, supply chain challenges, and key program developments. Sessions will highlight how agencies are adapting to meet mission needs, strengthening healthcare delivery, and partnering with industry to support critical requirements.

Attendees will hear from acquisition leadership at the U.S. Department of Veterans Affairs, Department of Health and Human Services, Defense Health Agency, Defense Logistics Agency, and Indian Health Service about their current priorities, contract opportunities and upcoming compliance requirements for Federal contractors.

All speakers are invited unless otherwise noted as confirmed.

Agenda Highlights

Morning Keynote Address: Healthcare Budget & Legislative Updates

We are pleased to welcome Moshe Schwartz, Coalition Defense Fellow and President of Etherton & Associates, to provide a Keynote Address on the federal healthcare budget and legislative landscape. This session will cover policy developments impacting healthcare acquisition, government funding, and policy considerations.

Lunch Keynote Address: The National Security Strategy for Medical

Wayland Coker, Acting Deputy Director and Supply Chain Optimization Director at the Administration for Strategic Preparedness and Response (ASPR), will discuss the national security strategy for medical supply chains, especially medicines, devices and other critical medical supplies.

VA Leadership Panel

Senior acquisition leaders from the Department of Veterans Affairs (VA) will provide updates on the VA’s acquisition priorities, organizational changes, and strategic initiatives. This panel will offer valuable insight into how VA is organizing its acquisition enterprise to support veteran care.

Invited speakers include:

  • Phil Christy, Principal Executive Director and Chief Acquisition Officer, OALC, VA
  • Christopher Parker, Deputy Principal Executive Director & Deputy Chief Acquisition Officer, OALC, VA
  • Jeffrey Neil, Senior Procurement Executive and Executive Director, OAL, VA

VA Contracting Programs Panel

VA leaders representing key contracting organizations from the Strategic Acquisition Center (SAC), National Acquisition Center (NAC), Technology Acquisition Center (TAC), and Veterans Health Administration (VHA), will discuss their respective programs, priorities, and opportunities for industry engagement.

Invited speakers:

  • Joy Smith, Acting Associate Executive Director, SAC and NAC, VA
  • Jeff Bishop, Acting Associate Executive Director, TAC, VA
  • Dr. Zeb Fox, Associate Executive Director, Office of Facilities Acquisition & Head of Contracting Activity, Office of Construction Facilities Management, OALC, VA
  • Curtis Jordan, Executive Director, Regional Procurement Office – West, VHA

Healthcare Customer Agency Panel

Leaders from key healthcare agencies, including the Department of Health and Human Services (HHS), VA, Indian Health Service (IHS), and Defense Logistics Agency (DLA), will discuss their missions, challenges, and acquisition priorities, as well as ways for industry to support their evolving requirements across the federal healthcare system.

Invited speakers:

  • Joffrey Benford, CMA Division Director, BARDA and Head of Contracting Activity, ASPR, HHS
  • Spencer Roberts, Executive Director, Logistics, VHA
  • Capt. Robert Hayes, Director, National Supply Service Center, IHS
  • Matthew Beebe, Director of Acquisition, DLA

“Nuts & Bolts” Breakout Sessions

In the afternoon, attendees can participate in focused “Nuts & Bolts” breakout sessions covering critical healthcare programs, including:

  • IHS Pharmacy Program
  • VA Medical/Surgical Supplies (MSPV)
  • DLA Medical Troop Support
  • VA Pharmacy Program
  • VA Prosthetics

View the full Healthcare Day agenda here.

Additional Offerings for Healthcare Attendees

VA PPE Industry Day

Tuesday, May 12 at 8:00 AM (ET)

For more details and to register, see VA MSPV notice on SAM.gov here.

VA Med/Surg Supplies One-on-One Meetings

Wednesday, May 13

Available for conference attendees. Sign up instructions will be published in the Friday Flash newsletter soon. For questions, contact Joseph Snyderwine at jsnyderwine@thecgp.org.

Register Today

We are excited to explore these developments on the second day of the Spring Training Conference and to bring together government and industry leaders to discuss the evolving federal healthcare market!

To register for the Spring Training Conference, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Hotel Reservations

Please use this link to secure your room in our block at the discounted rate before April 27, 2026: Book your group rate for CGP Spring Training Conference.


Spring Conference Agenda Day 1: The New GSA for the Revolutionary Federal Market

The Coalition is excited to share the Governmentwide Day agenda for the 2026 Spring Training Conference: The Revolutionary Federal Market Continued, on May 13-14 at the Fairview Park Marriott!

The New GSA for the Revolutionary Federal Market

The Governmentwide Day on May 13 will focus on how the General Services Administration (GSA) is positioning itself to support the federal mission moving forward, consistent with the Administration’s priorities. Sessions will explore how GSA is adapting its approach to acquisition, enhancing coordination across government, and strengthening its role as a central partner in delivering mission outcomes. Attendees will learn how these developments will impact procurement strategies and engagement with GSA going forward.

All speakers are invited unless otherwise noted as confirmed.

Agenda Highlights

Keynote Address: GSA Administrator Edward C. Forst

We are honored to invite the Honorable Edward C. Forst, GSA Administrator, to deliver keynote remarks on GSA’s role in supporting the federal marketplace and advancing the Administration’s acquisition priorities. Building on his remarks at the Winter Training Conference, we will hear Administrator Forst’s vision for GSA, including key priorities and initiatives for the agency.

Federal Acquisition Service Update

We have invited Laura Stanton, Federal Acquisition Service (FAS) Deputy Commissioner, to provide an update on FAS, including key priorities, initiatives, operational developments, and how industry can best support FAS.

The Revolutionary FAR Overhaul Practitioners Panel

GSA leaders Jeff Koses, Larry Allen, and Polly Hall will discuss the ongoing Revolutionary FAR Overhaul (RFO), including its objectives, current efforts, and how these reforms are expected to impact acquisition policy, processes, and outcomes across government.

Luncheon Keynote: Budget & Legislative Updates

Moshe Schwartz, Coalition Defense Fellow and President of Etherton & Associates, will provide an overview of the federal budget and legislative landscape, including key developments on acquisition policy and program funding.

“Nuts & Bolts” Breakout Sessions: GSA in the New Revolutionary Federal Market

In the afternoon, attendees can engage in focused “Nuts & Bolts” discussions highlighting GSA’s 5 new acquisition organizations: CENTRALIZE, CREATE, ASSIST, DELIVER, and OPTIMIZE. GSA leadership from each organization will discuss their mission and structure. Attendees will gain a clearer understanding of how these GSA functions will support agency needs and impact acquisition strategies across government.

View the full Governmentwide Day agenda here.


New Executive Order to Implement DEI Restrictions in Federal Contracts 

On March 26, 2026, the President issued an executive order (EO) titled “Addressing DEI Discrimination by Federal Contractors.” Within 30 days of the EO (April 25th), executive agency contracts must include a clause stating that: 

1. The contractor will not engage in any racially discriminatory DEI activities. 

“Racially discriminatory DEI activities” means disparate treatment based on race or ethnicity in the recruitment, employment, contracting, program participation, or allocation or deployment of an entity’s resources. 

2. The contractor will furnish all information and reports (e.g., access to books, records, and accounts), to ensure compliance. 

3. Noncompliance may lead to contract cancellation or termination, and the contractor may be declared ineligible for further Government contracts.

4. The contractor must report any subcontractor’s known or reasonably knowable conduct that may violate this clause to the contracting department or agency.

5. The contractor will inform the contracting agency if a subcontractor sues the contractor and the suit puts at issue, in any way, the validity of this clause; and 

6. The contractor recognizes that compliance is material (False Claims Act liability). 

Within 60 days (May 25th), the Federal Acquisition Regulatory (FAR) Council will issue a deviation implementing the new DEI clause. In addition, the Office of Management and Budget will identify sectors where DEI poses a particular risk and issue guidance to Federal agencies about these sectors. 


Bill to Limit Defense Contractor Executive Compensation

Senators Elizabeth Warren (D-MA) and Josh Hawley (R-MO) have introduced the Prioritizing the Warfighter in Defense Contracting Act of 2026. The bill would impose financial restrictions on defense contractors that are not meeting Department of War (DoW) needs. 

The bill would codify elements of a recent executive order on the same topic and establish broad restrictions on certain financial activities for large defense contractors. “Large defense contractors” are defined as those that have received more than $250 million annually in DoW contract obligations in any of the past three years. Specifically, the bill would prohibit large defense contractors from engaging in stock buybacks, issuing dividend payments, or providing executive compensation above $5 million, unless a waiver is granted by the Secretary of War. 

Under the bill, a waiver would require certification that the contractor is meeting DoW requirements.  

The bill also establishes a process for addressing noncompliance, including a 15-day period for contractors to submit a remediation plan following notification.  


Army Issues Final MAPS RFP 

The U.S. Army has released the final Marketplace for the Acquisition of Professional Services (MAPS) Request for Proposals (RFP). MAPS is a multiple-award, indefinite-delivery/indefinite-quantity contract that will allow the Army, DoW, and federal agencies to procure knowledge-based professional services. These services include a variety of IT and engineering services ranging from cybersecurity, program management, and business process reengineering, to research, development, testing and more.   
 
Proposals are due May 1, 2026. Questions must be submitted through the Digital Marketplace Portal by April 17, 2026, where an interactive Q&A process will be available. 
 
View the final solicitation here.


Coalition Submits MSPV Product Addition Recommendations

The Coalition has drafted recommendations to improve the Product Addition Process for the Department of Veterans Affairs’ (VA) Medical Surgical Prime Vendor (MSPV) Program. The suggestions were drafted based on member feedback to facilitate discussion with the VA over opportunities to improve the program. The Coalition has submitted the comments to leadership at the VA Strategic Acquisition Center.

To view the comments, click here.

If you have any questions about the recommendations, please reach out to Joseph Snyderwine at JSnyderwine@thecgp.org.


EPA’s ENERGY STAR Program Moves to Department of Energy 

The Department of Energy (DOE) and the Environmental Protection Agency (EPA) have signed a Memorandum of Agreement regarding the ENERGY STAR program. The agreement moves administration of the ENERGY STAR program from EPA to DOE. Details about the transfer of the program will be outlined in the 2026 ENERGY STAR Transition Plan to be established by early June 2026.  


GAO Finds Privacy Gaps in OMB AI Guidance 

A Government Accountability Office (GAO) report identified gaps in the Office of Management and Budget’s (OMB) guidance on the federal use of artificial intelligence (AI). 

GAO formed a panel of AI experts to assess the guidance and found that it only partially addresses eight of ten identified privacy-related challenges. While OMB’s guidance addresses workforce capability and scaling AI implementation with privacy protections, it does not fully address the remaining privacy-related challenges or specify the types of risks agencies should consider when developing AI policies. 

GAO noted that without additional direction, agencies may not adequately protect sensitive information when using AI systems. 

The report includes two recommendations for OMB. First, GAO recommends that OMB provide specific examples of known privacy risks to help agencies develop appropriate AI policies. Second, GAO recommends expanding information sharing or issuing governmentwide guidance to address the identified privacy risks not fully covered in the current guidance. 


GSA Highlights Expansion of Governmentwide Printer BPA 

GSA published a blog outlining plans to expand use of its Governmentwide Printer Blanket Purchase Agreement (BPA). The blog highlights the BPA as a pre-competed solution designed to streamline printer procurement while maintaining compliance with federal requirements, including the Trade Agreements Act (TAA). GSA notes that the BPA reduces procurement lead times, eliminates the need for brand-name justifications, and provides access to vetted offerings and consistent pricing. 

According to GSA, use of the BPA also supports implementation of Executive Order 14240, Eliminating Waste and Saving Taxpayer Dollars by Consolidating Procurement, which directs agencies to use GSA-managed contracts for common goods and services. The BPA is available for use across federal, state, local, and tribal entities.

GSA will host a virtual training session on the Governmentwide Printer BPA and other end-user device BPAs on May 5 at 12:00 PM (ET). Attendees will earn one Continuous Learning Point. 


Pentagon Plan to Transform Technology and Cybersecurity

According to MeriTalk, the Department of War (DoW) has a four-part plan to modernize the Pentagon’s IT environment. During a recent House Armed Services subcommittee hearing, DoW Chief Information Officer Kristen Davies discussed the plan, which focuses on modernizing the network backbone, replacing legacy IT systems, strengthening cybersecurity, and expanding the workforce.

According to Davies, the Pentagon plans to expand, modernize, and harden its network infrastructure, including increasing use of commercial cloud providers to improve resiliency. DoW also aims to transition legacy IT systems to more agile delivery models aligned with industry practices, while improving interoperability and data management. 

On cybersecurity, DoW plans to shift from a compliance-based approach to a risk-based model, supported by automation, continuous monitoring, and zero trust principles. Finally, the plan includes efforts to expand recruitment and training of cyber professionals to support ongoing modernization efforts. 


Coast Guard Advances AI-Enabled ‘Acquisition Superhighway’

Washington Technology reports that the U.S. Coast Guard is preparing a $5 to $10 million Blanket Purchase Agreement (BPA), the “Acquisition Superhighway.” The Acquisition Superhighway initiative aims to streamline procurement by automating workflows, supporting acquisition program management, improving knowledge sharing, and enhancing business intelligence. It will also integrate with existing Department of Homeland Security (DHS) procurement platforms. 

Although relatively small in value, the initiative could influence future contracting opportunities, as the Coast Guard manages roughly $3 to $3.6 billion in annual procurement spending. The Coast Guard expects to release a final solicitation in the second quarter of the year, with the BPA running through April 30, 2028, according to a notice posted Monday in the DHS Acquisition Planning Forecast System. 


Legal Corner: Executive Order Targets DEI… Again

The Legal Corner provides the procurement community with an opportunity to share insights and comments on Legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Common Sense in Government Procurement.

Alejandra Montenegro Almonte, Connor W. Farrell, Scott N. Flesch, Nate Lankford, Katherine E. Pappas, Ashley Powers, Alejandro (Alex) L. Sarria, Jason N. Workmaster; Miller & Chevalier

On March 26, 2026, President Trump issued a new diversity, equity, and inclusion (DEI)-related executive order (E.O.) titled, “Addressing DEI Discrimination by Federal Contractors.” This E.O. follows – and is in addition to – the administration’s prior efforts in E.O. 14151, “Ending Radical and Wasteful Government DEI Programs and Preferencing,” and E.O. 14173, “Ending Illegal Discrimination and Restoring Merit-Based Opportunity,” to address what it referred to as “illegal DEI” (previously discussed here). So, in addition to continuing to monitor the certification and related requirements called for in those earlier E.O.s, contractors and subcontractors will now need to be prepared to (1) address – potentially in very short order – a new contract provision aimed at what the E.O. broadly defines as “racially discriminatory DEI activities” in a way that does not clearly align with existing anti-discrimination law, and which also imposes new audit and reporting requirements, and (2) further take into account the enforcement risks associated with the administration’s view of what constitutes such activities.

Broad Definition of “Racially Discriminatory DEI Activities”

Unlike the prior DEI-related E.O.s which did not provide a definition of “illegal DEI,” leading to the issuance of further Department of Justice (DOJ) guidance on that subject (previously discussed here), this order defines “racially discriminatory DEI activities” and does so quite broadly.1 Specifically, the E.O. defines “racially discriminatory DEI activities” as “disparate treatment based on race or ethnicity in the recruitment, employment (e.g., hiring, promotions), contracting (e.g., vendor agreements), program participation, or allocation or deployment of an entity’s resources.” And it defines “program participation” as “membership or participation in, or access or admission to: training, mentoring, or leadership development programs; educational opportunities; clubs; associations; or similar opportunities that are sponsored or established by the contractor or subcontractor.” 

The reference to “allocation or deployment of an entity’s resources” in the definition of “racially discriminatory DEI activities,” and the inclusion of mentoring, leadership development, and training programs within “program participation,” suggest that many corporate programs could be subject to scrutiny by the administration – even though they are not labeled as DEI and even though the E.O. does not identify any pre-existing legal authority that would necessarily render them illegal. Consequently, the contract clause – once included in a contract – could arguably impose a contractual obligation that is broader than compliance with underlying, applicable anti-discrimination laws. By including “contracting (e.g., vendor agreements)” in the definition of “racially discriminatory DEI activities,” the E.O. also could be read to reach state and local requirements for diversity in contracting/subcontracting, thus potentially creating a conflict between state and local laws, on one hand, and the new contract clause, on the other, that contractors will need to carefully assess.

New Contract Clause 

The new E.O. directs all executive departments and agencies, as well as independent establishments (collectively, agencies), “to the extent permitted by law,” to include in all contracts and contract-like instruments (at the prime and subcontract levels) a new contract clause, set forth in full text in the E.O. as follows:

In connection with the performance of work under this contract, [the contractor/appropriate party (contractor)] agrees as follows:

  1. The contractor will not engage in any racially discriminatory DEI activities, as defined in section 2 of the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors);
  2. The contractor will furnish all information and reports, including providing access to books, records, and accounts, as required by the contracting agency pursuant to the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors), for purposes of ascertaining compliance with this clause;
  3. In the event of the contractor’s or a subcontractor’s noncompliance with this clause, this contract may be canceled, terminated, or suspended in whole or in part, and the contractor or subcontractor may be declared ineligible for further Government contracts;
  4. The contractor will report any subcontractor’s known or reasonably knowable conduct that may violate this clause to the contracting department or agency and take any appropriate remedial actions directed by the contracting department or agency;
  5. The contractor will inform the contracting department or agency if a subcontractor sues the contractor and the suit puts at issue, in any way, the validity of this clause; and
  6. The contractor recognizes that compliance with the requirements of this clause are material to the Government’s payment decisions for purposes of section 3729(b)(4) of title 31, United States Code (False Claims Act).

The E.O. directs that agencies ensure inclusion of this clause within 30 days of the date of the order (i.e., April 25, 2026). It is unclear, though, whether the direction to include this new contract clause applies only prospectively to new contracts and contract-like instruments, or whether it also applies to existing ones.2 It is also unclear whether the president has the authority to direct inclusion of specific clause text when that text has not been subject to publication in the Federal Register and the notice-and-comment process, and the E.O.’s limitation of its implementation “to the extent permitted by law” suggests the administration itself recognizes that it may be challenged on this basis.3 Moreover, because the E.O. could be interpreted as a labor and employment regulation (as opposed to a procurement regulation), it could potentially face challenges based on an argument that it is outside the scope of the president’s direct regulatory power under the Federal Property and Administrative Services Act (FPASA).4

Despite this uncertainty, however, contractors should be prepared to see the new clause included in solicitations going forward, as well as efforts by agencies to include it in existing contracts. In addition to prohibiting contractors from engaging in “racially discriminatory DEI activities” as that term is defined in the E.O., the new clause facilitates government investigations by: 

  • Providing contracting agencies with broad audit rights, requiring contractors to “furnish all information and reports, including providing access to books, records, and accounts, as required… for purposes of ascertaining compliance” with the clause. 
  • Requiring contractors to “report any subcontractor’s known or reasonably knowable conduct that may violate this clause.” Presumably, however, this requirement should be read in light of applicable False Claims Act (FCA) precedent, which provides that a prime contractor is entitled to reasonably rely upon the certifications of its subcontractors – unless it has reason to doubt the accuracy of those certifications. See United States ex rel. Folliard v. Gov’t Acquisitions, Inc., 764 F.3d 19, 29-31 (D.C. Cir. 2014). 

Enforcement Risks

The order makes clear that the administration contemplates using several different enforcement mechanisms with respect to the new clause, including:

  • Contract-level remedies: Agencies are authorized to cancel, terminate, or suspend contracts (in whole or in part) for contractor or subcontractor non-compliance.
  • Suspension and debarment: Agencies are directed to take appropriate action to suspend and debar non-compliant contractors and subcontractors.
  • Civil FCA exposure: The E.O. reinforces consistent themes in prior E.O.s and agency communications, stating that the administration will consider non-compliance with the new clause to constitute the basis for an FCA violation. In this regard, the clause expressly states that compliance is “material” to the government’s payment decisions under the FCA.5 Moreover, the order provides: “DEI activities impose artificial costs in hiring, promotion, and operations… [and] create unnecessary costs by reducing the pool of available labor by artificially limiting companies to hiring or promoting certain individuals, suppliers, or intermediaries based on their race or ethnicity. These costs are inevitably passed on to the Federal Government when it contracts with companies who engage in racially discriminatory DEI activities, or who use subcontractors who do so.” In addition, the E.O. directs the Attorney General (AG) to consider bringing FCA actions against violators and to ensure prompt review of qui tam actions brought by private relators, including rendering a decision on intervention within the 60-day seal period to the maximum extent practicable. 
  • Sector-specific targeting: The Office of Management and Budget (OMB), in coordination with the AG, the Domestic Policy Council, and the Equal Employment Opportunity Commission (EEOC) Chair, is directed to identify economic sectors that pose a particular risk of engaging in racially discriminatory DEI activities and issue additional compliance guidance for those sectors.

Conclusion

The administration’s ongoing focus on DEI-related issues requires continued vigilance by contractors to understand the legal and enforcement risks in question. In particular, it is advisable for contractors to assess their existing practices in light of the E.O.’s definition of “racially discriminatory DEI activities,” given the lack of clarity as to whether that definition is co-extensive with existing anti-discrimination laws. After having made such an assessment, contractors can then assess their enforcement risk, plan accordingly in light of that assessment, and be prepared to defend the rationale for activities that may come under scrutiny.


Healthcare Spotlight: Coalition Recommendations for the VA FSS

The Coalition has submitted a list of Recommendations to Improve the Efficiency and Effectiveness of the Department of Veterans Affairs (VA) Federal Supply Schedule (FSS) Program to the VA.  

We believe that the adoption of these recommendations will increase the availability of innovative healthcare products and services through the VA FSS for veterans. It will also lead to increased efficiency in delivering products and services to veterans and reduce the cost of contracting for the government and industry.  

The recommendations focus on three key areas: 1) increasing communications between the VA and its suppliers, 2) streamlining audits and 3) increasing efficiencies in contract administration.  

VA FSS Recommendations are posted on the Coalition’s website here.  

We sincerely appreciate the VA FSS program for their consideration of these recommendations and thank the VA FSS Working Group members for their input. 


Legal Corner: Has GSA Adopted DOD’s CMMC Requirements?

The Legal Corner provides the procurement community with an opportunity to share insights and comments on Legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Common Sense in Government Procurement.

Authored by Reggie Jones & Nick Feldstern; Fox Rothschild LLP

If your organization handles Controlled Unclassified Information (CUI) for the federal government, take note: the U.S. General Services Administration (GSA) has just raised the bar on compliance. On January 5, 2026, GSA published new requirements for contractors and other nonfederal entities that work with CUI, and unlike the Department of Defense’s (DOD) phased rollout of its Cybersecurity Maturity Model Certification (CMMC) program, GSA isn’t waiting around. These requirements are effective immediately and mirror the FAR’s proposed, but not final, CUI rule published in January 2025.

In an unusual move, GSA issued its IT Security Procedural Guide, entitled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112 Rev. 1” (the Guide), without a press release or other agency communication and without an opportunity for industry comment, which typically accompanies impactful agency rulemaking and guidance. And the Guide will make a huge impact once its requirements are included as a contractual requirement.  Contractors wishing to remain eligible for GSA contracts must:

  • Comply with all of the security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 3 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” select enhanced controls from NIST SP 800-172, Rev. 3 (draft), “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” and select privacy controls from NIST SP 800-53 Rev. 5, “Security and Privacy Controls for Information Systems and Organizations”;
  • Engage in a five-step approval process, including third-party assessment and continued compliance monitoring; and
  • Comply with a strict one-hour cyber incident reporting requirement.

Although styled as internal agency guidance, the Guide signals the standards GSA intends to enforce going forward. Notably, however, the Guide is silent on how these requirements will be incorporated into solicitations and contracts, leaving contractors with clarity on what will be expected of them but uncertainty as to how and when those expectations will be formally imposed.

Below, we break down the key elements of the Guide and highlight what organizations holding or pursuing GSA contracts—including those on GSA’s governmentwide Multiple Award Schedule (MAS)—need to know.

Federal Cybersecurity and the Standardization of CUI Compliance

In 2010, Executive Order 13556, titled “Controlled Unclassified Information,” established an open and unified program for managing information that, while unclassified, requires safeguarding or dissemination controls. The CUI program, implemented through 32 CFR § 2002, includes rules, organization, and procedures for federal and nonfederal entities that process, store, or transmit CUI. However, in practice, different agencies implemented the program and associated requirements haphazardly, leading to confusion among contractors and contracting personnel alike.

In the late 2010s, policymakers and industry began pushing for more consistency. At the forefront was DOD’s CMMC program, which was first announced in 2019, later finalized in 2024, and became formally effective in November 2025.

In short, the CMMC requires contractors to meet certain security requirement thresholds depending on the type of federal information that they will handle during contract performance. For contracts that involve handling CUI, contractors must implement security controls derived from NIST SP 800-171 Rev. 2 and, in the case of highly sensitive CUI, from NIST SP 800-172 Rev. 2. Compliance with the CMMC is a prerequisite for contract award for any defense contract that involves processing, storing, or transmitting Federal Contract Information (FCI) or CUI. Pursuant to the CMMC program, DOD solicitations will explicitly inform contractors what CMMC level is required for eligibility.

The CMMC emerged, in part, from growing concerns that allowing contractors to self-certify their cybersecurity compliance could result in false or inaccurate attestations and heightened security vulnerabilities. Accordingly, a key characteristic of the CMMC program, which differentiated it from other existing agency CUI programs, is the requirement of a compliance assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). (For a more in-depth dive into the CMMC see “Final CMMC Rule Effective Nov 10, 2025: What Federal Contractors Need to Know”).

While DOD’s CMMC program attracted the most attention, other civilian agencies have also been advancing CUI program reforms. The Federal Acquisition Regulation (FAR) Council issued a proposed rule to amend the FAR in January 2025, which has yet to become final, to incorporate CUI-related requirements across federal contracting. The Guide contains similar requirements to those contemplated by the FAR proposed rule. The Guide also shares several key characteristics with the CMMC, but diverges in important ways.

GSA’s Guide

Under the new guidance, contractors must comply with NIST security controls for all contractor information systems that process, store, or transmit CUI, and will need both a third-party assessment and approval by GSA’s Office of the Chief Information Security Officer (OCISO) in order to remain eligible for GSA contracts. Unlike the CMMC, which is currently undergoing a four-year phased rollout to allow defense contractors time to achieve compliance, this GSA framework provides no transition period, which means implementation can begin immediately.

However, also unlike the CMMC, GSA will approve non-compliant systems so long as specific “showstopper” controls are implemented, including multi-factor authentication, vulnerability monitoring and scanning, secure remote access controls, implementation of cryptographic protection, and replacement of unsupported components. Contractors that meet these “showstopper” controls but lack other controls will be required to develop a Plan of Actions and Milestones (POA&M), which identifies deficiencies and establishes a timeline for full compliance.

Five-Phase Process for Protecting CUI

The Guide is structured around NIST’s Risk Management Framework, which consists of five phases, each broken down into multiple subphases.

Phase 1: Prepare – Contractors must first determine the types of information stored, processed, or transmitted by their information systems using the Federal Information Processing Standard (FIPS) 199 security categorization template. During this subphase, contractors will collaborate with the GSA Information System Security Officer (ISSO), Information System Security Manager (ISSM) and the CISO to confirm this determination. After an initial kickoff meeting with GSA to discuss the CUI approval process, the contractor must submit details on its solution architecture and security capabilities to GSA for evaluation.

Phase 2: Document – Contractors next must prepare and submit several key deliverables: a System Security and Privacy Plan (SSPP), Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA), Architecture Review Checklist, and Supply Chain Risk Management Plan. Importantly, contractors should be aware that security plans developed for other federal programs, such as CMMC or the Federal Risk Authorization and Management Program (FedRAMP), generally cannot be repurposed to satisfy this requirement due to GSA-specific criteria. All materials must be reviewed and approved by GSA before contractors can move forward. Phases 1 and 2 most closely align with the “scoping” phase of the CMMC.

Phase 3: Assess – The third phase requires contractors to engage a third-party independent assessor, either a FedRAMP Third Party Assessment Organization (3PAO) or GSA‑approved independent assessor, to test their systems using a plan agreed to in advance by GSA. POA&Ms are also required at this stage.

Phase 4: Authorize – GSA will conduct a multi-level review of the contractor’s approval package and then prepare a Memorandum for Record evaluating whether the contractor’s systems are sufficiently secure to handle CUI.

Phase 5: Monitor – Once approved, contractors must continuously monitor their information systems and prepare quarterly deliverables (vulnerability scanning reports, POA&M updates, and shared drive access review) and annual deliverables (updated SSPPs, PTAs, and PIAs). Additionally, contractors must undergo a third-party assessment every three years and immediately report any major system changes to GSA.

One-Hour Incident Reporting

Beyond the five-phase CUI framework, the Guide imposes a stringent incident reporting requirement. Contractors must report both suspected and confirmed CUI incidents within one hour of discovery. Those who fail to meet this deadline face “escalation,” though the Guide leaves this term undefined, offering little clarity on the consequences.

This is a much shorter reporting window than the CMMC’s 72-hour window or the 8-hour window in the FAR CUI proposed rule. The tight reporting window raises practical concerns, as it leaves minimal time for contractors to conduct meaningful preliminary investigations. As a result, initial reports may be incomplete, forcing contractors to submit additional reports and potentially undermining the speed and effectiveness of their incident response efforts.

Contractor Takeaways

  • GSA’s CUI framework is effective immediately, although it is not clear whether or how it will be incorporated into existing and new GSA contracts and leases. While the Guide may not provide all the answers, it suggests GSA contracting officers can begin enforcing the cybersecurity requirements on new contracts involving CUI. The more stringent requirements will have far-reaching impacts on any contractors holding or seeking any of the vast array of GSA contracts, including GSA’s many governmentwide acquisition contracts.
  • Contractors that hold or plan to pursue GSA contracts should immediately assess their CUI infrastructure under the new requirements, specifically the NIST SP 800-171 Rev. 3 and select NIST SP 800-172 Rev. 3 security controls. At the very least, contractors should ensure compliance with the more limited “showstopper” controls.
  • Prepare materials and get in line for a third-party assessment. Given the limited number of 3PAOs, contractors would be wise to open a dialogue and schedule an assessment. Considering the policy shift away from self-assessment and toward third-party assessment, contractors should expect other agencies to adopt similar requirements in the near future.
  • The careful reader will notice the Guide requires Revision 3 of both NIST SP 800-171 and -172, whereas the CMMC only requires Revision 2. This is significant, as Revision 3 reorganizes and consolidates several of the 110 security controls and places a greater emphasis on supply chain risk management, continuous monitoring, and stronger authentication. While Revision 3 is not a radical departure from its predecessor, contractors already familiar with Revision 2, such as defense contractors, must be aware of the differences.
  • Although the Guide does not explicitly address subcontractor flow-down requirements, contractors should consider broader trends in CUI protection, which typically require prime contractors to ensure subcontractors employ similar CUI safeguards. Given this landscape, GSA contractors are well-advised to proactively ensure their subcontractors adhere to general CUI safeguarding practices, even absent express guidance to do so.
  • Given the limited pool of trained and approved independent assessors, contractors should anticipate some delays in scheduling assessments. Early engagement with legal counsel experienced in federal cybersecurity and procurement requirements can be invaluable for navigating these obligations, evaluating risk, and developing a sound compliance strategy.

Cyber Update, April 8

The Coalition’s Cyber & Supply Chain Security Committee will host a meeting on the latest updates on federal cybersecurity policy developments and what they mean for contractors. Our guest speakers will be committee co-chairs Townsend Bourne, Partner at Sheppard Mullin, and Michael Gruden, Partner at Crowell & Moring. The meeting will be held virtually on April 8 at 12:00 PM (ET). 

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.  

Note: This is a members-only event. If you see a message that says “Registration Not Available” below, please log in using your member account. 


Meeting on MSPV Product Addition Recommendations, April 13

The Coalition’s Medical Surgical Equipment Committee will be hosting a meeting to discuss the MSPV Product Addition Recommendations. The meeting will be held virtually on April 13, at 12:00 PM (ET). 

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org. If you have any additional topics or questions you would like addressed at the meeting, please email Joseph Snyderwine at JSnyderwine@thecgp.org.

Note: This is a members-only event. If you see a message that says “Registration Not Available” below, please log in using your member account. 


Update from GSA’s Office of Professional Services & Human Capital Categories, April 14

The IT/Services Committee will host an update from GSA’s Office of Professional Services & Human Capital Categories (PSHC) on April 14 at 10:00 AM (ET), featuring Sheri Meadema, PSHC Assistant Commissioner, and Adam Soderholm, Director of the Center for Professional Services. During the discussion, Sheri and Adam will provide an overview of the office’s latest priorities and initiatives, as well as insights into ongoing efforts affecting the Professional Services and Human Capital Categories and the broader federal acquisition landscape.

The meeting will take place at GDIT, 3150 Fairview Park Drive, Falls Church, VA. Virtual attendance will also be available.

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org. If you have any additional topics or questions you would like addressed at the meeting, please email Joseph Snyderwine at JSnyderwine@thecgp.org.

Note: This is a members-only event. If you see a message that says “Registration Not Available” below, please log in using your member account. 


Webinar – Future-Proofing Your Contracts: Legal Compliance Updates for Government Contractors, April 23 

The Coalition is pleased to host a webinar featuring Nichole Atallah, Partner at PilieroMazza, to discuss legal updates impacting government contracts. The webinar will be held on April 23 at 12:00 PM (ET).

Panelists will review recent legal developments, discuss notable regulations, and provide best practices for positioning your business amidst the change. 

Topics include: 

  • New SBA rule changes 
  • Cases impacting mentor-protégé and joint venture arrangements 
  • Refresher on the nonmanufacturer rule (NMR) 
  • Recent GAO protest ruling involving a reseller and the Trade Agreements Act (TAA) 
  • Corporate Transparency Act (CTA) compliance 
  • Updates on CMMC 2.0 implementation 
  • National security memo on Artificial Intelligence (AI) 

Join us for an informative discussion designed to keep you ahead of the latest legal and regulatory changes affecting the government contracting community. 

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org


Webinar – Using JVs to Win Work with GSA and Beyond, April 30 

The Coalition is pleased to host a webinar with Meghan Leemon, Partner at PilieroMazza, for a practical and informative discussion to help you structure and use joint ventures to expand your federal contracting opportunities. The webinar will be held on April 30 at 12:00 PM (ET).

Joint ventures are an excellent tool to win work, including with GSA. However, JVs must be structured properly to avoid significant risks that can arise in protests or in disputes between JV partners. Using JVs for GSA Schedules requires a unique approach. This panel discussion will cover how you can structure and use JVs to win work and grow, with GSA schedules and beyond.

Topics include: 

  • Tips for how to form and best utilize JVs 
  • Using JVs to pursue work through GSA schedules 
  • Latest developments with JV regulations and case law 

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org


GSA & VA Schedule Contracting Training for In-House Counsel, May 12 

The Coalition for Government Procurement is proud to once again host its “must attend” General Services Administration (GSA) and Veterans Affairs (VA) Schedule Contracting Training for In-House Counsel on May 12! This course is designed for lawyers and contract managers at member companies with significant contract management and compliance responsibilities with GSA and/or VA Schedule contracts.  
 
Our presenters for the day will be Robert Burton, Partner, Crowell & Moring; Ken Dodds, Executive Vice President & General Counsel, The Coalition for Common Sense in Government Procurement; and Jason Workmaster, Member, Miller & Chevalier Chartered.

During the training, Robert, Ken, and Jason will cover the following topics and more: 

  • Pricing – Transactional Data Reporting (TDR)/Commercial Sales Practices (CSP); 
  • Domestic Preferences; 
  • Supply Chain; 
  • Enforcement/Mandatory Disclosure/Ethics; 
  • Sustainability Requirements/Policy; and 
  • Bid Protests Update. 

Reasons to Attend: 

After successfully completing this course, you will receive 6 CLE credits, while also gaining an understanding of: 

  • GSA/VA’s most favored customer pricing policy and major requirements of the government solicitation; 
  • Current audit/oversight procedures; 
  • Current GSA Schedule Price Negotiation Priorities; and 
  • How the GSA Schedule can impact your company’s bottom line. 

Plus, you will be able to advise your in-house clients regarding topics such as: 

  • Disclosure of company records; 
  • Establishing management and compliance processes; 
  • Establishing ethics programs and mandatory disclosure; 
  • Avoiding penalties; and 
  • Identifying resources to assist with continuing legal support of your internal GSA/VA Schedule programs. 

Who Should Attend: 

This training course is excellent for: 

  • In-house counsel for current GSA/VA Schedule contractors and/or companies considering becoming a GSA/VA Schedule contractor; 
  • Government attorneys that advise clients with GSA/VA Schedule contracts; 
  • Contract Managers with MAS experience; and 
  • Compliance Personnel. 

The training will be held at GDIT, Falls Church, VA, Time: 9:30 AM – 3:30 PM (ET). Virtual attendance is also offered for the course. We look forward to your participation! 

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org


VA MSPV PPE Industry Day, May 12

The Department of Veterans Affairs (VA) announced its PPE Industry Day on May 12 in conjunction with the Coalition’s Spring Training Conference. The in-person Industry Day will be held at the Fairview Park Marriott in Falls Church, VA and begins at 8:00 AM (ET). More details on the agenda can be found below. 

This event is intended to bring together suppliers, manufacturers, and industry stakeholders involved in the production and distribution of Personal Protective Equipment (PPE) to support the VA’s Medical/Surgical Prime Vendor Program. 

Personal protective equipment, as applied to this Industry Day announcement, means surgical masks, N95 masks, respirator non-surgical masks and powered air purifying respirators and required filters, face shields and protective eyewear, disposable and reusable surgical and isolation gowns, head and foot coverings, and other gear or clothing used to protect an individual from the transmission of disease, excluding gloves.

MSPV PPE Industry Day Agenda: 

  • Welcome and Introduction 
  • VA’s MSPV PPE Procurement Needs and Processes 
  • Q&A Session 
  • Supplier Presentations and Innovations in PPE (individual times will be on a signup sheet in the future) 

Please register for the MSPV PPE Industry Day event April 7 at 12:30 PM (ET) by contacting Matthew McDonell (Matthew.McDonell@va.gov) and Sarah Scott (Sarah.Scott1@va.gov). 

If you have any questions for the Coalition regarding the Industry Day, please contact Joseph Snyderwine at JSnyderwine@thecgp.org

Please note that registration for the Spring Training Conference (May 13-14) and Industry Day (May 12) is separate. For more information on the Spring Training Conference and to register, click here.
