Friday Flash 04/10/2026

April 9, 2026

FAR & Beyond: The RFO Highlights the Need for Evergreen Contracting

A highlight of the Revolutionary Federal Acquisition Regulation (FAR) Overhaul (RFO) is the revised competitive ordering procedures under the Federal Supply Schedule (FSS) program. The RFO, consistent with the General Service Administration’s (GSA’s) exclusive statutory authority for the FSS program, transferred the ordering procedures from FAR 8.4 to General Services Acquisition Regulation (GSAR) Subpart 538.7100. The revised FSS ordering procedures are now written in plain, clear, and concise language. The overly complex ordering guidance, especially for Blanket Purchase Agreements (BPA), has been eliminated while, at the same time, the RFO clarifies the underlying statutory competition requirements for FSS task and delivery orders. The RFO also eliminated redundant portions of FAR 8.4 already addressed in FSS contract clauses, reducing the word count from 9,449 in the old FAR 8.4 to 2,363 in GSAR 538.7100. The overhaul of the FSS ordering procedures will enhance competition, promote innovation, and drive best value commercial solutions to meet customer agency needs.

The RFO Effectively Limits FSS Contract Length

An unintended consequence of the new ordering procedures is a significant limitation on the effective length of FSS contract terms. What were 20-year contracts under the old FAR are de facto 10-year contracts under the new GSAR. To provide greater flexibility in structuring BPAs, GSAR 538.7104-1(a) authorizes customer agencies to establish the ordering period for the BPA. The GSAR removed the old FAR 8.4’s five-year limitation on the duration for BPA ordering periods. Embracing this new flexibility, customer agencies, to reduce administrative burdens and leverage competition, are now seeking BPAs with 10-year ordering periods. However, GSAR 538.7104-1(b) provides that, “FSS BPAs may be established with an ordering period that extends beyond the current term of a contractor’s FSS contract, so long as there are option periods in the contractor’s FSS contact that. . . . will cover the BPA ordering period, including options and award terms.” Thus, under the new GSAR, any contractor with less than 10 years left on their FSS contract would have to submit new offer and be awarded a new “20-year” FSS contract to be able to compete for any 10-year BPA. The practical impact is to convert “20-year” FSS contracts into “10-year” FSS contracts.

The effect of this “contractual gap” will be to limit competition under the FSS program, by unduly restricting the pool of FSS contractors who can compete for longer term BPAs. Just as significantly, GSA and its FSS contractors will see a substantial increase in workload as current contractors with less than 10 years left on their contracts will submit new contract offers to become eligible for longer term BPAs. Doing the math, the number of new offers for FSS contracts could more than double as FSS contract terms are de facto reduced to 10 years from the original 20-year term agreed to at the time of award. In other words, FSS contractors will have to submit new offers every nine years.

Evergreen Contracts Are A Timely and Revolutionary Solution

Consistent with the RFO, Evergreen contracts would reduce administrative costs, streamline operations, and enhance competition for GSA, customer agencies, and FSS contractors. As explained in the May 9, 2025, FAR & Beyond blog, Evergreen contracts are not restrictive on time or term. Rather, Evergreen contracts eliminate the 20-year term by allowing FSS contracts to remain in place with no time limit, subject to continuous five-year option periods. Evergreen contracting will save GSA, customer agencies, and industry time and money. It will eliminate the timely, costly, and redundant exercise of submitting, evaluating, negotiating, and awarding new FSS contracts. Under Evergreen, GSA and its FSS contractors can more effectively focus on the ongoing management of existing contracts to the benefit of customer agencies and the taxpayer. And, of course, Evergreen contracting will empower FSS contractors to consistently compete for the newly authorized long-term BPAs. To that end, Evergreen is a pro competition mechanism for the FSS program that is consistent with the RFO.

The growth in the use of BPAs has been a remarkable success story for the FSS program. As shown in the table below, over the last five years, FSS BPAs have accounted for over 50 percent of the dollar volume of FSS sales:

Year	BPA Obligations	% of FSS
2021	$19,958,413,064.67	50.33%
2022	$21,226,410,338.05	53.02%
2023	$25,152,838,687.86	52.24%
2024	$27,317,655,856.62	52.72%
2025	$23,368,983,225.12	45.87%

Customer agencies utilize FSS BPAs to leverage requirements, streamline ordering, and enhance competition. Evergreen contracting, in combination with the RFO, will unleash even greater savings for customer agencies and the American people.

Building on the promise of the RFO, it is time for Evergreen contracting!

Deputy Administrator to Open Spring Training Conference with Keynote Fireside Chat

The full agendas for the Coalition’s 2026 Spring Training Conference are now available. Taking place May 13–14 in Falls Church, VA, the conference will bring together government and industry leaders to discuss current priorities across the federal market, including GSA initiatives, acquisition trends, and developments in the healthcare sector. View the latest versions of the agenda below!

Day One: The New GSA for the Revolutionary Federal Market

The Governmentwide Day on May 13 will focus on how the General Services Administration (GSA) is positioning itself to support the federal mission. Sessions will explore how GSA is adapting its approach to acquisition, enhancing coordination across government, and strengthening its role as a central partner in delivering mission outcomes.

*All speakers are invited unless otherwise noted as confirmed.*

Agenda Highlights

Keynote Fireside Chat with GSA Deputy Administrator Lynch

We are honored to kick off the conference with a Keynote Fireside Chat with GSA Deputy Administrator Michael Lynch on GSA’s role in supporting the federal marketplace and advancing the Administration’s acquisition priorities.

“Nuts & Bolts” Breakout Sessions on FAS

Based on strong interest in the “Nuts & Bolts” sessions focused on GSA’s new Federal Acquisition Service (FAS) organizations, we are pleased to offer two breakout time slots to allow members the opportunity to attend more than one session. These sessions will feature GSA leadership from five key FAS organizations: CENTRALIZE, CREATE, ASSIST, DELIVER, and OPTIMIZE. They will provide a clear, practical understanding of each organization’s mission, structure, and role in supporting agency acquisition needs.

Federal Acquisition Service (FAS) Update

We have invited Laura Stanton, Federal Acquisition Service (FAS) Deputy Commissioner, to provide an update on FAS, including key priorities, initiatives, operational developments.

Luncheon Keynote: Budget & Legislative Updates

Moshe Schwartz, Coalition Defense Fellow and President of Etherton & Associates, will provide an overview of the federal budget and legislative landscape, including key developments on acquisition policy and program funding.

The Revolutionary FAR Overhaul Practitioners Panel

GSA leaders Jeff Koses, Larry Allen, and Polly Hall are invited to discuss the ongoing Revolutionary FAR Overhaul (RFO), including its objectives, current efforts, and how these reforms are expected to impact acquisition policy, processes, and outcomes across government.

View the full Day One agenda here.

Day Two: The Evolving Federal Healthcare Market

The theme for the Healthcare Day on May 14 is the Evolving Federal Healthcare Market. The conference will bring together leaders from across government to discuss acquisition priorities, supply chain challenges, and key program developments. Sessions will highlight how agencies are adapting to meet mission needs, strengthening healthcare delivery, and partnering with industry to support critical requirements.

All speakers are invited unless otherwise noted as confirmed.

Agenda Highlights

Morning Keynote Address: Healthcare Budget & Legislative Updates

We are pleased to welcome Moshe Schwartz, Coalition Defense Fellow and President of Etherton & Associates, to provide a Keynote Address on the federal healthcare budget and legislative landscape.

Lunch Keynote Address: The National Security Strategy for Medical

Wayland Coker, Acting Deputy Director and Supply Chain Optimization Director at the Administration for Strategic Preparedness and Response (ASPR), will discuss the national security strategy for medical supply chains, especially medicines, devices and other critical medical supplies.

VA Leadership Panel

Senior acquisition leaders from the Department of Veterans Affairs (VA) will provide updates on the VA’s acquisition priorities, organizational changes, and strategic initiatives. This panel will offer valuable insight into how VA is organizing its acquisition enterprise to support veteran care.

Healthcare Customer Agency Panel

Leaders from key healthcare agencies, including the Department of Health and Human Services (HHS), VA, Indian Health Service (IHS), and Defense Logistics Agency (DLA), will discuss their missions, challenges, and acquisition priorities, as well as ways for industry to support their evolving requirements across the federal healthcare system.

View the full Day Two agenda here.

To register for the Spring Training Conference, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Time is Running Out – Join the Sponsor Lineup for Spring Training Conference!

Sponsorship packages are still available for the Spring Training Conference!

Sponsoring the conference provides a unique opportunity to showcase your organization to federal procurement leaders and key industry stakeholders. With attendees from across government and industry, sponsors gain valuable visibility and direct engagement with the decision-makers shaping today’s federal marketplace.

From event promotions and on-site recognition to networking opportunities with senior acquisition leaders, sponsorship helps position your organization at the center of the federal procurement community. Join leading organizations across the federal procurement community as sponsors of this premier event!

Availability is limited and offered on a first-come, first-served basis.

View the opportunities here and secure your sponsorship today! If you have any questions, or are ready to secure your sponsorship, please contact Heather Tarpley at htarpley@thecgp.org.

Thank You to Our Current Spring Training Conference Sponsors!

GSA Highlights Administrator Forst’s Milestones in First 100 Days

The General Services Administration (GSA) recently published a blog post highlighting Administrator Edward C. Forst’s key accomplishments and initiatives during his first 100 days in the position.

GSA recently published a blog post highlighting key accomplishments and initiatives during this period.

In acquisition, GSA highlighted full implementation of Transactional Data Reporting (TDR), continued progress on the Revolutionary Federal Acquisition Regulation (FAR) Overhaul (RFO), and ongoing development of governmentwide acquisition solutions, including the OneGov initiatives and the Alliant 3 Governmentwide Acquisition Contract (GWAC).

On the technology front, GSA pointed to expansion of FedRAMP authorizations, growth of the USAi platform, and increased adoption of Login.gov across federal agencies.

In real estate, GSA cited accelerated property disposals, major project milestones, and cost savings tied to facility optimization and construction efforts.

GSA also noted the launch of “Project 410,” an initiative focused on promoting speed, agility, and innovation across the agency. According to GSA, these efforts are intended to improve efficiency, reduce costs, and enhance service delivery to agency customers and the American taxpayer.

MAS Refresh 31 is Live

GSA has released Solicitation Refresh 31 for the Multiple Award Schedule (MAS), introducing several updates impacting contractors across the program. Most notably, the refresh expands Transactional Data Reporting (TDR) to all Special Item Numbers (SINs).

With this change, TDR will become mandatory across the MAS program, representing a significant development in pricing transparency and data reporting requirements.

View the SAM notice here.

OMB Issues New Requirements to Track Federal IT Spending

The Office of Management and Budget (OMB) has issued new guidance directing federal agency chief information officers (CIOs) to submit monthly reports on information technology (IT) contracts to help build a centralized view of government technology spending.

The memo, signed by OMB Director Russ Vought, requires CIOs at major agencies to report all approved IT and IT services contracts from May through October, including certain delegate-approved agreements supporting public-facing digital services. The Department of War, national security systems, and smaller agencies are exempt.

The initiative is intended to strengthen implementation of the Federal Information Technology Acquisition Reform Act (FITARA) and reinforce the role of CIOs in IT budgeting and policy decisions. OMB is also directing agencies to collect and share vendor data on pricing and usage with OMB and GSA to improve transparency, reduce duplication, and support more consistent and efficient procurement.

Administration to Expand TMF

FedScoop reports that the Administration is seeking to expand the Technology Modernization Fund (TMF) as a key tool for helping federal agencies modernize critical systems and improve public services. The Administration’s fiscal year (FY) 2027 budget proposal includes a provision that would allow the TMF to accept unobligated balances of expired discretionary funds to support modernization efforts. GSA indicated this approach is intended to provide an alternative funding path as the program has faced challenges securing new appropriations.

According to GSA, the TMF supports high-priority technology initiatives, including system modernization, artificial intelligence (AI) adoption, and cross-government collaboration. The agency also emphasized ongoing efforts with OMB and Congress to reauthorize the TMF beyond its current expiration at the end of FY 2026. GSA noted that the proposed funding approach and continued reauthorization are intended to support long-term sustainability and enable agencies to accelerate critical IT modernization initiatives.

New OASIS+ BPA Resource Page Available

GSA has published a new Blanket Purchase Agreement (BPA) resource webpage for the One Acquisition Solution for Integrated Services Plus (OASIS+) vehicle.

Under the RFO, contracting officers may now establish single- or multiple-award BPAs under multiple award contracts (see RFO 16.507-2(c)(3)).

The OASIS+ BPA resource page provides high-level guidance on acquisition planning, threshold considerations, innovative acquisition approaches, issuing BPA solicitations, placing orders, and effective BPA administration.

USAi to Transition to Fee-Based Model

Nextgov reports that GSA’s FY 2027 budget request outlines plans to transition USAi to a cost-recoverable model, with agencies paying usage fees for the platform.

Launched in August 2025, USAi provides a centralized environment for agencies to test and use multiple AI models. The platform includes a unified chatbot interface, application programming interface (API), and management console.

According to the budget request, 15 agencies currently use USAi, with additional agencies on a waiting list. GSA indicated that the shift to a fee-based model is intended to support long-term sustainability, including continued platform operations, security and infrastructure investments, and growing demand across agencies.

VA Outlines EHRM Budget Request and Deployment Plans

MeriTalk reports that the White House’s FY 2027 budget request includes $4.24 billion for the Department of Veterans Affairs’ (VA) Electronic Health Record Modernization (EHRM) program. This represents an $840 million increase over FY 2026 enacted funding.

The EHRM program has faced delays and deployment challenges, with six VA medical centers currently using the system following a multi-year pause. VA plans to deploy the system to 13 additional sites in FY 2026.

According to VA budget documents, the department plans to expand deployments in the coming years, including 26 additional sites in FY 2027, followed by 28 in FY 2028, 32 in FY 2029, 32 in FY 2030, and 33 in FY 2033, completing deployment across VA facilities.

GSA Expands Workforce and Return to Office Initiatives

Federal News Network reports that after staffing cuts under Department of Government Efficiency (DOGE)-era directives, GSA is aiming to hire roughly 400 employees over the next six months. The agency will prioritize critical areas such as facilities management, acquisitions, and project management, while also offering career advancement opportunities for current staff.

The Public Buildings Service, which manages over 8,300 federal buildings, is central to the effort. Last year, workforce reductions outpaced GSA’s ability to shrink its real estate portfolio, which had already been partially downsized through building sales and lease terminations.

GSA is also requiring employees to submit daily updates on their work locations to track office occupancy and ensure compliance with return-to-office requirements. Leadership views these moves as a strategic investment in strengthening teams and ensuring that the right talent is in place for federal acquisition and facilities management priorities.

GSA Issues RFI for SmartPay Modernization

GSA has released a Request for Information (RFI) to gather industry input for the next generation of the GSA SmartPay program, the Federal Government’s charge card and payment services system.

GSA plans to upgrade SmartPay into a secure, data-driven platform that enhances purchasing power, user experience, oversight, and efficiency. The agency seeks innovative solutions to modernize systems, improve analytics, and prevent fraud.

SmartPay supported 82 million transactions totaling $39.4 billion in FY25 and has returned over $7.2 billion in refunds since its launch.

Responses to the RFI are due June 19, 2026, with a virtual Industry Day scheduled for May 19–21, 2026.

GSA Launches Ask FCP Virtual Assistant

GSA announced the launch of “Ask FCP,” a new AI-powered virtual assistant available within the FAS Catalog Platform (FCP). The tool is designed to help users quickly find answers to common questions using official FCP Help resources.

Ask FCP supports Multiple Award Schedule (MAS) contractors, Vendor Support Center (VSC) agents, and the acquisition workforce by:

Providing instant answers across FCP Help resources
Improving efficiency by enabling users to resolve common questions directly
Using authoritative information sourced only from official FCP documentation

The tool is intended for general “how to” questions and does not provide contract-specific guidance or access systems outside of FCP. For contract-specific or policy questions, users should continue to contact their Contracting Officer (CO), Contract Specialist (CS), or the VSC.

To access Ask FCP:

Log in to FCP at catalog.gsa.gov
Select the “Need Help? Ask FCP” button in the lower-right corner
Enter short, direct questions (for example, “How do I submit a baseline modification?”)
Clear the chat between unrelated questions using the “Clear Chat” option

GSA Updates FCP Onboarding Requirements for T&C Files

GSA announced that updating the Terms and Conditions (T&C) file is now part of the initial onboarding steps for the FCP.

A T&C file update is required for:

New contractors (awarded after August 28, 2025) that have not yet established a T&C file in FCP
New FCP users to ensure their file is current
Existing FCP users adding a new catalog offering requiring a baseline action

Existing contractors should download their T&C file from the GSA eLibrary and remove pricing and catalog details included in the Product File or Services Plus File. New awardees should refer to clause I-FSS-600 for requirements. Only vendors with SINs requiring specific Price Proposal Templates (PPTs) should include catalog details.

This requirement does not apply if:

A T&C file has already been established in FCP
The contractor has already transitioned to FCP prior to this update

Legal Corner: Executive Order Targets DEI… Again

The Legal Corner provides the procurement community with an opportunity to share insights and comments on Legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Common Sense in Government Procurement.

Alejandra Montenegro Almonte, Connor W. Farrell, Scott N. Flesch, Nate Lankford, Katherine E. Pappas, Ashley Powers, Alejandro (Alex) L. Sarria, Jason N. Workmaster; Miller & Chevalier

On March 26, 2026, President Trump issued a new diversity, equity, and inclusion (DEI)-related executive order (E.O.) titled, “Addressing DEI Discrimination by Federal Contractors.” This E.O. follows – and is in addition to – the administration’s prior efforts in E.O. 14151, “Ending Radical and Wasteful Government DEI Programs and Preferencing,” and E.O. 14173, “Ending Illegal Discrimination and Restoring Merit-Based Opportunity,” to address what it referred to as “illegal DEI” (previously discussed here). So, in addition to continuing to monitor the certification and related requirements called for in those earlier E.O.s, contractors and subcontractors will now need to be prepared to (1) address – potentially in very short order – a new contract provision aimed at what the E.O. broadly defines as “racially discriminatory DEI activities” in a way that does not clearly align with existing anti-discrimination law, and which also imposes new audit and reporting requirements, and (2) further take into account the enforcement risks associated with the administration’s view of what constitutes such activities.

Broad Definition of “Racially Discriminatory DEI Activities”

Unlike the prior DEI-related E.O.s which did not provide a definition of “illegal DEI,” leading to the issuance of further Department of Justice (DOJ) guidance on that subject (previously discussed here), this order defines “racially discriminatory DEI activities” and does so quite broadly.¹ Specifically, the E.O. defines “racially discriminatory DEI activities” as “disparate treatment based on race or ethnicity in the recruitment, employment (e.g., hiring, promotions), contracting (e.g., vendor agreements), program participation, or allocation or deployment of an entity’s resources.” And it defines “program participation” as “membership or participation in, or access or admission to: training, mentoring, or leadership development programs; educational opportunities; clubs; associations; or similar opportunities that are sponsored or established by the contractor or subcontractor.”

The reference to “allocation or deployment of an entity’s resources” in the definition of “racially discriminatory DEI activities,” and the inclusion of mentoring, leadership development, and training programs within “program participation,” suggest that many corporate programs could be subject to scrutiny by the administration – even though they are not labeled as DEI and even though the E.O. does not identify any pre-existing legal authority that would necessarily render them illegal. Consequently, the contract clause – once included in a contract – could arguably impose a contractual obligation that is broader than compliance with underlying, applicable anti-discrimination laws. By including “contracting (e.g., vendor agreements)” in the definition of “racially discriminatory DEI activities,” the E.O. also could be read to reach state and local requirements for diversity in contracting/subcontracting, thus potentially creating a conflict between state and local laws, on one hand, and the new contract clause, on the other, that contractors will need to carefully assess.

New Contract Clause

The new E.O. directs all executive departments and agencies, as well as independent establishments (collectively, agencies), “to the extent permitted by law,” to include in all contracts and contract-like instruments (at the prime and subcontract levels) a new contract clause, set forth in full text in the E.O. as follows:

In connection with the performance of work under this contract, [the contractor/appropriate party (contractor)] agrees as follows:

The contractor will not engage in any racially discriminatory DEI activities, as defined in section 2 of the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors);
The contractor will furnish all information and reports, including providing access to books, records, and accounts, as required by the contracting agency pursuant to the Executive Order of March 26, 2026 (Addressing DEI Discrimination by Federal Contractors), for purposes of ascertaining compliance with this clause;
In the event of the contractor’s or a subcontractor’s noncompliance with this clause, this contract may be canceled, terminated, or suspended in whole or in part, and the contractor or subcontractor may be declared ineligible for further Government contracts;
The contractor will report any subcontractor’s known or reasonably knowable conduct that may violate this clause to the contracting department or agency and take any appropriate remedial actions directed by the contracting department or agency;
The contractor will inform the contracting department or agency if a subcontractor sues the contractor and the suit puts at issue, in any way, the validity of this clause; and
The contractor recognizes that compliance with the requirements of this clause are material to the Government’s payment decisions for purposes of section 3729(b)(4) of title 31, United States Code (False Claims Act).

The E.O. directs that agencies ensure inclusion of this clause within 30 days of the date of the order (i.e., April 25, 2026). It is unclear, though, whether the direction to include this new contract clause applies only prospectively to new contracts and contract-like instruments, or whether it also applies to existing ones.² It is also unclear whether the president has the authority to direct inclusion of specific clause text when that text has not been subject to publication in the Federal Register and the notice-and-comment process, and the E.O.’s limitation of its implementation “to the extent permitted by law” suggests the administration itself recognizes that it may be challenged on this basis.³ Moreover, because the E.O. could be interpreted as a labor and employment regulation (as opposed to a procurement regulation), it could potentially face challenges based on an argument that it is outside the scope of the president’s direct regulatory power under the Federal Property and Administrative Services Act (FPASA).⁴

Despite this uncertainty, however, contractors should be prepared to see the new clause included in solicitations going forward, as well as efforts by agencies to include it in existing contracts. In addition to prohibiting contractors from engaging in “racially discriminatory DEI activities” as that term is defined in the E.O., the new clause facilitates government investigations by:

Providing contracting agencies with broad audit rights, requiring contractors to “furnish all information and reports, including providing access to books, records, and accounts, as required… for purposes of ascertaining compliance” with the clause.
Requiring contractors to “report any subcontractor’s known or reasonably knowable conduct that may violate this clause.” Presumably, however, this requirement should be read in light of applicable False Claims Act (FCA) precedent, which provides that a prime contractor is entitled to reasonably rely upon the certifications of its subcontractors – unless it has reason to doubt the accuracy of those certifications. See United States ex rel. Folliard v. Gov’t Acquisitions, Inc., 764 F.3d 19, 29-31 (D.C. Cir. 2014).

Enforcement Risks

The order makes clear that the administration contemplates using several different enforcement mechanisms with respect to the new clause, including:

Contract-level remedies: Agencies are authorized to cancel, terminate, or suspend contracts (in whole or in part) for contractor or subcontractor non-compliance.
Suspension and debarment: Agencies are directed to take appropriate action to suspend and debar non-compliant contractors and subcontractors.
Civil FCA exposure: The E.O. reinforces consistent themes in prior E.O.s and agency communications, stating that the administration will consider non-compliance with the new clause to constitute the basis for an FCA violation. In this regard, the clause expressly states that compliance is “material” to the government’s payment decisions under the FCA.⁵ Moreover, the order provides: “DEI activities impose artificial costs in hiring, promotion, and operations… [and] create unnecessary costs by reducing the pool of available labor by artificially limiting companies to hiring or promoting certain individuals, suppliers, or intermediaries based on their race or ethnicity. These costs are inevitably passed on to the Federal Government when it contracts with companies who engage in racially discriminatory DEI activities, or who use subcontractors who do so.” In addition, the E.O. directs the Attorney General (AG) to consider bringing FCA actions against violators and to ensure prompt review of qui tam actions brought by private relators, including rendering a decision on intervention within the 60-day seal period to the maximum extent practicable.
Sector-specific targeting: The Office of Management and Budget (OMB), in coordination with the AG, the Domestic Policy Council, and the Equal Employment Opportunity Commission (EEOC) Chair, is directed to identify economic sectors that pose a particular risk of engaging in racially discriminatory DEI activities and issue additional compliance guidance for those sectors.

Conclusion

The administration’s ongoing focus on DEI-related issues requires continued vigilance by contractors to understand the legal and enforcement risks in question. In particular, it is advisable for contractors to assess their existing practices in light of the E.O.’s definition of “racially discriminatory DEI activities,” given the lack of clarity as to whether that definition is co-extensive with existing anti-discrimination laws. After having made such an assessment, contractors can then assess their enforcement risk, plan accordingly in light of that assessment, and be prepared to defend the rationale for activities that may come under scrutiny.

Legal Corner: Has GSA Adopted DOD’s CMMC Requirements?

Authored by Reggie Jones & Nick Feldstern; Fox Rothschild LLP

If your organization handles Controlled Unclassified Information (CUI) for the federal government, take note: the U.S. General Services Administration (GSA) has just raised the bar on compliance. On January 5, 2026, GSA published new requirements for contractors and other nonfederal entities that work with CUI, and unlike the Department of Defense’s (DOD) phased rollout of its Cybersecurity Maturity Model Certification (CMMC) program, GSA isn’t waiting around. These requirements are effective immediately and mirror FAR proposed, but not final, CUI rule published in January 2025.

In an unusual move, GSA issued its IT Security Procedural Guide, entitled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process CIO-IT Security-21-112 Rev. 1” (the Guide), without a press release or other agency communication and without an opportunity for industry comment, which typically accompanies impactful agency rulemaking and guidance. And the Guide will make a huge impact once its requirements are included as a contractual requirement. Contractors wishing to remain eligible for GSA contracts must:

Comply with all of the security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 3 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” select enhanced controls from NIST SP 800-172, Rev. 3 (draft), “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” and select privacy controls from NIST SP 800-53 Rev. 5, “Security and Privacy Controls for Information Systems and Organizations”;
Engage in a five-step approval process, including third-party assessment and continued compliance monitoring; and
Comply with a strict one-hour cyber incident reporting requirement.

Although styled as internal agency guidance, the Guide signals the standards GSA intends to enforce going forward. Notably, however, the guide is silent on how these requirements will be incorporated into solicitations and contracts, leaving contractors with clarity on what will be expected of them but uncertainty as to how and when those expectations will be formally imposed.

Below, we break down the key elements of the Guide and highlight what organizations holding or pursuing GSA contracts—including those on GSA’s governmentwide Multiple Award Schedule (MAS)—need to know.

Federal Cybersecurity and the Standardization of CUI Compliance

In 2010, Executive Order 13556, titled “Controlled Unclassified Information,” established an open and unified program for managing information that, while unclassified, requires safeguarding or dissemination controls. The CUI program, implemented through 32 CFR § 2002, includes rules, organization, and procedures for federal and nonfederal entities that process, store, or transmit CUI. However, in practice, different agencies implemented the program and associated requirements haphazardly, leading to confusion among contractors and contracting personnel alike.

In the late 2010s, policymakers and industry began pushing for more consistency. At the forefront was DOD’s CMMC program, which was first announced in 2019, later finalized in 2024, and became formally effective in November 2025.

In short, the CMMC requires contractors to meet certain security requirement thresholds depending on the type of federal information that they will handle during contract performance. For contracts that involve handling CUI, contractors must implement security controls derived from NIST SP 800-171 Rev. 2 and, in the case of highly sensitive CUI, from NIST SP 800-172 Rev. 2. Compliance with the CMMC is a prerequisite for contract award for any defense contract that involves processing, storing, or transmitting Federal Contract Information (FCI) or CUI. Pursuant to the CMMC program, DOD solicitations will explicitly inform contractors what CMMC level is required for eligibility.

The CMMC emerged, in part, from growing concerns that allowing contractors to self-certify their cybersecurity compliance could result in false or inaccurate attestations and heightened security vulnerabilities. Accordingly, a key characteristic of the CMMC program, which differentiated it from other existing agency CUI programs, is the requirement of a compliance assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). (For a more in-depth dive into the CMMC see “Final CMMC Rule Effective Nov 10, 2025: What Federal Contractors Need to Know”).

While DOD’s CMMC program attracted the most attention, other civilian agencies have also been advancing CUI program reforms. The Federal Acquisition Regulation (FAR) Council issued a proposed rule to amend the FAR in January 2025, which has yet to become final, to incorporate CUI-related requirements across federal contracting. The Guide contains similar requirements to those contemplated by the FAR proposed rule. The Guide also shares several key characteristics with the CMMC, but diverges in important ways.

GSA’s Guide

Under the new guidance, contractors must comply with NIST security controls for all contractor information systems that process, store, or transmit CUI and will require both third-party assessment and approval by GSA’s Office of the Chief Information Security Officer (OCISO) in order to remain eligible for GSA contracts. Unlike the CMMC, which is currently undergoing a four-year phased rollout to allow defense contractors time to achieve compliance, this GSA framework provides no transition period, which means implementation can begin immediately.

However, also unlike the CMMC, GSA will approve non-compliant systems so long as specific “showstopper” controls are implemented, including multi-factor authentication, vulnerability monitoring and scanning, secure remote access controls, implementation of cryptographic protection, and replacement of unsupported components. Contractors that meet these “showstopper” controls but lack other controls will be required to develop a Plan of Actions and Milestones (POA&M), which identifies deficiencies and establish a timeline for full compliance.

Five-Phase Process for Protecting CUI

The Guide is structured around NIST’s Risk Management Framework, which consists of five phases, each broken down into multiple subphases.

Phase 1: Prepare – Contractors must first determine the types of information stored, processed, or transmitted by their information systems using the Federal Information Processing Standard (FIPS) 199 security categorization template. During this subphase, contractors will collaborate with the GSA Information System Security Officer (ISSO), Information System Security Manager (ISSM) and the CISO to confirm this determination. After an initial kickoff meeting with GSA to discuss the CUI approval process, the contractor must submit details on its solution architecture and security capabilities to GSA for evaluation.

Phase 2: Document – Contractors next must prepare and submit several key deliverables: a System Security and Privacy Plan (SSPP), Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA), Architecture Review Checklist, and Supply Chain Risk Management Plan. Importantly, contractors should be aware that security plans developed for other federal programs, such as CMMC or the Federal Risk Authorization and Management Program (FedRAMP), generally cannot be repurposed to satisfy this requirement due to GSA-specific criteria. All materials must be reviewed and approved by GSA before contractors can move forward. Phases 1 and 2 most closely align with the “scoping” phase of the CMMC.

Phase 3: Assess – The third phase requires contractors to engage a third-party independent assessor, either a FedRAMP Third Party Assessment Organization (3PAO) or GSA‑approved independent assessor, to test their systems using a plan agreed to in advance by GSA. POA&Ms are also required at this stage.

Phase 4: Authorize – GSA will conduct a multi-level review of the contractor’s approval package then prepare a Memorandum for Record evaluating whether the contractor’s systems are sufficiently secure to handle CUI.

Phase 5: Monitor – Once approved, contractors must continuously monitor their information systems and prepare quarterly deliverables (vulnerability scanning reports, POA&M updates, and shared drive access review) and annual deliverables (updated SSPPs, PTAs, and PIAs). Additionally, contractors must undergo a third-party assessment every three years and immediately report any major system changes to GSA.

One-Hour Incident Reporting

Beyond the five-phase CUI framework, the Guide imposes a stringent incident reporting requirement. Contractors must report both suspected and confirmed CUI incidents within one hour of discovery. Those who fail to meet this deadline face “escalation,” though the Guide leaves this term undefined, offering little clarity on the consequences.

This is a much shorter reporting window than the CMMC’s 72-hour window or the 8-hour window in the FAR CUI proposed rule. The tight reporting window raises practical concerns, as it leaves minimal time for contractors to conduct meaningful preliminary investigations. As a result, initial reports may be incomplete, forcing contractors to submit additional reports and potentially undermining the speed and effectiveness of their incident response efforts.

Contractor Takeaways

GSA’s CUI framework is effective immediately although it is not clear whether or how it will be incorporated into existing and new GSA contracts and leases. While the Guide may not provide all the answers, it suggests GSA contracting officers can begin enforcing the cybersecurity requirements on new contracts involving CUI. The more stringent requirements will have far-reaching impacts on any contractors holding or seeking any of the vast array of GSA contracts, including GSA’s many governmentwide acquisition contracts.
Contractors that hold or plan to pursue GSA contracts should immediately assess their CUI infrastructure under the new requirements, specifically the NIST SP 800-171 Rev. 3 and select NIST SP 800-172 Rev. 3 security controls. At the very least, contractors should ensure compliance with the more limited “showstopper” controls.
Prepare materials and get in line for a third-party assessment. Given the limited number of 3PAOs, contractors would be wise to open a dialogue and schedule an assessment. Considering the policy shift away from self-assessment and toward third-party assessment, contractors should expect other agencies to adopt similar requirements in the near future.
The careful reader will notice the Guide requires Revision 3 of both NIST SP 800-171 and -172, whereas the CMMC only requires Revision 2. This is significant, as Revision 3 reorganizes and consolidates several of the 110 security controls and places a greater emphasis on supply chain risk management, continuous monitoring, and stronger authentication. While Revision 3 is not a radical departure from its predecessor, contractors already familiar with Revision 2, such as defense contractors, must be aware of the differences.
Although the Guide does not explicitly address subcontractor flow-down requirements, contractors should consider broader trends in CUI protection, which typically require prime contractors to ensure subcontractors employ similar CUI safeguards. Given this landscape, GSA contractors are well-advised to proactively ensure their subcontractors adhere to general CUI safeguarding practices, even absent express guidance to do so.
Given the limited pool of trained and approved independent assessors, contractors should anticipate some delays in scheduling assessments. Early engagement with legal counsel experienced in federal cybersecurity and procurement requirements can be invaluable for navigating these obligations, evaluating risk, and developing a sound compliance strategy.

Off the Shelf: An Analysis of GSA’s Proposed AI Clause

Jonathan Aronie, Partner at Sheppard Mullin, joined Off the Shelf to discuss GSA’s proposed AI clause and the Administration’s Executive Order, “Addressing DEI Discrimination By Federal Contractors.”

The proposed AI clause outlines a governance framework and defines roles and responsibilities among the government, contractors, and AI service providers. Aronie highlights considerations related to alignment with commercial practices and potential impacts on contractor access to commercial AI solutions.

The discussion also covers the executive order’s new contract requirements related to diversity, equity, and inclusion (DEI), including key provisions, timing, scope, and implementation considerations for contractors.

Listen to the full podcast here.

Med/Surg Committee Meeting with VA, April 13

The Coalition’s Medical/Surgical Equipment Committee will host a meeting on April 13, at 12:00 PM (ET). The meeting will be held virtually.

Please join us for a discussion with Lenearo Ashford, Acting Commodities Director, Veterans Health Administration (VHA) and Jeremy Parker, Division Chief, Medical/Surgical Prime Vendor (MSPV) Supplies, VHA, on opportunities to improve the product addition process for the MSPV program.

The Coalition has developed recommendations based on member feedback to help facilitate discussion with the VA on improvements to the product addition process. To view the comments, click here.

If you have any additional topics or questions you would like addressed at the meeting, please email Joseph Snyderwine at JSnyderwine@thecgp.org.

To register, click here. For any assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org for further assistance.

This is a members-only event. If you see a message that says “Registration Not Available” please log in using your member account.

Update from GSA’s Office of Professional Services & Human Capital Categories, April 14

The IT/Services Committee will host an update from GSA’s Office of Professional Services & Human Capital Categories (PSHCC) on April 14, featuring invited speaker, Adam Soderholm, Director of the Center for Professional Services. During the discussion, Adam will provide an overview of the office’s latest priorities and initiatives, as well as insights into ongoing efforts affecting the PSHCC and the broader federal acquisition landscape.

The meeting will be held at 10:00AM-11:00AM EST, at GDIT, Falls Church, VA. Virtual attendance will also be available.

If you have any additional topics or questions you would like addressed at the meeting, please email Joseph Snyderwine at JSnyderwine@thecgp.org.

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org

This is a members-only event. If you see a message that says “Registration Not Available” please log in using your member account.

What Contractors Need to Know About the New DEI Clause, April 16

On March 26, 2026, President Trump issued Executive Order (EO) 14398, which directed federal agencies to include in contracts and contract-like instruments a new clause aimed at “ending racial discrimination in American society, including so called ‘diversity, equity, and inclusion’ (DEI) activities.”

The EO directs contracting officers to begin using an ad hoc contract clause no later than April 25, and the FAR Council to amend the FAR to include the new deviation clause by May 25.

Because the new clause imposes significant new compliance obligations on federal contractors and subcontractors (beyond those created by the January 2025 DEI EOs) – and because the EO expands the penalties applicable to noncompliance – contractors are well advised to pay close attention to the changes that are on the horizon.

The Coalition is pleased to welcome back Sheppard Mullinattorneys Jonathan Aronie, Anne Perry, and Ryan Roberts on April 16 at 12:00 PM (ET) to walk us through the EO and forthcoming contract clause, discuss its implications, and share a framework for approaching the new compliance obligations.

Attendees will gain practical and actionable insights that will be valuable to a range of corporate functions whose roles are implicated by the EO, including Legal, Human Resources, Contracts, and Subcontracts Management. You don’t want to miss this timely and insightful virtual discussion.

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Please note: The webinar will be recorded and sent to all registrants.

Transactional Data Reporting: Key Updates and Considerations for MAS Contractors, April 22

The Coalition will host a webinar on Transactional Data Reporting (TDR) on April 22 at 12:00 PM (ET), featuring The Gormley Group’s Andrew Sisti, Principal GSA Schedule Consultant and GSA Systems Subject Matter Expert, and Lauren Keshavarz, Senior GSA Schedule Consultant.

With TDR expanded across the Multiple Award Schedule (MAS) program through Refresh 31, contractors are now facing important updates. This session will provide an overview of key TDR requirements and compliance considerations.

During the webinar, Andrew and Lauren will cover:

The transition from Commercial Sales Practices (CSP) to TDR
Key reporting elements, including new requirements from Refresh 31
How to report firm-fixed price orders
TDR best practices

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Please note: The webinar will be recorded and sent to all registrants.

Future-Proofing Your Contracts: Legal Compliance Updates for Government Contractors, April 23

The Coalition is pleased to host a webinar featuring PilieroMazza, Partner, Nichole Atallah to discuss legal updates impacting government contracts. The webinar will be held on April 23 at 12:00PM ET.

Panelists will review recent legal developments, discuss notable regulations, and provide best practices for positioning your business amidst the change.

Learning objectives include:

new SBA rule changes
cases impacting mentor-protégé and joint venture arrangements
refresher on the nonmanufacturer rule (NMR)
recent GAO protest ruling involving a reseller and the Trade Agreements Act (TAA)
Corporate Transparency Act (CTA) compliance
updates on CMMC 2.0 implementation
national security memo on Artificial Intelligence (AI)

Join us for an informative discussion designed to keep you ahead of the latest legal and regulatory changes affecting the government contracting community.

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

Using JVs to Win Work with GSA and Beyond, April 30

The Coalition is pleased to host a webinar with Meghan Leemon, Partner at PilieroMazza, for a practical and informative discussion to help you structure and use joint ventures (JVs) to expand your federal contracting opportunities. The webinar will be held on April 30 at 12:00 PM (ET).

JVs are an excellent tool to win work, including with GSA. However, JVs must be structured properly to avoid significant risks that can arise in protests or in disputes between JV partners. Using JVs for GSA Schedules requires a unique approach. This webinar will discuss how you can structure and use JVs to win work and grow, with GSA Schedules and beyond.

Topics include:

Tips for how to form and best utilize JVs
Using JVs to pursue work through GSA Schedules
Latest developments with JV regulations and case law

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.

GSA & VA Schedule Contracting Training for In-House Counsel, May 12

The Coalition is proud to once again host its “must attend” General Services Administration (GSA) and Veterans Affairs (VA) Schedule Contracting Training for In-House Counsel on May 12! This course is designed for lawyers and contract managers at member companies with significant contract management and compliance responsibilities with GSA and/or VA Schedule contracts.

Our presenters for the day will be Robert Burton, Partner, Crowell & Moring; Ken Dodds, Executive Vice President & General Counsel, The Coalition for Common Sense in Government Procurement; and Jason Workmaster, Member, Miller & Chevalier Chartered;

During the training, Robert, Ken, and Jason will cover the following topics and more:

Pricing – Transactional Data Reporting (TDR)/Commercial Sales Practices (CSP);
Domestic Preferences;
Supply Chain;
Enforcement/Mandatory Disclosure/Ethics;
Sustainability Requirements/Policy; and
Bid Protests Update.

Reasons to Attend:

After successfully completing this course, you will receive 6 CLE credits, while also gaining an understanding of:

GSA/VA’s most favored customer pricing policy and major requirements of the government solicitation;
Current audit/oversight procedures;
Current GSA Schedule Price Negotiation Priorities; and
How the GSA Schedule can impact your company’s bottom line.

Plus, you will be able to advise your in-house clients regarding topics such as:

Disclosure of company records;
Establishing management and compliance processes;
Establishing ethics programs and mandatory disclosure;
Avoiding penalties; and
Identifying resources to assist with continuing legal support of your internal GSA/VA Schedule programs.

Who Should Attend:

This training course is excellent for:

In-house counsel for current GSA/VA Schedule contractors and/or companies considering becoming a GSA/VA Schedule contractor;
Government attorneys that advise clients with GSA/VA Schedule contracts;
Contract Managers with MAS experience; and
Compliance Personnel.

The training will be held at GDIT, Falls Church, VA, Time: 9:30 AM – 3:30 PM (ET). Virtual attendance is also offered for the course. We look forward to your participation!

To register, click here. For assistance with registration, please contact Mady Whiting at mady.whiting@thecgp.org.