Government Contracting Blog

The General Services Administration (GSA) is working on consolidating the certification framework for cloud service providers who are new to the FedRAMP Program. Right now, a full traditional security assessment and review is expensive and cumbersome for the government and creates barriers for cloud service providers looking to get FedRAMP certified. The goal is to reduce the initial review burden with consolidated rules that are anticipated to be published by the end of June 2026, and retire the FedRAMP Ready designation program. If you offer cloud services and are currently doing business with the federal government, or plan to in the future, read on to learn more about these changes.

This probably isn't the first time you're hearing about Multiple Award Schedule (MAS) Solicitation Refresh #31, but it might be the first time you're hearing of GSA's latest updates to the Refresh since the timeline was extended to March/April. GSA is planning significant changes with Refresh #31, including making Transactional Data Reporting (TDR) mandatory for all GSA MAS contractors, and proposing strict AI provisions. This is a big move for the MAS Program because Commercial Sales Practices (CSP) and reporting will no longer be a part of the Solicitation, and contractors may have to rethink the way they use AI. GSA also plans to make several other updates surrounding the Startup Springboard Program, clause provisions, and specific Large Categories. Since GSA is giving industry a brief opportunity to comment on the AI provisions, it's important you know what's to come in the next few months.

It's a great time to be in the public sector if you offer professional services. Earlier this year, GSA opened Phase II of their OASIS+ contract vehicle and expanded the scope with 5 new domains. There is currently no deadline for submission or limit on contract awards, so we're encouraging companies to get their foot in the door now. If you offer non-IT professional services, this vehicle might be for you. Let's review what OASIS+ is and how your business may be able to benefit from the contract.

The GSA Multiple Award Schedule (MAS) Program is comprised of 12 Large Categories to sell through, including the popular Information Technology, Professional Services, and Industrial Products and Services Large Categories. However, there are additional Large Categories that align with different industries and allow for the sale of more niche offerings. Did you know you can sell air charter services, delivery services, vehicles, boats, and shipping containers to federal buyers through GSA MAS? If your business specializes in these or similar services, then the Transportation and Logistics Services Large Category, or Large Category K, could be an opportunity for you to expand into the federal marketplace.

In the near future, many GSA Schedule holders will need to add another acronym to their vocabulary of federal contracting terms, TDR. TDR, which stands for Transactional Data Reporting, started as a pilot program in 2016, and is finally rolling out to all Schedule holders. As of MAS Solicitation Refresh #28, TDR became mandatory for any Schedule holder with a TDR-eligible Special Item Number (SIN).

Earlier this year, GSA released cybersecurity requirements that mimic the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). The “IT Security Procedural Guide”, or more formally known as CIO-IT Security 21-112, establishes a new framework of security requirements and privacy controls for contractors who deal with Controlled Unclassified Information (CUI) in nonfederal systems. Since this requirement was rolled out quickly and quietly without a formal announcement, some contractors may not be aware of the change. You may be wondering if this applies to your company or affects your contract. We’ll cover everything you need to know below.