In order to safeguard national security, and protect sensitive information, the federal government has procurement restrictions regarding Information Technology (IT) services and products. Any company that sells IT goods or services to the federal government must abide by these requirements, including GSA Multiple Award Schedule (MAS) contract holders. These procurement regulations are fast-evolving compared to other facets of government acquisition because of the shifting nature of technology and cyber threats. There are some buzzwords floating around that you may have heard of, such as “covered telecommunications” and “C-SCRM.”

Contractors need to keep a lookout for new cybersecurity regulations or requirements when completing work for federally funded contracts. If you’ve heard of the newly proposed CUI rule submitted by the Federal Acquisition Regulation (FAR) Council earlier this year, it’s aimed at standardizing the handling of Controlled Unclassified Information (CUI). This proposed rule was created to enhance the integrity and security of federal contracting processes by establishing uniform requirements across agencies for safeguarding CUI.

Contractors in the IT space, especially those offering cloud services, may be familiar with the Federal Risk and Authorization Management program, also known as FedRAMP. FedRAMP underwent a major change recently as the Emerging Technology Prioritization Framework was eliminated as part of an executive action from the Trump Administration. In this blog, we’ll go over what the framework was, why it was eliminated, and what this means for contractors going forward.

The rapid evolution of information technology has shaped virtually everything in today’s world, including how the federal government functions. For years, the government has lagged behind industry advancements for various reasons. As the Office of Management and Budget (OMB) puts it:

The government contracting landscape is full of acronyms. As a GSA Multiple Award Schedule (MAS) contractor ourselves, we know this new terminology can be a lot to make sense of, especially if you are going through the MAS acquisition process at the same time. However, with some time and dedication, you can start unravel the meaning behind these acronyms.

The day has arrived—after over 5 years of development and delays, the Department of Defense (DoD) has released the final rule for Cybersecurity Maturity Model Certification (CMMC). It was released for public comment in October, and went into effect on December 16, 2024, establishing the CMMC program and process into law. No updates were made during the public comment period. Let’s dive into what this rule entails and the timeline for implementation so you can be prepared for this new requirement.