
Expert Edition: How to tackle complex federal cyber challenges

By: wfedstaff

Cyberthreats don’t stop, and they don’t stop evolving, at a dizzying pace. Federal agencies are responding with smarter strategies, stronger partnerships and a focus on mission resilience.

Our latest ebook brings together insights from top government and industry experts shared on Day 1 of our Cyber Leaders Exchange 2025, presented by Carahsoft and Cisco. You’ll find tips, strategies and tactics on how to tackle today’s most complex cybersecurity challenges.

Featured voices include:

  • Nick Andersen, executive assistant director for cybersecurity, CISA
  • Darren Death, chief information security officer, Export–Import Bank
  • Ollie Gagnon, chief homeland security advisor, Idaho National Laboratory
  • Bart Larango, strategic industry advisor for federal, Splunk
  • Michael Overstreet, director of security solutions engineering, U.S. public sector, Cisco
  • Matthew Rogers, OT cyber lead, CISA
  • Madhuri Sammidi, deputy associate CIO, Bureau of Safety and Environmental Enforcement, Interior Department
  • Jason Warfield, head of solutions and adoption engineering, Cisco ThousandEyes

Explore how Carahsoft and its partners — Cisco, Splunk and Cisco ThousandEyes — are helping agencies stay secure, agile and mission ready.

Download the full ebook now!

The post Expert Edition: How to tackle complex federal cyber challenges first appeared on Federal News Network.


Army begins to reshape its acquisition enterprise along portfolio lines

In the Army, a new acquisition bureaucracy is starting to take shape. It means new names for some longstanding Army organizations. But at its core, the reorganization is about letting Army officials manage the acquisition system as portfolios of capabilities with less of a focus on individual programs.

That idea’s been championed by outside reform advocates for years, including when the “Section 809 panel” on acquisition reform released its final report in 2019. The Congressional panel on Planning, Programming, Budgeting and Execution Reform echoed the call as part of its recommendations. So did both the House and Senate in their respective versions of the latest Defense authorization bill. And last month, it got the explicit endorsement of the secretary of Defense.

“We will leverage taxpayer dollars in a more accountable, flexible and deliberate manner to maximize their value across capability portfolios,” Defense Secretary Pete Hegseth said during an address at the National War College. “We will shift funding within portfolios’ authorized boundaries swiftly and decisively to maximize mission outcomes. If one program is faltering, funding will be shifted within the portfolio to accelerate or scale a higher priority. If a new or more promising technology emerges, we will seize the opportunity and not be held back by artificial constraints and funding boundaries that take months or even years to overcome.”

In that address, Hegseth credited the military services with laying the groundwork for some of the reforms he wants to make department-wide. And the Army started its implementation work last month, naming six new “portfolio acquisition executives.” Each of those PAEs will oversee different “capability areas” with programs managed by what had, up until now, been called program executive offices (PEOs), and will now be called capability program executives (CPEs).

But there’s more in those portfolios than just the former PEOs, said Brig. Gen. Christine A. Beeler, the capability program executive for Simulation, Training and Instrumentation (CPE STRI).

“The PAE is going to be able to wrangle all of those enablers, and we are just one enabler to the PAE,” said Beeler during a staff town hall late last month. “There are also folks up at big Army that are going to help us on the programming side … and you’ve got requirement folks. That can get combined and come to us in a single requirements community of practice, so that things that get decided at the PAE level will be easier to understand and make trades on.”

Last week, another of those former PEOs announced the details of its own internal reorganization. Leaders of the newly dubbed Capability Program Executive for Command, Control, Communications, and Network say most of their changes will be at the program manager level — both to align with the Army’s broader acquisition “transformation” agenda, and to orient the office more explicitly around the Army’s plans for Next Generation Command and Control.

The changes there include four new program offices — one each for applications, data and AI, infrastructure and transport, plus changing roles for several other offices. CPE C3N officials expect to detail the changes during the next Army technical exchange meeting at Aberdeen Proving Ground next month.

Beeler said there will be program office changes within her organization as well, but the reorganization will take until the summer of 2027 to fully unfold. Along with that, she said, will be a reduction in senior officer positions.

“The key changes were a mandated reduction of command select list billets by 30% at both the O-6 and the O-5 level,” she said. “So that means, over time, we’re going to transition from three CSL billets to two CSL billets at the O-6 level, and from eight CSL billets eventually to five CSL billets at the O-5 level.”

And at the even more senior levels, Beeler says the end state of the Army’s acquisition reorganization is that the new PAEs will be two-star generals or the civilian SES equivalents. And the CPEs will be one-star positions.

But those details — like many others in the reorganization — are still subject to change.

“This is a very time- and event-driven process,” she said. “We’re not jumping in tomorrow, both feet and everything’s changed. That wouldn’t make any sense, and we would lose the discovery part of how these pathfinder adjustments to the acquisition process are actually going to work. For the time being, we will be the Capability Program Executive STRI. We believe in the future we’re going to change the logo and we’ve got some ideas out there for how we’re going to make other changes over time, but at the end of the day, this is what we’re going to do. We simulate the fight, we replicate the threat, and we’re going to make sure that the Army can win across all domains.”


U.S. Army soldiers walking along Constitution Ave., on the National Mall ahead of a parade commemorating the Army's 250th anniversary and coinciding with President Donald Trump's 79th birthday, Saturday, June 14, 2025, in Washington. (AP Photo/Pablo Martinez Monsivais)

Compromise NDAA would let DoD promote civilians faster, increase cyber pay

A compromise version of the fiscal 2026 National Defense Authorization Act, released late Sunday, includes several key civilian personnel reforms that could change how the Defense Department hires and manages its civilian workforce.

Most notably, the draft text includes a provision that would allow the Defense Department to promote employees based on skills and qualifications without requiring them to satisfy minimum time-in-grade requirements before being eligible for promotion.

Ron Sanders, a former career human capital leader in government, said the provision is emblematic of the long-running debate to allow DoD to secede from the rest of the federal civil service due to the nature of its mission.

“It is a big deal, and it underscores a bigger issue … You should be able to promote people, regardless of time served, if they can do the job — promote them,” Sanders told Federal News Network. “There have been numerous attempts to carve out more flexibilities for the DoD civilian workforce than the rest of the civil service had.”

“I’m of the mind, and I’m not alone in this, that the federal civil service should be broken up. It should be glued together by a series of standards and principles — there are some cross cutting government-wide principles that should always remain in effect. But DoD has a different mission than the intel community, and it has a different mission than FBI and the law enforcement and other aspects of Homeland Security. Trying to treat all of that as one-size-fits-all is problematic. And I think you’re seeing a continuation of the debate that DoD is different,” he added. 

The time-in-grade requirement is antiquated anyway, Sanders argued, and should be revisited for the rest of the federal civil service.

The bill would also allow the Defense Department to use skill-based assessments to determine whether applicants are qualified for open positions.

“If you sum it all up, DoD would basically have its own civilian personnel system, separate and apart from the rest of the federal civil service. I think we’ve gone to the other extreme, and we’ve been living there for decades now, and that is a one-size-fits-all mentality. What’s good for the SEC is good for DoD, and that’s just not true anymore,” Sanders said. 

In addition, if enacted into law, DoD would be able to share certificates of top candidates for various roles across the department. Certificates would remain valid for at least a year, and they are subject to agency-specific qualification checks.

This particular provision is not new, Sanders said. “If you have the applicant’s permission, sharing certificates, to me, is not a big deal, and it should have been done years and years and years ago, if it hasn’t been.”

Congress is also tightening the department’s ability to make workforce cuts by adding new analysis requirements, reporting mandates and restrictions on conducting reductions-in-force.

If passed, the bill would prohibit DoD from reducing its workforce levels or realigning functions if such changes involve more than 50 employees and occur outside the normal programming process, including ad hoc, immediate or unprogrammed workforce changes. The Defense secretary is also required to notify Congress about planned workforce reductions.

“I think it is part of a larger trend, and that is a growing realization that civilian personnel in DoD are important and they should be managed. If something affects 50 or more employees or some small number like that, that’s micromanaging,” Sanders said. “I don’t think that was the intent on the part of Congress to actually worry about 50 employees. I think it was just a failure to fully comprehend the full scope of the DoD civilian workforce, which is just plain huge.”

Lawmakers are also seeking to centralize and elevate civilian personnel management within each military service by placing it under senior uniformed leaders. If the measure passes, senior leaders who manage military manpower would also oversee the department’s civilian workforce.

“I think at least part of the reasoning is the necessity of having what I would argue are redundant staffs at the military department headquarters and at the major command level. There’s a pendulum here, and it goes back and forth. But at the end of the day, somebody really does need to take a hard look at the staffs that have emerged and decide whether they’re redundant and whether they could be centralized,” Sanders said. 

Cyber workforce

The legislation also expands which positions DoD can hire using special cyber authorities, as well as significantly increases the maximum pay DoD can offer for cyber talent.

Under current law, Cyber Excepted Service hiring authorities apply to U.S. Cyber Command, as well as certain cybersecurity and IT operations roles across the services. The 2026 defense policy bill could expand it to positions held in combatant commands, defense agencies, and field activities supporting CYBERCOM. DoD would also expand Cyber Excepted Service to 500 more cyber roles that don’t neatly fit into existing categories but are still vital and hard-to-fill jobs.

The legislation would also give the defense secretary greater pay flexibility for cyber talent, allowing DoD to offer up to 150% of the maximum basic pay authorized for Executive Schedule Level I roles.

“Neither Homeland Security nor DoD has taken full advantage of the authorities that Congress gave them literally decades ago. In DoD’s case, I think the mandate, and I read this as a mandate, to put more people under CES is generally a good thing. It just again underscores whether DoD should be treated differently or whether you need a separate set of personnel flexibilities for all cyber ninjas at DoD,” Sanders said.


Trump’s government management vision centers on elimination, accountability

The Trump administration has laid out its President’s Management Agenda, providing a framework for the administration’s overarching priorities to drive change in the federal government for the next few years.

The new PMA, which the Office of Management and Budget published Monday, includes three key priority areas, each of which contains several underlying goals the administration wants to meet, such as eliminating “woke” government, ending “over-classification” and “buying American.”

Many of the goals contained in the management agenda are already taking shape through a number of President Donald Trump’s executive orders and other changes to government the president has initiated since taking office.

“In his first months in office, President Trump already took bold and decisive actions to begin to reshape the federal government and end its weaponization against American citizens,” OMB Deputy Director for Management Eric Ueland wrote Monday in a memo to agencies.

A senior OMB official, speaking on background, said the PMA takes the president’s promises, as well as the administration’s work already underway, and creates a framework to “institutionalize” those end goals.

“Some of the previous PMAs have been all-encompassing and trying to be everything to everybody, whereas this PMA is very clearly tied to what President Trump promised the American people he would do when he got elected,” the official said in an interview with Federal News Network. “These are going to be priorities every agency focuses on for the full Trump administration.”

The Trump administration’s three PMA priorities are:

  • Shrink the government and eliminate waste
  • Ensure accountability for Americans
  • Deliver results, buy American

The PMA has been a staple of presidential administrations for more than 20 years. Generally, each PMA aims to address systemic challenges in government management by setting goals and holding agency executives accountable. It’s a way for the White House to work with agencies to establish top priorities, then monitor progress toward priority-based goals.

Performance.gov, the website that hosts the administration’s PMA, so far contains only an outline of the Trump management agenda. Details are missing on which federal leaders will be tasked with delivering on the goals, where there has already been progress, and how the administration will measure results for each priority.

An OMB official blamed the 43-day government shutdown for the limited details on the PMA website. Though confirming that more information would eventually be available, the official did not provide a specific timeline.

“We’ll work with the agencies and identify where they’re already making progress and start putting out — as PMAs in the past have — updates on the success that’s been had, what metrics we’re going to be looking at measuring and what agencies are going to be part of different leads for the individual goals,” the official said.

Shrinking the government

For the Trump administration, the first priority in the PMA focuses on shrinking the government and eliminating waste, particularly in programs that Trump has described as “woke” or “weaponized.”

To meet that end, the PMA’s first priority defines three key goals:

  • Eliminate woke, weaponization and waste
  • Downsize the federal workforce
  • Optimize federal real estate

Already, the Trump administration has taken significant steps toward the overarching goals. Agencies spent much of this year under a hiring freeze, while the administration simultaneously reduced the size of the federal workforce by more than 300,000 employees.

Going forward, the OMB official pointed to Trump’s latest executive order on federal hiring as a way to measure progress toward the PMA’s first priority. The Oct. 15 order called on agencies to form strategic hiring committees composed mainly of political appointees, as well as create staffing plans for the coming year.

“A key part of that will be making sure agencies are putting in place those hiring committees,” the official said. “They’re making very strategic decisions around who they’re hiring and what positions they’re hiring for, so we don’t just inflate the federal government again and overwhelm all the success we’ve had in reductions to date.”

Trump’s first priority area in the PMA is a clear departure from the Biden administration’s agenda, which had centered on strengthening the federal workforce and included efforts to increase federal hiring and workforce development.

On top of reducing the federal workforce, the Trump administration’s first PMA priority additionally focuses on removing programs related to diversity, equity, inclusion and accessibility (DEIA), as well as ending a number of federal programs the administration described as “wasteful.”

That goal already began taking shape earlier this year, as the Trump administration directed agencies to end DEIA programs, and remove federal employees who worked on DEIA-related projects. The administration has also sought to shrink certain agencies, including USAID and the Education Department.

As a final piece of its first PMA priority, the administration said it plans to shrink the government’s real estate holdings by offloading “unnecessary” leases and federal buildings, as well as moving agency facilities to more “cost-effective” locations.

Trump has signed a number of executive orders this year focused on making federal architecture “beautiful,” and changing the way agencies prioritize federal building locations, while also requiring all federal employees to work on-site full time.

A focus on accountability

In addition to shrinking government, the administration will also be focused particularly on driving “accountability” as the second PMA priority. The effort will impact federal employees, agency programs and government contractors, according to the agenda’s outline.

The underlying goals for achieving Trump’s second priority area are:

  • Foster merit-based federal workforce
  • End censorship and over-classification
  • Demand partners who deliver

Many of the goals under the second PMA priority are familiar, as the administration has already attempted to reach those ends. For instance, the administration has created a new “Schedule Policy/Career” classification for federal employment, and altered performance management standards for federal employees.

“One benefit of the way that PMA is structured for this administration is it’s going to be easy to integrate this PMA into performance reviews for individual employees across the government and hold them accountable for delivering on the president’s priorities,” the OMB official said.

The Office of Personnel Management in May also issued a “merit hiring plan,” which in part called on agencies to question job applicants on how they will adhere to the president’s priorities.

“A lot of this is following up on executive orders and policy decisions made by the president early on,” the OMB official said. “We’re going to be having agencies strategically hiring [and] they need to do so following the merit hiring plan.”

The second priority area also includes a focus on implementing Trump’s orders related to collective bargaining and labor-management relations at agencies. On top of that, the administration also detailed goals of promoting transparency in the federal government, such as through “find[ing] and annihilat[ing] government censorship of speech.”

Additionally, the second PMA priority includes goals of changing government contracting by working with “the best businesses,” and tasking political appointees, rather than career employees, with leading grant processing work.

“It’s making sure that those receiving federal dollars were chosen based on merit, because they’re going to deliver the outcomes that are expected,” the OMB official said.

Modernize technology, “deliver results”

The third and final priority area in the Trump administration’s PMA focuses on consolidating federal procurement, as well as adopting more modern technology into government services.

The priority contains two key goals:

  • Efficiently deploy the buying power of the federal government and buy American
  • Leverage technology to deliver faster, more secure services

Attempting to advance technology in government has been a long-standing goal across multiple administrations and throughout many agencies. But the OMB official said for the Trump administration, the goal will be to focus on finding modernization initiatives that can be turned around in shorter timeframes, and “moving out of 10-year, 15-year efforts.”

“We are being more specific in where we’re focused and making sure that we’re tackling projects that we can get done, so that we get the results and the benefits of that,” the official said.

The third priority, once again, mirrors many steps that the administration has already taken, such as attempting to reshape the federal acquisition process.

The priority area also focuses on a familiar throughline from the Trump administration and the Department of Government Efficiency of eliminating “waste.”

Underlying goals in the PMA’s third priority area, for instance, focus on reducing the number of “confusing” government websites. Another focuses on removing “duplicative” data collections and eliminating data siloes.

“Instead of having dozens or hundreds of siloed IT systems,” the OMB official said, “we’re going to be able to work off of consolidated IT systems that can operate in an integrated fashion.”


President Donald Trump speaks during a Cabinet meeting at the White House, Tuesday, Dec. 2, 2025, in Washington. (AP Photo/Julia Demaree Nikhinson)

State Department HR chief moving on to new role after carrying out layoffs this summer

A top human resources official at the State Department, who played a major role in the agency’s widespread reduction in force this summer, is moving on to a new role within the agency.

Lew Olowski, the chief human capital officer for the Bureau of Personnel and Training, is stepping down from that role to become the senior bureau official for the Office of Foreign Missions, two sources familiar with the decision told Federal News Network. The State Department declined to comment.

In this role, Olowski oversaw layoffs of nearly 1,350 State Department employees in July. The department sent reduction-in-force notices to more than 1,100 civil service employees and nearly 250 Foreign Service employees who were based in the United States at the time.

Senior department officials later told Congress that the RIF was the largest and most complex workforce reduction of its kind, and that they carried out the layoffs in consultation with the Office of Personnel Management.

Politico first reported on Olowski’s new role within the State Department.

Most of the employees who received RIF notices this summer officially separated from the agency in September.

The State Department sought to finalize layoffs for nearly 250 Foreign Service officers and several civil service employees last week. But a federal judge in San Francisco temporarily blocked the department from officially separating those employees.

The temporary restraining order signed last Thursday is part of an ongoing lawsuit unions filed on the eve of the government shutdown, which blocked the Trump administration from conducting widespread layoffs during a lapse in congressional funds.

The amended lawsuit states that several agencies, including the State Department, aren’t fully adhering to a provision in the shutdown-ending stopgap funding bill that temporarily blocked the Trump administration from carrying out layoffs.

The nonprofit Democracy Forward, which is also part of the lawsuit, said the amended lawsuit seeks to reverse “other unlawful RIF actions” at the Small Business Administration and the General Services Administration, as well as the departments of Education and Defense.

A recent survey led by the American Foreign Service Association found the State Department’s diplomatic workforce, given sweeping changes happening under the Trump administration, felt overburdened, under-resourced and more likely to leave in the next few years.

In a survey of more than 2,100 active-duty Foreign Service employees, AFSA found that 98% of respondents reported reduced morale this year. About 86% of respondents said workplace changes since January have affected their ability to advance U.S. diplomatic priorities.

Before the Trump administration, about 17,000 active-duty Foreign Service officers worked for the State Department. AFSA estimates that nearly 25% of its workforce left this year — when counting layoffs, retirements and those who accepted deferred resignation offers.

AFSA said in April that it was “deeply concerned” by Olowski’s appointment to the department’s top HR role, which is typically held by career members of the Foreign Service with decades of relevant experience.

“The Foreign Service is a competitive, merit-based institution, built on a foundation of expertise, service, and nonpartisanship. Placing an untenured, entry-level officer who has only served one complete overseas tour into this critical role, even in an acting capacity, not only disregards that tradition but also sends a clear message about the value this administration places on experience and professional progression,” AFSA wrote.


FILE - The seal of the State Department is seen at the Washington Passport Agency, July 12, 2016, in Washington. (AP Photo/Alex Brandon, File)

DoD goal for clean 2028 audit in jeopardy, IG finds


  • There's more discouraging news for the Pentagon’s prospects of obtaining a clean financial audit by the current 2028 deadline. A new evaluation by the Defense Department inspector general found the department’s plan to remediate one of its key, longstanding material weaknesses — an inability to keep track of government property in the possession of contractors — doesn’t appear to be working. DoD intended to fix the problem largely by tracking the contractor-managed property in a software module within the Procurement Integrated Enterprise Environment. But according to the IG, key DoD leaders haven’t mandated the use of that module, and the military services haven’t updated their own systems to properly interface with it.
  • Today marks the final day of Open Season. Enrollees in the Federal Employees Health Benefits Program have until midnight tonight to make any desired changes to their health insurance options. The open enrollment period also applies to Postal Service employees, as well as those with dental and vision coverage. Any changes made during Open Season will take effect in January.
    (Final day of Open Season - Office of Personnel Management)
  • Army Cyber Command has a new leader. Lt. Gen. Christopher Eubank officially assumed command during a ceremony on Dec. 3 at Fort Gordon, Georgia. Eubank took over for Lt. Gen. Maria Barrett, who is retiring after nearly 38 years of service and three years leading Army Cyber Command. Eubank previously served as special assistant to the commander of Army Space and Missile Defense Command. He also led the Army’s Network Enterprise Technology Command. In his new role, Eubank will lead Army cyber operations and provide Army forces to U.S. Cyber Command.
  • The Program Executive Office Command, Control, Communications and Network, or PEO C3N, is undergoing another major reorganization. As part of the Army and Defense Department-wide acquisition reform efforts, the program executive office is changing its name to the "Capability Program Executive Command, Control, Communications and Network,” or CPE C3N. The office is realigning its structure to better support the Army’s Next Generation Command and Control effort. Brig. Gen. Jack Taylor will continue to lead the organization as the capability program executive. As part of the overhaul, the organization is standing up new project offices focused on C2 applications, data and AI, infrastructure and transport.
  • An appeals court has ruled in favor of President Donald Trump’s firings of two Democratic board members. The split 2-to-1 decision of the appeals court panel has no immediate effect, since the removals of Cathy Harris at the Merit Systems Protection Board, and Gwynne Wilcox at the National Labor Relations Board, were already finalized. But Friday’s decision comes as the Supreme Court is expected to hear arguments on whether to overturn a 90-year-old ruling known as Humphrey’s Executor. If the decision is overturned, it has the potential to expand the president’s power in shaping independent agencies and may further reinforce the outcomes of Harris' and Wilcox’s terminations.
  • Palo Alto Networks is joining the ever-growing list of vendors signing up for GSA's OneGov program. The cybersecurity company will now offer agencies up to a 60% discount from its schedule prices for three of its cyber tools. Agencies can now buy Palo Alto's software next-generation firewall, its secure access service edge (SASE) solution and its code-to-cloud platform for deep discounts through January 2028. This is GSA's fifteenth OneGov agreement since it launched the program in April. Last week, GSA also signed a similar deeply discounted deal with SAP.
    (Palo Alto Networks joins GSA's OneGov program - General Services Administration)
  • Small businesses in the 8(a) program will now have a busy holiday season. The Small Business Administration is asking participants in the 8(a) contracting program for a trove of data as part of the agency's ongoing audit of the long-standing socioeconomic initiative. In a letter sent to more than 4,300 8(a) firms, SBA set a deadline of Jan. 5, 2026, for these companies to deliver 13 data sets. These include everything from a copy of all 8(a) contracts for the last three fiscal years to full financial statements to their full general ledger. SBA said firms that fail to meet the deadline may lose their eligibility to participate in the 8(a) program and could face further investigative or remedial actions.
  • A top human resources official at the State Department who played a major role in the agency’s widespread reduction in force this summer is moving on to a new role. Lew Olowski, the chief human capital officer in the Bureau of Personnel and Training, is stepping down from that role to become the senior bureau official for the Office of Foreign Missions, according to two sources. The State Department declined to provide an on-the-record comment.

The post DoD goal for clean 2028 audit in jeopardy, IG finds first appeared on Federal News Network.

© Getty Images/Westy72

River entrance of the Department of Defense building.

Getting ahead of CMMC, FedRAMP and AI Compliance before it gets ahead of you

If 2025 felt like a whirlwind for regulatory compliance, you’re not imagining it. Between the finalization of the Cybersecurity Maturity Model Certification (CMMC) 2.0 rules, the launch of FedRAMP’s 20x initiative promising faster authorizations, and new AI governance requirements from the Office of Management and Budget and the National Institute of Standards and Technology, organizations working with federal agencies faced enormous regulatory change.

As we head into 2026, the tempo isn’t slowing. The Defense Department is phasing CMMC into contracts to protect the defense industrial base. FedRAMP continues evolving as more agencies migrate critical systems to the cloud. And AI regulations are moving from principles to prescriptive requirements as governments grapple with the risks and opportunities of deploying AI at scale.

After leading hundreds of companies through compliance journeys and assessments — and going through them ourselves — we’ve learned that while each framework has nuances, three universal lessons apply.

Three lessons that apply to each framework

1) These frameworks are not like the ones you already know.

The biggest mistake? Treating CMMC like SOC 2 or assuming FedRAMP is “ISO 27001 for government.”

For example, CMMC Level 2 requires implementing all 110 NIST SP 800-171 security requirements, which assessors evaluate against the 320 assessment objectives in NIST SP 800-171A. Your system security plan alone could reach 200 pages. Budget more time, resources and specialized expertise than you think you need.

2) Scoping is a critical first step that organizations often get wrong.

Determining what’s in scope is one of the hardest and most important steps. I’ve seen companies believe 80% of infrastructure was in scope for CMMC, only to learn it was closer to 30%. Be ruthless about where controlled unclassified information actually lives. Every system you include can add months of work and tens of thousands in costs.

For FedRAMP, define your authorization boundary early. For AI governance, inventory every AI system, including embedded features in SaaS tools. Invest in scoping before implementing controls.

3) Automation is mission-critical, not optional.

Manual processes don’t scale when juggling multiple frameworks, and they leave you vulnerable to errors and inefficiencies. That’s why FedRAMP 20x and other frameworks today are evolving to put automation at the center of the process. Organizations that want continuous improvement must treat automation as core infrastructure, especially for monitoring controls, collecting evidence and surfacing real-time compliance data.

The real cost of playing catch-up

Companies that treat compliance as a last-minute sprint routinely spend hundreds of thousands of dollars on CMMC Level 2 alone. They scramble, rush documentation and often fail their first assessment, and non-compliance can come at a hefty price.

Organizations that delay addressing compliance gaps are vulnerable to security risks. IBM’s 2025 Cost of a Data Breach Report showed that noncompliance with regulations increases the average cost of a breach by nearly $174,000.

Regulatory actions are rising too. The Department of Health and Human Services’ Office for Civil Rights issued 19 settlements and over $8 million in fines for HIPAA violations this year to date, already the highest on record for a single year.

Organizations that start early spend less and use compliance as a competitive advantage. When you’re behind, compliance is a burden; when you’re ahead, it’s a differentiator.

What you need to know right now

For CMMC 2.0

If you’re a prime contractor, subcontractor handling CUI, or external service provider in the DoD supply chain, start now.

Identify what type of information you handle, what certification level you need, and define your scope. Build your system security plan early and categorize every asset using the CMMC scoping categories: CUI assets, security protection assets, contractor risk managed assets, specialized assets, or out of scope.

When selecting a C3PAO, look for transparent pricing, strong references and clear data-handling processes. You can achieve conditional certification with a plan of action and milestones (POA&M), but the rules are tight: your assessment score must be at least 88 of 110 (the 80% threshold) in SPRS, the open items must be closed within 180 days, and the highest-weighted (five-point) requirements cannot be deferred to the POA&M at all, with only narrow exceptions. Treat those requirements as must-haves before the assessment, not after.

For FedRAMP 20x

Keep in mind that FedRAMP isn’t a one-time audit. The true 20x objective is not just to speed up authorizations, but to achieve smarter and stronger security — and this requires preparation.

These steps are non-negotiable:

  • Build continuous monitoring infrastructure and processes from day one.
  • Ensure your authorization boundary is correct and your architecture documentation is precise. Ambiguity causes delays that stretch timelines beyond a year.
  • Automate evidence collection and continuous monitoring for monthly deliverables required to maintain authorization.

For AI governance

Federal AI regulations are quickly moving from principles to requirements. Establish AI governance councils now. Inventory AI systems comprehensively, document training data provenance, implement bias testing protocols and create transparency mechanisms.

As OMB and NIST frameworks take hold, AI governance will become a standard procurement requirement through 2026.

Five steps to start today

1) Start with an honest gap assessment.

Most companies are further behind than they think, particularly on incident response and supply chain risk management. Know your baseline before building your roadmap.

2) Treat documentation like code.

Your system security plan, policies and authorization package shouldn’t be static Word documents. Your documentation needs to be a living architecture that is version-controlled, regularly updated and, ideally, machine readable; NIST’s OSCAL formats exist precisely so that system security plans, assessment results and POA&Ms can be generated and validated by tooling rather than retyped by hand.
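As an added worked example of what "documentation like code" buys you, tied to the conditional-certification figures given above under CMMC 2.0 (the 80% score threshold and the 180-day POA&M window): once the implementation status of each NIST SP 800-171 requirement lives in a structured record instead of a Word file, the score and the deadlines can be computed and checked on every commit. This is illustrative code, not the article's or Secureframe's. It assumes the DoD Assessment Methodology scoring model (110 points maximum, each requirement weighted 1, 3 or 5, weight deducted when not implemented, partial credit only for 3.5.3 and 3.13.11); the requirement record below is constructed, and its weights are illustrative rather than the official Annex A values.

```python
"""Score a machine-readable NIST SP 800-171 implementation record.

Added example, not code from the article or from Secureframe. Scoring model
assumed: DoD Assessment Methodology (110 max, weights 1/3/5, deduct the
weight for each unimplemented requirement). The 80% threshold and 180-day
POA&M window are the figures the article states.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
CONDITIONAL_THRESHOLD = MAX_SCORE * 8 // 10   # 88 points, the article's "80%"
POAM_WINDOW_DAYS = 180

# Under the DoD methodology only these two requirements earn partial credit
# (MFA for remote/privileged users only; encryption that is not FIPS-validated).
# Any other requirement marked "partial" is scored as not implemented.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    rid: str                         # NIST SP 800-171 requirement id, e.g. "3.1.1"
    weight: int                      # 1, 3 or 5 (take real values from Annex A)
    status: str                      # implemented | partial | not_implemented | not_applicable
    poam_opened: date | None = None  # date the gap was entered in the POA&M


def deduction(req: Requirement) -> int:
    """Points lost for one requirement."""
    if req.status in ("implemented", "not_applicable"):
        return 0
    if req.status == "partial":
        return PARTIAL_CREDIT_DEDUCTION.get(req.rid, req.weight)
    if req.status == "not_implemented":
        return req.weight
    raise ValueError(f"{req.rid}: unknown status {req.status!r}")


def compliance_score(record: list[Requirement]) -> int:
    """SPRS-style score: start at 110 and subtract every deduction."""
    return MAX_SCORE - sum(deduction(r) for r in record)


def meets_conditional_threshold(record: list[Requirement]) -> bool:
    return compliance_score(record) >= CONDITIONAL_THRESHOLD


def overdue_poam_items(record: list[Requirement], today: date) -> list[str]:
    """Gaps whose 180-day remediation window has already closed."""
    return [
        r.rid for r in record
        if deduction(r) and r.poam_opened is not None
        and today > r.poam_opened + timedelta(days=POAM_WINDOW_DAYS)
    ]


def assess(record: list[Requirement], today: date) -> dict:
    """One summary a CI job can fail on: score, threshold, overdue and untracked gaps."""
    return {
        "score": compliance_score(record),
        "conditional_ok": meets_conditional_threshold(record),
        "overdue": overdue_poam_items(record, today),
        # A gap with no POA&M entry is a documentation defect in its own right.
        "untracked": [r.rid for r in record if deduction(r) and r.poam_opened is None],
    }


# Constructed record. A real SSP lists all 110 requirements; this subset only
# shows the entries that affect the result. Weights are illustrative.
SSP_RECORD = [
    Requirement("3.1.1", 5, "implemented"),
    Requirement("3.1.20", 1, "not_implemented", date(2025, 12, 1)),
    Requirement("3.3.1", 5, "not_implemented", date(2025, 9, 1)),
    Requirement("3.4.3", 1, "not_applicable"),
    Requirement("3.5.3", 5, "partial", date(2025, 11, 15)),
    Requirement("3.8.3", 5, "not_implemented"),            # gap with no POA&M entry
    Requirement("3.11.2", 5, "not_implemented", date(2025, 6, 1)),
    Requirement("3.12.4", 5, "implemented"),
    Requirement("3.13.11", 5, "partial", date(2025, 12, 1)),
    Requirement("3.14.1", 5, "implemented"),
]
AS_OF = date(2025, 12, 10)   # constructed assessment date

if __name__ == "__main__":
    print(assess(SSP_RECORD, AS_OF))
```

With the constructed record the score lands exactly on 88, so the threshold check passes, but the run still surfaces one gap whose 180-day window expired (3.11.2) and one gap nobody entered in the POA&M (3.8.3); a pipeline gate should fail on either, which is the kind of check a static document cannot give you.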

3) Build compliance into procurement.

Create vendor risk assessment processes that evaluate CMMC readiness, FedRAMP authorization status and AI governance practices before signing contracts. For CMMC, ensure vendors provide Customer Responsibility Matrices documenting which NIST 800-171 controls they are responsible for.

4) Invest in your people.

Build exceptional compliance programs by upskilling existing staff. Send operations teams to CMMC training. Have developers learn secure coding for FedRAMP environments. Create AI literacy programs. Make compliance competency a core skill.

5) Prepare for continuous monitoring.

CMMC requires an annual affirmation of continued compliance in SPRS, and Level 2 certifications must be renewed through reassessment every three years. FedRAMP requires continuous monitoring. AI governance demands continuous bias testing. Invest in automation systems and tools like trust centers that are able to demonstrate your up-to-date security and compliance posture any day of the year.

The opportunity in the complexity

Despite the challenges, companies getting compliance right are winning work they couldn’t before. Defense contractors and small businesses can use CMMC certification to compete for prime contracts. Cloud service providers who achieve FedRAMP authorization can significantly accelerate their federal sales cycles, cutting months from procurement timelines. AI startups land pilots by demonstrating responsible AI practices.

The companies that thrive treat compliance as something they control, not something that happens to them. They build security-first cultures, invest in the right tools and training, and transform compliance from cost center to competitive advantage.

The best time to start was yesterday. The second-best time is today, because 2026 promises even more compliance complexity, and it’s coming faster than you think.

Shrav Mehta is the founder and CEO of Secureframe.

The post Getting ahead of CMMC, FedRAMP and AI Compliance before it gets ahead of you first appeared on Federal News Network.

© Federal News Network


The federal flood insurance program is key to stable housing markets, the shutdown revealed its fragility


Interview transcript

Terry Gerton Well, as we speak, the shutdown is at least temporarily over, but it left some major disruptions in its wake and one of those programs that we want to talk about today is the National Flood Insurance Program. Can I ask you first to tell us what that program is, but then also talk about how the shutdown and the extension of the shutdown affected that program?

Nicole Upano Sure. The National Flood Insurance Program is an important program for single-family home buyers as well as multifamily owners and operators. It is a backstop to ensure that borrowers have flood insurance even in areas where there is elevated risk, and private insurance companies may be less likely to offer coverage in that area without having some sort of elevated cost because of their risk. So it’s a very important program for many Americans.

Terry Gerton And it really provides stability in markets that are flood prone, right?

Nicole Upano That’s exactly right, Terry. It is an important program for many Americans. It provides stability in the market if there is a national disaster to ensure that money flows back into that community for rehabilitation and repair.

Terry Gerton And during the shutdown, NFIP’s borrowing authority dropped dramatically. What does that mean in terms of practical terms?

Nicole Upano That means that, as I had mentioned previously, this program is an important — or, flood insurance is an important part of home sales and multifamily sales. And without that borrowing authority, those purchases could not move forward since it is a contingency to home buying. And there also is that greater risk that if a natural disaster could occur, that there wouldn’t be an ability to fill those claims and push financing back into those communities.

Terry Gerton So the way that works then is in a disaster FEMA actually uses that borrowing authority to pay out the claims that it may receive. Is that correct?

Nicole Upano That’s right.

Terry Gerton So then how did the lapse in the NFIP operations affect home buyers who rely on that flood insurance to maybe close on a mortgage?

Nicole Upano We have certainly seen this across the federal government for many HUD-assisted or agency-assisted programs, that it put a pause in those home sales until the government is back up and running and doing the people’s business.

Terry Gerton So we’re in a continuing resolution now. Did the CR provide additional borrowing authority for FEMA through the National Flood Insurance Program?

Nicole Upano Yes, it sure did. It reauthorized it since September 30. And there is a piece of bipartisan legislation that was also offered that would reauthorize the program until 2026 to provide even greater certainty for homebuyers and renters across the country.

Terry Gerton Does that mean that folks who were kind of in limbo for the last 40+ days of the shutdown can renew their policies or maybe submit their claims? Does that open the window back up?

Nicole Upano Yes, it certainly does.

Terry Gerton I’m speaking with Nicole Upano. She’s the AVP for housing policy and regulatory affairs for the National Apartment Association. So, Nicole, let’s go back to this, the program itself, even with existing policies still active, there were some limits. What do policy holders need to know about their coverage, their claims, and their change in funding if we should find ourselves in another funding lapse, perhaps?

Nicole Upano Sure. So if someone had a valid policy during the shutdown, those remained valid throughout the shutdown. But if in terms of a new policy or a renewal, that’s where the rub would be, as well as potentially processing any claims, there would be limitations on that.

Terry Gerton Did you see any misconceptions or misunderstandings on the part of policy owners about what services and coverage would be available to them during the shutdown?

Nicole Upano NAA represents professionally-owned and managed housing across the country. And so they kept the shutdown and any implications very much top of mind and continue to use NAA as a resource to get the most up to date information.

Terry Gerton And so you’re dealing with apartment owners, condo owners, those kinds of things. What are some of their biggest questions when it comes to the NFIP program?

Nicole Upano Well, for our members, they are looking across the federal government at all the implications. For example, HUD and FHA, they provide financing and backing not just for affordable housing but for market rate housing as well. So there was an issue with those closings. And while Section 8 and USDA rural housing — you know, rural housing benefits for renters and their families in rural areas — while those benefits did benefit from an advanced appropriation, there was that similar issue, similar to the NFIP, that renewals and new applications could not be processed and there would have been payment uncertainty for those renters and their families. And so having government back up and running and doing the people’s business is important to both housing providers and renters to ensure the stability of those properties and that renters in those communities remain stable.

Terry Gerton NAA is obviously very sensitive to the real estate market, especially in flood prone or disaster prone areas. Beyond NFIP itself, what does this moment really reveal about the fragility of our disaster response programs and how people can get relief if they’re affected?

Nicole Upano Sure, that’s a great question. Many of the federal government’s housing programs are not mandatory appropriations. And we’ve seen that with other industries, that they are seeking now opportunities to have a backstop if and when this happens again to ensure that agencies can access reserves or that they can expand their budget authority in these times, knowing that eventually the government will be back up and running. And folks will be repaid.

Terry Gerton How should policymakers then or legislators be thinking about long-term resilience and continuity for programs like NFIP, especially as climate risks grow and shutdowns maybe remain a threat?

Nicole Upano We would certainly encourage policymakers to reevaluate whether some of these programs should have a mandatory appropriation so there won’t be disruptions. We never know what’s going to happen, certainly with climate risks and change across the country, and so having that certainty is critical.

Terry Gerton So what is NAA’s message then to housing providers and renters on navigating these kinds of disruptions? What do they do to stay informed? How do they make sure that they’re current? What’s your advice?

Nicole Upano Yeah, so NAA continued to release live updates on our website to our members. We continue to encourage our members to work with their residents as their business allows and provided them with resources and how to navigate those conversations. We were pleased to see that the CR does include a reversal of the RIFs that happened during the shutdown. And especially for folks in the DMV, this is extremely helpful to ensure there’s certainty for those residents and that housing providers can know they have a stop gap at the end of the day.

Terry Gerton And what are you hearing from lawmakers? Are they inclined to support those kinds of proposals?

Nicole Upano Yeah, as you can see from the bipartisan legislation to reauthorize the program in 2026, this program has long had bipartisan support. We just want to use this time to encourage policymakers to take that next step.

The post The federal flood insurance program is key to stable housing markets, the shutdown revealed its fragility first appeared on Federal News Network.

© The Associated Press

A member of the North Carolina Task Force urban search and rescue team wades through a flooded neighborhood looking for residents who stayed behind as Florence continues to dump heavy rain in Fayetteville, N.C., Sunday, Sept. 16, 2018. (AP Photo/David Goldman)

U.S. Navy orders drone boats from Saronic

The United States Navy has awarded Saronic a $392 million production contract to rapidly deliver drone boats under the Other Transaction Authority (OTA) framework. Secretary of the Navy John C. Phelan said nearly $200 million of that total has already been obligated, as the service pushes forward with a new model of fast-paced, open-competition procurement […]

Armed robot dog spotted during Ukrainian training drill

The Security Service of Ukraine (SBU) has released a new recruitment video featuring a robotic dog armed with an assault rifle. The promotional clip, published this week by the SBU, includes footage from tactical training exercises in which a quadrupedal unmanned ground vehicle, resembling a robotic dog, is seen maneuvering indoors and firing a rifle. […]

Ukrainian Air Force confirms loss of Su-27 fighter jet

A Ukrainian Su-27 fighter jet was lost during a combat mission on December 8 in the eastern region of the country, the Ukrainian Air Force confirmed in a public statement. “At noon on December 8, 2025, in the eastern direction, during the execution of a combat mission in a Su-27 aircraft, the senior navigator of […]