DoD’s System to Protect Classified Information Held by Contractors Is Under Strain
A recent GAO review found that DCSA, the agency responsible for clearing contractor facilities and personnel across roughly 90–95% of U.S. classified contracts, lacks the staffing and resources to conduct security assessments at the required frequency. Open recommendations remain unaddressed, and DoD has separately proposed expanding FOCI disclosure requirements to unclassified contracts, potentially impacting up to 37,740 contractors. Comments on that proposed rule are due July 6, 2026.
GovCon Takeaway: Defense contractors handling classified work should audit their security posture now, ensure DD Form 254 and NIST compliance documentation is current, and monitor DCSA developments closely.
Federal Acquisition Service Reorg Driven by Market Forces
GSA’s Federal Acquisition Service is restructuring after its revenue more than doubled over the past decade, reaching $115 billion in FY2025. Acting FAS Commissioner Laura Stanton cited shifting agency buying habits and direct industry feedback as the primary drivers, with the reorg targeting better alignment across business processes, IT systems, and contract vehicle management.
GovCon Takeaway: Contractors on GSA Schedules or other FAS-managed vehicles should monitor changes in how those vehicles are structured and engage their GSA contracting officer proactively to stay ahead of any transition.
House Lawmakers Seek More AI Transparency from the SBA
The House Small Business Committee unanimously advanced the SBA Artificial Intelligence Utilization Act, requiring the SBA to submit annual reports to Congress on its AI and machine learning use. The committee also advanced a bill clarifying that SBA 7(a) loans can be used to purchase AI tools, cloud services, and modern business software and a separate measure directing GAO to evaluate cybersecurity risks facing small businesses.
GovCon Takeaway: Small business contractors should explore the updated 7(a) loan eligibility as a financing path for technology upgrades and treat AI governance and cybersecurity readiness as baseline expectations going forward.
House NDAA Would Set Up Protected Disclosure Program for AI Incidents
A provision in the FY2027 NDAA would require DoD to establish a department-wide program for reporting, tracking, and remediating AI incidents and vulnerabilities, covering contractors across the full AI lifecycle from development through fielding. Contractors reporting in good faith would be explicitly protected from adverse contract action or retaliation.
GovCon Takeaway: Defense contractors building or operating AI systems for DoD should start developing internal AI incident tracking processes now, before any formal mandate takes effect.
OMB Replaces Biden-Era Cybersecurity Logging Memo with Risk-Based Approach
OMB Director Russell Vought issued Memo M-26-14, rescinding the post-SolarWinds Biden-era logging directive and replacing it with a risk-based approach focused on two priorities: Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response and Forensics (THIRF). CISA has 90 days to publish a Logging Reference Architecture, after which agencies must submit updated compliance plans.
GovCon Takeaway: Contractors providing IT, cybersecurity, or managed services to federal agencies should watch for the CISA Logging Reference Architecture, it will define the technical standards your solutions need to meet on agency engagements.
