Hoping to score a federal contract during the Trump years? Prepare your security plans now


Technical.ly, 17-02-2025

This is a guest post by Will Sweeney, managing partner at data privacy and cyber risk consulting firm Zaviant.
With a new administration in office, cybersecurity is likely to take center stage as national security efforts are prioritized.
As a result, expect stricter cyber policy from the US government, some of it with a direct impact on federal contractors. For example, the Pentagon recently published the final rule establishing the Cybersecurity Maturity Model Certification (CMMC) 2.0 program (32 CFR Part 170), solidifying its plan to start requiring certification in DOD contracts later this year.
To avoid business disruptions, it's essential that companies align their cybersecurity programs with evolving standards.
Here's how your business can strengthen its privacy and security program to stay secure and, ideally, land more government work in 2025 and beyond.
Document how you follow current protocols
Any contractor working with the US government should create and maintain a comprehensive system security plan (SSP). It's not just best practice: NIST SP 800-171 requires one (requirement 3.12.4), and for defense contractors that requirement is contractual through the acquisition clauses that incorporate the framework, DFARS 252.204-7012 for DOD work.
The SSP describes the system boundary where government data lives, how that data flows and is handled, and how each security requirement is met, or where it is not yet. It is the first thing an assessor asks for, and it is your evidence of due diligence if enforcement tightens.
Preparing the plan takes a few key steps: define the scope of the SSP (which systems, people and locations touch sensitive data), gather existing documentation, conduct a gap analysis, close the gaps you can, draft the SSP, then review and validate it.
Furthermore, prime contractors and the subcontractors that handle federal contract information or Controlled Unclassified Information (CUI) for them will need a Cybersecurity Maturity Model Certification (CMMC) level to do business with the Department of Defense (DOD). Having an SSP matters here: CMMC Level 2 assesses against NIST SP 800-171, which requires an SSP for any system where CUI is stored, processed or transmitted, and an assessment cannot be completed without one.
Check your current protocols against government best practices
Before tighter requirements arrive, every government contractor should take a serious look at its current program. This is best done through a gap analysis, an assessment that compares your existing security controls, requirement by requirement, against the standard you are contractually held to.
For example, defense contractors that handle CUI are already bound to NIST SP 800-171 under DFARS 252.204-7012, and CMMC adds verification of the same requirements. Revision 2 of the framework, the version DFARS and CMMC currently reference, lays out 110 security requirements in 14 families, covering everything from access control to incident response.
By assessing your company's compliance with these standards, you can identify any gaps or deficiencies in your security posture ahead of any upcoming changes.
Find out your SPRS score
Once you have a solid grasp of your security program's current state, it's time to focus on your Supplier Performance Risk System (SPRS) score.
The SPRS score comes from a self-assessment against NIST SP 800-171 using the DOD Assessment Methodology, which DFARS clauses 252.204-7019 and 252.204-7020 require defense contractors to perform and post to SPRS (252.204-7012 is the clause that requires the controls themselves). Scoring starts at 110, one point per requirement, and deducts 1, 3 or 5 points for each requirement that is not implemented, so the range runs from 110 down to -203. Contracting officers check SPRS for a current score when weighing the risk of awarding to your company.
A higher score indicates a stronger cybersecurity posture, and that will only matter more going forward. Without a current score posted (no older than three years), a DOD contracting officer cannot award a contract that carries those clauses, and CMMC Level 2 sets a floor: a conditional status requires at least 88 of 110, with the remaining gaps on a POA&M. The only way to raise the score is to close the gaps the assessment points out.
Outline a plan to fix any gaps and comply with future regulations
A gap analysis will almost certainly uncover areas where your security program falls short of government requirements. That is normal; what matters is addressing each gap through a Plan of Action and Milestones (POA&M), the document that serves as the roadmap: the remediation steps, the responsible parties and the deadlines for reaching compliance.
Prioritize actions by risk, and track milestones so you can demonstrate progress. The POA&M is particularly important for DOD contractors because it records exactly which gaps exist and when each will be closed, and because a requirement that is still on the POA&M is scored as not implemented until the fix is done. Under CMMC, Level 2 POA&M items must be closed within 180 days or the conditional certification expires.
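The two sections above talk about the SPRS score and the POA&M as if they were separate artifacts; in practice the second is derived from the first. The added example below, written for this page and not part of the author's post or any official DOD tool, scores a self-assessment the way the DOD Assessment Methodology does (110 minus the weight of every open requirement, with the two partial-credit cases), orders the open items into a POA&M by the points each gap costs, and applies a simplified version of the CMMC Level 2 conditional-status test. The weight table is an excerpt of the real one, the findings are constructed, and the owners and dates are placeholders.

```python
"""Added example: score a NIST SP 800-171 self-assessment the way the DoD
Assessment Methodology does (the number posted to SPRS) and turn the open
items into a POA&M ordered by how many points each gap costs."""
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the per-requirement weights from the DoD Assessment Methodology:
# every one of the 110 NIST SP 800-171 Rev 2 requirements is worth 1, 3 or 5
# points. Only a handful are listed here; the full table is in the methodology.
# Assumption for this toy: only these requirements appear in the findings.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.1.10": 1,   # session lock
    "3.3.1": 5,    # create and retain audit logs
    "3.3.2": 3,    # trace actions to individual users
    "3.5.3": 5,    # multifactor authentication
    "3.6.2": 3,    # track, document and report incidents
    "3.6.3": 1,    # test the incident response capability
    "3.11.2": 5,   # scan for vulnerabilities
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.2": 5,   # malicious code protection
}
# The methodology allows partial credit for exactly two requirements: MFA in
# place for remote and privileged users but not general users (3.5.3), and
# encryption in place but not FIPS-validated (3.13.11). Each loses 3, not 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
MAX_SCORE = 110           # 110 requirements, all implemented
CMMC_L2_CONDITIONAL = 88  # 80% of 110: floor for a conditional Level 2 status


@dataclass(frozen=True)
class Finding:
    req: str
    status: str        # "implemented", "partial" or "not_implemented"
    owner: str = ""    # POA&M fields: who owns the fix and by when
    due: str = ""


def req_key(req: str):
    """Sort 3.1.8 before 3.13.11 numerically rather than as strings."""
    return tuple(int(p) for p in req.split("."))


def deduction(f: Finding) -> int:
    """Points lost for one finding; 0 when fully implemented."""
    if f.req not in WEIGHTS:
        raise KeyError(f"{f.req}: not in the weight table")
    if f.status == "implemented":
        return 0
    if f.status == "not_implemented":
        return WEIGHTS[f.req]
    if f.status == "partial":
        if f.req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{f.req}: partial credit exists only for "
                             f"{sorted(PARTIAL_DEDUCTION)}")
        return PARTIAL_DEDUCTION[f.req]
    raise ValueError(f"{f.req}: unknown status {f.status!r}")


def sprs_score(findings: List[Finding], have_ssp: bool = True) -> Optional[int]:
    """Start at 110 and subtract the weight of every open item. A POA&M item is
    still open: it counts as not implemented until the fix is done. Without an
    SSP (requirement 3.12.4, itself unscored) there is no assessment at all."""
    if not have_ssp:
        return None
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam(findings: List[Finding]) -> List[Finding]:
    """Open items, most expensive first: the order to work the POA&M in."""
    return sorted((f for f in findings if deduction(f) > 0),
                  key=lambda f: (-deduction(f), req_key(f.req)))


def cmmc_l2_conditional_ok(findings: List[Finding]) -> bool:
    """Simplified CMMC Level 2 conditional-status test: score at or above 88,
    and nothing on the POA&M worth more than 1 point, except 3.13.11 at its
    partial-credit value. (The rule also bars a few named requirements from
    any POA&M; that list is left out of this toy check.)"""
    score = sprs_score(findings)
    if score is None or score < CMMC_L2_CONDITIONAL:
        return False
    for f in poam(findings):
        allowed = 3 if f.req == "3.13.11" else 1
        if deduction(f) > allowed:
            return False
    return True


# Constructed findings from a hypothetical self-assessment (not real data).
SAMPLE_FINDINGS = [
    Finding("3.1.1", "implemented"),
    Finding("3.5.3", "partial", owner="IT ops", due="2025-04-30"),
    Finding("3.13.11", "not_implemented", owner="Platform", due="2025-06-30"),
    Finding("3.1.8", "not_implemented", owner="IT ops", due="2025-03-15"),
    Finding("3.6.3", "not_implemented", owner="Security", due="2025-05-01"),
    Finding("3.14.2", "implemented"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))
    for f in poam(SAMPLE_FINDINGS):
        print(f"  -{deduction(f)}  {f.req:<8} {f.status:<16} {f.owner} {f.due}")
    print("CMMC L2 conditional eligible:", cmmc_l2_conditional_ok(SAMPLE_FINDINGS))
```

On the constructed findings the score is 100 (110 minus 3 for partial MFA, 5 for non-FIPS crypto, and 1 each for lockout and IR testing), which clears the 88 floor, yet the company is not eligible for a conditional Level 2 status because the 5-point crypto gap is on the POA&M. Moving 3.13.11 to partial credit (encryption in place, FIPS validation pending) is what changes the answer, which is exactly the kind of sequencing decision the POA&M should make visible.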
Follow through on your plans to improve
Once your POA&M is in place, work through it: address the gaps identified during the assessment, execute the corrective actions, then re-run the self-assessment and post the updated score to SPRS.
Raising security maturity also means regularly reviewing and refining policies and procedures as regulations change, automating evidence collection where possible to streamline compliance work, training staff on security basics, and engaging third-party assessors to test the effectiveness of your program before an official assessment does.
Make sure your other vendors are in compliance, too
Government contractors are responsible not only for their own data security but also for that of the third-party vendors they engage to support their business. Flowing down government requirements is crucial: DFARS 252.204-7012 must be flowed to any subcontractor that handles CUI, and those subcontractors need their own SPRS score and, as CMMC phases in, their own certification at the level the data demands.
To accomplish this, clearly communicate security expectations to vendors, verify rather than merely ask that those handling CUI have implemented NIST SP 800-171 and other relevant frameworks, write the compliance requirements into contracts, and limit what each vendor actually receives so the footprint of CUI across your supply chain stays as small as possible.
