Government-Wide Technology Funding and Measurement in Flux

Posted on by

For more than a decade, the Federal Information Technology Acquisition Reform Act (FITARA) and the Technology Modernization Fund (TMF) have served as twin pillars of accountability and investment. Together, they helped move federal IT away from fragmented decision-making and aging systems toward a more strategic, enterprise-focused approach.

However, both programs are in a sort of holding pattern while Congress decides on 2026 funding, and while it re-examines how best to measure the agency IT modernization process against the quickly evolving tech environment and ongoing changes in the current administration's goals. Continue reading

Exploring the State of State and Local Cyber Resources

Posted on by

State and local organizations are highly targeted by cyber criminals due to the value of the data they hold and the criticality of the systems they operate. In 2024, there were over 40,000 potential cyber attacks targeting state, local, and tribal governments. Despite this very real threat, these same organizations are largely underfunded and understaffed when it comes to cyber protection.

The federal government has looked to fill this gap between risk and preparedness. The State and Local Cybersecurity Grant Program (SLCGP) was established under the Infrastructure Investment and Jobs Act of 2021, providing (when combined with the Tribal Cybersecurity Grant Program) $1 billion in funding available over four years for state, local, tribal, and territorial cybersecurity efforts. This program ended at the close of the 2025 government fiscal year but received a short-term extension under the stopgap funding agreement that reopened the government in November 2025. Continue reading

Acquisition Impacts of the 2026 National Defense Authorization Act (NDAA)

Posted on by

The 2026 National Defense Authorization Act (NDAA) was passed by both houses of Congress and signed by the President. It authorizes $900 billion in spending and includes significant reforms to the acquisition process, impacting how that money is spent.

Provisions in the NDAA that impact acquisition include: Continue reading

2026 Government Event Trends

Posted on by

The government market has seen an unprecedented level of change in the past year. From integrating new technologies to adapting to new policies, government professionals need opportunities for collaboration and learning now more than ever. The event market has been adapting to all of these changes; here are some key trends we're keeping an eye on for 2026.

Shutdown and Travel Restrictions

The disruption of extended government shutdown threw a wrench in carefully crafted event plans. The annual meeting of the Association of the United States Army (AUSA), drawing 40,000 attendees, was scheduled as always, in the middle of October. Alex Brody, AUSA's director of events, shares, "We had 12-14 months to plan the event and then had two weeks to create alternatives and contingency plans." In the end, the event had full participation in terms of speakers and attendees. Brody is thankful that they now have solid contingency plans in place for any future disruptions, stating, "We now know how to operate in a shutdown."

Continue reading

Tracking the Rollout of CMMC

Posted on by

The Cybersecurity Maturity Model Certification (CMMC) is a framework that requires companies contracting with the Department of Defense (DoD) to meet security standards based on the sensitivity of the data they manage. These standards, based on the National Institute of Standards and Technology's (NIST) SP 800-171 standard, have been in place for eight years, but CMMC further formalizes compliance.

As of November 10, 2025, Defense agencies now require at least a Level 1 certification to award any new contract. To meet this requirement, companies must self-certify that they comply with 15 controls--specified by 800-171--that cover basic cyber hygiene. Next November 10 (in 2026), DoD will require that Level 2 status for contracts dealing with Controlled Unclassified Information (CUI), which currently can be self-assessed, be verified through a third-party assessment of compliance with all 110 controls in the NIST standard. Then in 2027, contracting officers can start requiring those seeking Level 3 certification to undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center. A Level 3 requirement would apply to technology dealing with highly sensitive data or systems, where a breach could have far-reaching impact. Continue reading