Cybersecurity Updates at Department of Defense

The Department of Defense is actively reshaping its cybersecurity posture through leadership restructuring, operational integration of cyber and AI security, and tightened compliance protocols. Notably, the Senate Armed Services Committee's proposal to create an Undersecretary of Defense for Cyber, Information, and Networks signals a major shift in governance that will affect procurement strategies. Meanwhile, DoD's emphasis on NSA CSfC-compliant data protection and the clarified dual submission requirements in SPRS for NIST SP 800-171 and CMMC assessments are critical for contractors to understand.

Market Analysis

The DoD cybersecurity procurement landscape is influenced by several key developments:

Frequently Asked Questions

What impact will the proposed Undersecretary of Defense for Cyber have on DoD cybersecurity contracts?

The creation of this new Undersecretary position is intended to unify cyber, IT, and AI leadership within DoD, potentially streamlining acquisition processes and consolidating contract requirements. Contractors should monitor solicitations for changes in governance that may affect contract vehicles, evaluation criteria, and points of contact.

How does the integration of cybersecurity into AI and kinetic operations affect contractor requirements?

DoD's strategic shift to treat cyber and physical domains as interconnected battlefields increases demand for solutions that secure AI systems and mission data. Contractors must ensure compliance with NSA CSfC encryption standards and demonstrate capabilities in layered data-at-rest protection to meet these evolving operational needs.

What are the new SPRS submission requirements for cybersecurity assessments?

Contractors must submit two separate items in SPRS: the NIST SP 800-171 self-assessment score and, for CMMC Level 1 and 2, a distinct affirmation of the CMMC assessment. The affirmation is mandatory for CMMC but not for NIST self-assessments. Authorizing Officials must be properly authorized and trained to complete affirmations to avoid invalid submissions.

How should contractors prepare for CISA's Binding Operational Directive 26-04?

This directive requires federal agencies to prioritize vulnerability remediation based on risk, focusing on known exploited vulnerabilities. Contractors providing cybersecurity services should align their solutions with risk-based patching strategies and demonstrate capabilities in AI threat management and vulnerability prioritization.

What opportunities arise from the Oracle $400 million HR IT modernization contract?

While primarily an HR IT modernization effort led by OPM, this 10-year contract signals federal interest in large-scale system integration and modernization. Cybersecurity contractors with expertise in securing complex federal IT environments may find subcontracting or partnership opportunities within this program, especially related to protecting sensitive personnel data.

Recent Signals

Federal News

DoD Launches Post-Quantum Cryptography Strategy

🔒 Cybersecurity 🤖 Artificial Intelligence 📜 Policy 🛡️ Defense & Military 💻 Information Technology

The Department of Defense (DoD) and Department of War (DoW) have jointly released a comprehensive Post Quantum Cryptography (PQC) Strategy aimed at securing military communications and command systems against emerging quantum computing threats. The strategy targets full deployment of quantum-resistant cryptographic solutions across all high-impact systems by 2030 and the entire force by 2031. It emphasizes accelerated procurement of commercial PQC technologies, centralized governance for acquisitions, and enhanced collaboration with the Defense Industrial Base to meet forthcoming Federal Acquisition Regulation compliance requirements. Additionally, the DoD is expanding its cybersecurity workforce through a new Cyber Registered Apprenticeship Program focused on skills-based hiring to support these modernization efforts.

  • Why this matters: This strategy signals significant upcoming procurement opportunities for contractors specializing in quantum-resistant cryptography and cybersecurity solutions.
  • Agencies and contractors should prepare for accelerated acquisition timelines and centralized oversight mechanisms that will shape contract awards through 2031.
  • The emphasis on workforce development indicates potential demand for training and apprenticeship program support services within the defense cybersecurity sector.
  • Organizations should align their offerings with Federal Acquisition Regulation updates related to PQC compliance to remain competitive in defense contracting.

Federal News

DoD Strengthens DIB Cybersecurity Compliance

🔒 Cybersecurity 🛡️ Defense & Military 💻 Information Technology

The Department of Defense (DoD) continues to advance cybersecurity requirements for the Defense Industrial Base (DIB) through the Cybersecurity Maturity Model Certification (CMMC) framework. This framework requires contractors to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across all supplier networks. Carahsoft, serving as a key distributor and integrator, offers a comprehensive portfolio of CMMC-compliant technology solutions spanning all maturity levels and domains. Procurement professionals and contractors should engage with Carahsoft's offerings and expertise to ensure alignment with evolving DoD cybersecurity mandates and to strengthen their compliance posture.

  • Why this matters: The CMMC framework is a critical compliance requirement for DoD contractors, impacting contract eligibility and information security standards.
  • Carahsoft's role as a trusted distributor provides streamlined access to vetted cybersecurity products and services tailored for CMMC compliance.
  • Organizations should leverage Carahsoft's subject matter experts and solution portfolio to address unique IT environment challenges and prepare for upcoming compliance deadlines.
  • Procurement teams can benefit from established vendor partnerships and resources to support cybersecurity readiness across all CMMC domains and maturity levels.

Federal Analysis

CISA Advances Integrated Cybersecurity Defense

🔒 Cybersecurity 💻 Information Technology

The Cybersecurity and Infrastructure Security Agency (CISA) is shifting federal cybersecurity strategy from deploying isolated point solutions to implementing an integrated, full-spectrum defense system. This strategic evolution aims to enhance visibility, coordination, and intelligence sharing across federal civilian agencies to better counter increasingly sophisticated cyber threats. Contractors with expertise in cybersecurity integration, rapid prototyping, and compliance with federal mandates such as FedRAMP and FISMA are positioned to support this transition and meet emerging agency requirements.

  • CISA's focus on integration indicates growing demand for vendors capable of delivering interoperable cybersecurity solutions rather than standalone tools.
  • Procurement professionals should anticipate requirements emphasizing comprehensive defense architectures, continuous diagnostics, and vulnerability management.
  • Companies with experience in federal cybersecurity compliance frameworks will have competitive advantages in upcoming solicitations.
  • This shift signals opportunities for contractors to engage in rapid prototyping and collaborative development to enhance federal cyber resilience.

Federal News

DoD Restructures Cyber and AI Leadership

🔒 Cybersecurity 🤖 Artificial Intelligence 🛡️ Defense & Military 💻 Information Technology

The Department of Defense is undertaking significant organizational changes to unify and strengthen its cyber, IT, and artificial intelligence leadership. The Senate Armed Services Committee (SASC) has proposed creating a new Undersecretary of Defense for Cyber, Information, and Networks to consolidate the roles of CIO and principal cyber advisor, aiming to reduce fragmentation and improve integration across cybersecurity, IT, and AI efforts. Concurrently, the DoD has realigned the Chief Digital and Artificial Intelligence Office (CDAO) under the Office of the Under Secretary for Research and Engineering to better align AI initiatives with research and engineering functions. The House Armed Services Committee (HASC) also supports a Pentagon review to enhance accountability and alignment in cyber and IT operations. These changes reflect a strategic shift to streamline leadership and oversight of digital transformation and AI capabilities within the DoD.

  • Procurement professionals should anticipate evolving requirements and potential new contract vehicles as the DoD integrates cyber, IT, and AI functions under unified leadership.
  • Vendors specializing in cybersecurity, AI, and IT services may find emerging opportunities aligned with the new organizational structure and priorities.
  • Contracting officers should prepare for updated acquisition strategies that reflect the consolidated oversight and enhanced coordination of digital and cyber programs.
  • Organizations supporting DoD digital transformation should evaluate how these leadership changes impact program management, funding streams, and collaboration across research, engineering, and operational units.

Federal News

DoD Approves Hack The Box Cybersecurity Training

🔒 Cybersecurity 🛡️ Defense & Military

The Department of Defense's Chief Information Officer has officially approved Hack The Box's Defensive Operations Analyst certificate under the Cyber Workforce Framework 8140. This endorsement confirms that the training platform meets DoD cybersecurity workforce standards, positioning it as a recognized resource for defense-related cybersecurity education and workforce development.

  • Why this matters: DoD contractors and training providers can leverage this approval to align their workforce development programs with DoD standards, enhancing eligibility for defense contracts requiring certified cybersecurity personnel.
  • Organizations supporting defense cybersecurity initiatives should consider integrating Hack The Box training to meet mandated workforce certification requirements.
  • This approval signals growing emphasis on standardized cybersecurity training within DoD, potentially increasing demand for compliant training solutions and related services.
  • Procurement professionals should evaluate opportunities to incorporate approved training platforms like Hack The Box into contract requirements and workforce development strategies.

Federal News

Senate Advances DoD Cyber Workforce Retention Measures

🔒 Cybersecurity 🛡️ Defense & Military

The Senate Armed Services Committee's fiscal 2027 defense policy bill introduces expanded authorities aimed at attracting and retaining cybersecurity talent within the Department of Defense. Key provisions include easing personnel transfers between cyber excepted and competitive service positions, shortening probationary periods, limiting civilian workforce reductions, enhancing telework transparency, and piloting programs to retain high-performing managers. The bill also grants pay-setting authority to address labor shortages in the defense industrial base. Despite these legislative efforts, feedback from cyber professionals highlights ongoing challenges such as insufficient raises, limited telework options, and increased workloads due to prior workforce reductions, which continue to impact recruitment and retention negatively.

  • Why this matters: Procurement professionals should anticipate evolving workforce policies that may affect contract staffing requirements and labor market dynamics within defense cybersecurity projects.
  • The bill's pay-setting authority and retention initiatives signal potential shifts in compensation structures, influencing contractor labor costs and talent availability.
  • Enhanced telework policies and workforce stability efforts may improve contractor workforce flexibility and reduce turnover risks.
  • Organizations supporting DoD cybersecurity missions should evaluate how these legislative changes impact workforce planning, contract proposals, and compliance with evolving personnel policies.

Federal News

New Relic Pursues FedRAMP High and DoD IL4 Authorizations

🔒 Cybersecurity ☁️ Cloud Services 💻 Information Technology

New Relic has committed to achieving FedRAMP High and Department of Defense Impact Level 4 (IL4) authorizations for its platform hosted on AWS GovCloud. This initiative aims to enhance security and compliance capabilities to support highly regulated government workloads, including sensitive cloud migration and AI monitoring applications. The authorization process involves collaboration with FedRAMP advisory and assessment partners, positioning New Relic to provide standardized observability solutions for mission-critical federal systems.

  • Why this matters: Achieving FedRAMP High and DoD IL4 authorizations enables New Relic to meet stringent federal security requirements, expanding opportunities to serve agencies with sensitive and classified workloads.
  • Government procurement professionals should consider New Relic's enhanced compliance posture when evaluating observability and monitoring solutions for cloud-native environments.
  • Contractors and vendors supporting cloud migration and AI applications in federal agencies may find increased demand for integrated, secure monitoring platforms compliant with FedRAMP and DoD standards.
  • This development signals a broader trend toward securing digital infrastructure with standardized, high-assurance cloud services tailored to federal mission needs.

Federal News

SASC Advances Contractor Cyber Operations Pilot

🔒 Cybersecurity 🛡️ Defense & Military 💻 Information Technology

The Senate Armed Services Committee (SASC) has advanced a provision to authorize a pilot program enabling the Department of Defense to engage civilian contractors in conducting cyber operations aimed at gaining access to target systems under the operational control of United States Cyber Command (CYBERCOM). This initiative seeks to leverage private sector innovation and infrastructure to enhance U.S. cyber capabilities and better compete with adversaries such as China, which maintains a larger cyber workforce. The pilot program represents a significant shift in DoD cyber operations strategy by potentially expanding contractor roles into offensive cyber activities, raising important considerations around legal frameworks, oversight mechanisms, and adherence to international norms.

  • Why this matters: Procurement professionals should anticipate new contracting opportunities related to cyber operations support services under this pilot, which may require specialized cybersecurity expertise and compliance with evolving legal and operational standards.
  • The initiative signals increased demand for contractors capable of supporting offensive cyber missions, potentially broadening the market for cybersecurity firms with advanced capabilities.
  • Organizations should prepare for rigorous oversight and legal compliance requirements as the pilot program develops, impacting proposal strategies and contract management.
  • This development may influence future DoD cyber acquisition strategies, emphasizing partnerships with private sector entities to augment government cyber workforce capacity.

Federal News

Senators Propose DoD Commissary Access Pilot

💰 Grants & Funding 📜 Policy 🛡️ Defense & Military

Senators have introduced a pilot program proposal within the 2027 defense policy bill to allow Department of Defense (DoD) civilian employees access to military commissaries for grocery shopping. This initiative aims to extend cost-saving benefits traditionally reserved for military personnel and their families to DoD civilian staff, contingent on assessments of cost-effectiveness and operational impact. The pilot's success could lead to permanent policy changes enhancing civilian workforce support without compromising commissary operations or troop readiness.

  • This proposal signals potential changes in DoD procurement and supply chain management related to commissary operations, requiring adjustments in vendor contracts and inventory planning.
  • Procurement professionals should anticipate new requirements for commissary service providers to accommodate increased user eligibility and possibly expanded service scopes.
  • Contractors and vendors serving military commissaries may find opportunities to support expanded logistics, inventory, and point-of-sale systems tailored to a broader customer base.
  • Agencies and stakeholders should monitor legislative progress and pilot outcomes to align procurement strategies with evolving DoD workforce support policies.

Federal News

DOE Advances Formal Methods Cybersecurity Project

🔒 Cybersecurity 🤖 Artificial Intelligence 🛡️ Defense & Military 💻 Information Technology

The U.S. Department of Energy (DOE) has initiated a three-year, $10 million cybersecurity project in partnership with Idaho National Laboratory and New Zealand-based firm Kry10 to develop and implement formal methods, a mathematics-based approach, to defend critical infrastructure against AI-driven cyber threats. This initiative reflects a growing shift in federal agencies and allied governments toward proactive, mathematically rigorous cybersecurity solutions, moving beyond traditional reactive AI-versus-AI defenses. The project aligns with similar pilot programs by the U.S. Air Force and DARPA, and funding efforts in the UK and Germany, signaling increased government investment in advanced cybersecurity technologies for defense and critical infrastructure protection.

  • Why this matters: Procurement professionals should note the rising demand for formal methods expertise and solutions in federal cybersecurity contracts, especially within DOE and defense sectors.
  • The $10 million DOE project offers opportunities for contractors specializing in formal verification, secure operating systems, and AI-resilient cybersecurity technologies.
  • Agencies are prioritizing mathematically verifiable security approaches to address vulnerabilities exposed by AI-enabled attacks, indicating a strategic procurement trend.
  • Companies should evaluate partnerships and innovation strategies to align with government initiatives emphasizing formal methods and proactive cybersecurity frameworks.
