NSA Updates Zero Trust Guidelines

HM Revenue & Customs (HMRC) has initiated a consultation proposing enhanced reporting requirements for close companies and their participators, including directors of contractor limited companies. The proposed changes aim to modernize the reporting framework to provide HMRC with clearer visibility into financial transactions such as salaries, dividends, loans, and other value transfers. This signals a potential shift toward increased scrutiny and regulatory controls on remuneration structures commonly used by contractor directors, particularly the low-salary, high-dividend approach.

• Procurement professionals and contractors should anticipate evolving compliance obligations that may affect contractor company financial reporting and tax planning.
• Organizations providing payroll, tax advisory, and compliance services may see increased demand for expertise in navigating the new reporting requirements.
• This development indicates a government focus on transparency and control over director remuneration, which could influence contract structuring and contractor engagement strategies.
• Businesses operating in or with UK-based contractor limited companies should evaluate the impact of these proposals on their financial and contractual arrangements.

The Air Force District of Washington is conducting a Virtual Industry Day on March 27, 2026, to engage potential contractors for the A10 Strategic Plans and Policy Support Services (SPPSS) contract opportunity. This procurement involves an IDIQ contract under the OASIS+ schedules (UR and SB) to provide strategic planning, policy analysis, program management, and related support services requiring high-level security clearances. Performance will primarily occur at Joint Base Andrews, Maryland, with additional work at multiple Air Force bases and federal locations. This event is critical for vendors interested in supporting Air Force strategic policy, arms control, nuclear enterprise, counter-WMD efforts, and cybersecurity initiatives.

• The contract opportunity spans multiple Air Force installations including Joint Base Andrews (MD), Langley AFB (VA), Wright-Patterson AFB (OH), Peterson AFB (CO), and Hurlburt Field (FL), indicating a geographically distributed scope.
• The requirement emphasizes high-level strategic and policy expertise, including international treaties, deterrence education, and compliance oversight, necessitating cleared personnel.
• Procurement professionals should note the use of OASIS+ UR and SB schedules, which may influence proposal strategies and subcontracting opportunities.
• Interested vendors must contact Timothy Prymak at timothy.prymak@us.af.mil to receive invitations and further details for the March 27 Virtual Industry Day.

Federal agencies are actively confronting a critical shortage of skilled Microsoft Azure professionals necessary for advancing cloud modernization and enhancing cybersecurity capabilities. To mitigate this challenge, agencies are advised to implement targeted role-based training programs, establish internal Centers of Excellence to foster knowledge sharing, engage in strategic partnerships for expertise transfer, and adopt automation technologies to optimize limited human resources.

• Why this matters: Addressing the Azure skills gap is essential for successful cloud deployments and cybersecurity resilience within federal IT environments.
• Agencies should prioritize investments in workforce development and collaborative frameworks to build sustainable cloud expertise.
• Technology vendors and service providers can leverage this demand by offering tailored training, automation tools, and partnership opportunities.
• Procurement professionals should consider these strategic approaches when evaluating cloud modernization contracts and workforce support services.

The 2026 Womble Bond Dickinson Client Survey reveals that AI governance and regulatory uncertainty are the foremost concerns for organizations adopting artificial intelligence technologies. Despite fragmented and evolving regulations across federal, state (including California, Texas, Illinois, New York), and international (European Union) jurisdictions, businesses continue to implement AI while facing challenges in compliance, risk management, and operational integration. The survey emphasizes that AI governance is now an immediate operational requirement rather than a future consideration, underscoring the need for disciplined governance frameworks to manage risks and capitalize on AI's value in the emerging Algorithm Economy.

• Procurement professionals should recognize the increasing demand for AI governance frameworks and compliance solutions that address multi-jurisdictional regulatory environments.
• Contractors offering AI-related services must incorporate robust risk management and governance capabilities to meet client expectations and regulatory demands.
• Organizations can leverage this insight to prioritize investments in AI governance tools and consulting services to support disciplined decision-making and operational compliance.
• Awareness of state-level regulatory variations (e.g., California, Texas, Illinois, New York) and international standards (EU) is critical for tailoring procurement strategies and contract requirements.

The General Services Administration (GSA) has updated its IT Security Procedural Guide to mandate that government contractors comply with the latest NIST SP 800-171 Revision 3 cybersecurity standards for handling controlled unclassified information (CUI). This update introduces nine critical "showstopper" requirements, enforces a strict one-hour incident reporting deadline for both suspected and confirmed cybersecurity incidents, and requires the use of independent assessors to verify compliance. These changes significantly raise the bar for contractor cybersecurity obligations and directly affect eligibility for GSA procurement opportunities.

• Contractors working with GSA must implement the new NIST SP 800-171 Rev 3 standards, including the nine critical requirements, to maintain contract eligibility.
• The one-hour incident reporting mandate requires rapid internal processes and readiness to report incidents to GSA via the designated email (GSA-IR@gsa.gov).
• Independent assessments are now required, increasing the need for third-party cybersecurity validation and potentially impacting contractor costs and timelines.
• Procurement professionals should update acquisition strategies and compliance monitoring to align with these enhanced cybersecurity mandates, ensuring contractors meet the stricter requirements to avoid disqualification.

The Department of Veterans Affairs (VA) is organizing an in-person Medical/Surgical Prime Vendor (MSPV) Personal Protective Equipment (PPE) Industry Day on May 12, 2026, at the Fairview Marriott in Falls Church, Virginia. This event is designed to engage suppliers, manufacturers, and distributors to discuss VA's PPE procurement needs and processes under the MSPV program. It offers an opportunity for industry participants to collaborate directly with VA officials, learn about upcoming PPE requirements, and showcase innovative products that could support VA healthcare facilities nationwide.

• Why this matters: Procurement professionals and contractors specializing in PPE should consider participating to gain direct insights into VA's sourcing strategies and upcoming contract opportunities.
• The event facilitates networking with key VA contacts, including Matthew McDonell and Sarah Scott, who are points of contact for registration and program details.
• Companies can leverage this engagement to align their product offerings with VA's evolving PPE needs, potentially increasing their competitiveness in future MSPV solicitations.
• Attendance supports understanding of VA's procurement timelines and compliance expectations, aiding strategic planning for government contracting in the healthcare supply sector.

The General Services Administration (GSA) has extended the public comment deadline to April 3, 2026, for its proposed artificial intelligence (AI) acquisition clause (552.239-7001) intended for inclusion in the Multiple Award Schedule (MAS) Refresh 31. This draft clause represents the first federal acquisition regulation specifically targeting AI systems, imposing comprehensive requirements on contractors regarding data ownership, licensing, disclosure, and government rights to AI use. Industry stakeholders have expressed significant concerns about the clause's broad scope, stringent government-unique provisions, immediate implementation timeline without a phase-in period, and contractor liability extending to subcontractors. These concerns have prompted GSA to delay the clause's inclusion in the upcoming MAS refresh to gather further industry input.

• Why this matters: Procurement professionals and contractors should prepare for potential new compliance obligations related to AI procurements under MAS contracts, including data and IP rights management.
• The clause signals a major shift in federal AI governance, emphasizing government control and oversight that may affect contract negotiations and risk management.
• Companies providing AI products or services to federal agencies should evaluate their current agreements and readiness to meet these requirements, especially given the lack of a phase-in period.
• Industry feedback during the extended comment period could influence the final clause terms, making active engagement critical for stakeholders seeking to shape AI acquisition policies.

The US Federal Government, under the Trump Administration, has implemented a new National Cyber Strategy emphasizing proactive and offensive cyber operations alongside enhanced collaboration with private sector partners. This strategic shift moves beyond traditional deterrence to active defense and response, aiming to strengthen national cybersecurity posture. Industry experts at the RSAC 2026 Conference and other forums have recognized tangible improvements resulting from this approach, highlighting increased government-private sector cooperation and a more muscular federal cyber posture.

• Procurement professionals should note the growing demand for cybersecurity solutions that support offensive and defensive capabilities aligned with federal strategy.
• Vendors with expertise in advanced cyber defense, threat intelligence, and government collaboration stand to benefit from expanded contracting opportunities.
• Organizations should evaluate how this strategy impacts federal cybersecurity requirements and consider aligning proposals with the emphasis on active defense and public-private partnerships.
• The strategy's focus on interagency cooperation indicates potential for multi-agency contracts and integrated cybersecurity service offerings.

The UK Government has introduced its strongest reforms in over 25 years to address late payments to contractors, particularly benefiting small businesses. Effective immediately, large firms are capped at a 60-day payment term, must pay mandatory interest on late payments, and the Small Business Commissioner is empowered with enhanced investigative and fining authority to enforce compliance. These measures aim to improve cash flow reliability for contractors and subcontractors across the UK construction and service sectors.

• Procurement professionals should anticipate stricter enforcement of payment timelines and prepare for potential contract adjustments to comply with the 60-day payment cap.
• Contractors and suppliers can expect improved protections and faster payments, reducing financial risk and improving operational stability.
• Organizations working with UK government contracts should review payment terms and ensure alignment with the new regulations to avoid penalties.
• The enhanced role of the Small Business Commissioner signals increased oversight and potential fines for non-compliance, emphasizing the importance of transparent payment practices.

Several key vendors including Albany International, Sonepar USA, and Ames Federal Contracting Group have achieved Cybersecurity Maturity Model Certification (CMMC) Level 2, demonstrating their compliance with Department of Defense cybersecurity requirements. These certifications validate their ability to protect Controlled Unclassified Information (CUI) and support federal and defense-related contracts requiring enhanced cybersecurity measures.

• Why this matters: Achieving CMMC Level 2 is mandatory for contractors handling sensitive DoD information, positioning these vendors to compete effectively for defense and federally regulated contracts.
• Procurement professionals should prioritize vendors with CMMC Level 2 certification to meet DoD cybersecurity mandates and reduce supply chain risk.
• Contractors and subcontractors can leverage these certifications to expand opportunities in defense manufacturing, critical infrastructure, and federal projects.
• Organizations should consider integrating CMMC requirements into procurement evaluations and contract award criteria to ensure compliance with evolving cybersecurity standards.