Step 1: Review NIST SP 800-171 Requirements

Understand the security controls and identify any compliance gaps.

Step 2: Create a System Security Plan (SSP)

Document how your organization implements required security controls.

Step 3: Enable Multi-Factor Authentication

Ensure MFA is enabled for all users accessing controlled information.

Step 4: Conduct Internal Assessments

Review policies, procedures, and technical controls regularly.

Step 5: Track Remediation Activities

Maintain a Plan of Action and Milestones (POA&M) for identified gaps.

Conclusion

Early preparation helps reduce assessment risks and improves overall cybersecurity readiness.

In this issue:

Featured Federal Architect Article

5 Steps to Prepare for a CMMC Level 2 Assessment

Read the full article:

https://federalarchitect.citrusdev.com/2026/06/09/5-steps-to-prepare-for-a-cmmc-level-2-assessment/

## Key Updates

• New guidance and discussions continue across the Defense Industrial Base regarding CMMC implementation.

• Contractors should review their System Security Plans (SSPs) and Plan of Action & Milestones (POA&Ms) to ensure readiness.

• Organizations pursuing CMMC Level 2 should verify that required NIST SP 800-171 controls are documented and implemented.

## Compliance Tip of the Week

Conduct an internal review of access control policies and multi-factor authentication settings.

## Recommended Reading.

Read the latest articles on Federal Architect covering:

- CMMC Readiness

- Defense Cybersecurity

- Federal Compliance

## Next Week

We will cover:

- CMMC Assessment Preparation

- SSP Best Practices

- Common Compliance Gaps

Thank you for subscribing to The Federal Architect.

Become a paid subscriber to get access to the rest of this post and other exclusive content.

Subscribe

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

$14.8B

Redirected across three program elements

— DoD R-1, FY27 PBR

The 8(a) pattern hiding inside the consolidation

Read against the last six months of sole-source 8(a) awards above the simplified acquisition threshold, the picture sharpens further. Twelve awards, one prime, three contracting offices — a concentration ratio that has not been this tight at the program-element level since FY19.

“Everybody is reading the request like it’s a budget document. It is a sourcing document. The dollars are decided. What is being decided right now is who gets to compete.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 budget cycle are larger than anything we have written about in the past twelve months.

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

12 of 412

Sole-source 8(a) defense IT awards to one vendor, last 6 months

— FPDS, pulled 2026-05-10

Why this concentration is structurally interesting

Twelve awards to one vendor across three contracting offices is not, on its own, irregular. The concentration becomes interesting when you cross-reference the three contracting offices: all three rolled up under the same PEO in 2024.

“The PEO consolidation in 2024 was supposed to create efficiency. What it created was a single buying channel that defaults to a single vendor relationship.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 budget cycle are larger than anything we have written about in the past twelve months.

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

67%

Sustain rate on Polaris-vehicle protests, FY25 to date

— GAO bid protest annual report; author analysis

What the sustained decisions actually held

Both sustained protests turned on the same evaluation defect: an agency treating a non-manufacturer rule waiver as a procedural box-check rather than a substantive limitation. That is a reversible error and the remedy was corrective action — but the corrective action is the story.

“If your capture team is treating the non-manufacturer rule as a paperwork issue you are going to get protested off the award before you’ve spent the bonus.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 budget cycle are larger than anything we have written about in the past twelve months.

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

18 mo

Median time-to-authorization, FedRAMP Moderate

— FedRAMP PMO dashboard, FY25

What the OMB memo did and did not change

The September OMB memo formalized continuous-authorization tooling but pointedly did not collapse the agency-sponsored ATO requirement. Translation: the JAB pathway is still effectively closed to new entrants and the agency pathway still gates on a willing sponsor.

“The vendors who treated FedRAMP as a one-time project lost. The ones who built it into engineering capacity are now selling.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 budget cycle are larger than anything we have written about in the past twelve months.

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

6

NAICS code count above which win-rate begins to decline

— Author analysis, 1,400 small-business federal contractors

Concentration outperforms coverage by every metric that matters

Win-rate, average award size, recompete win-rate, and time-to-award all correlate negatively with NAICS code count above six. The mechanism is simple: agencies buy from vendors who look like specialists. A long NAICS list reads, in a CO’s source-selection notebook, as a tell that you do not know what you are.

“Every quarter a consultant tells me to add more NAICS codes. Every quarter we ignore them. Every quarter we win.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 budget cycle are larger than anything we have written about in the past twelve months.

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

$0

Statutory ceiling on Phase III contracts

— 15 U.S.C. § 638(r)(4)

What the statute actually says

15 U.S.C. § 638(r)(4) is two paragraphs long. Read it. The authority extends to any federal agency, in any amount, derivative of any prior phase, without any further competition required. The constraint is derivation — and derivation is provable with a one-page letter.

“We did $42M in Phase III work derived from a $1M Phase II. Nobody at the prime understood why we couldn’t be competed off it. Neither did the contracting officer until we showed her the statute.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 budget cycle are larger than anything we have written about in the past twelve months.

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

$284M

T4NG task-order obligations, week of May 5

— USASpending.gov, pulled 2026-05-10

The sustainment pivot is the consequential one

The Oracle-Cerner sustainment scope is being re-shaped, not re-competed. The structural read is that VA is preparing for a multi-year stabilization posture rather than the previously implied modernization sprint. That changes which capabilities are buyable in FY26 and FY27.

“Sustainment is the next two years at VA. Anyone who built their pipeline around modernization needs to re-baseline.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 budget cycle are larger than anything we have written about in the past twelve months.

We have spent the better part of three months running the underlying obligations data against agency strategic plans and the FY26 President’s Budget Request. The result is less a story than a pattern — and the pattern is not what the trade press has been describing.

+14%

OASIS+ task-order velocity vs. FY24 same period

— FPDS, pulled 2026-05-05

Why the divergence is structural, not seasonal

OASIS+ task-order obligations are running 14% ahead of the FY24 same-period baseline. CIO-SP4 is down 22%. Alliant 3 has cut only seven task orders since October. The CR explains some of this; vehicle-level governance explains the rest.

“We’re routing everything we can through OASIS+ right now. It is the one place the program offices don’t have to defend the obligation twice.”— A contracting officer at a mid-tier civilian agency, speaking on background

What that means for an operator at $5M to $50M in annual federal revenue is unambiguous: the surface area you can reasonably cover is shrinking, and the cost of being wrong about which vehicles to chase has roughly doubled since FY23.

Contrarian

The conventional advice — add more NAICS codes, get on more schedules, hire a former agency PM — is exactly the wrong response to this cycle. Concentration, not coverage, is the only durable answer.

We will keep tracking this through the end of the fiscal year. If the pattern holds through Q4, the implications for the FY27 bud