The federal procurement landscape is undergoing a major shift to streamline and accelerate the acquisition and implementation of advanced capabilities that could enhance the delivery of government services or support mission execution. At the heart of these changes is the Revolutionary Federal Acquisition Regulation Overhaul, a multi-year initiative mandated under the Restoring Common Sense to Federal Procurement executive order.
The FAR Overhaul aims to reduce regulatory burdens for the government contracting industry and ensure the efficient use of taxpayer dollars.
At the same time, the Department of War has started its multi-phase rollout of Cybersecurity Maturity Model Certification, or CMMC, which requires contractors to adopt measures to secure federal contract information or controlled unclassified information.

To help companies navigate these changes, BDO International officials, who have extensive experience advising companies on regulatory challenges, break down shifting requirements across government in a GovCon Wire webinar hosted by Executive Mosaic and Unanet.
Why Should Organizations Shift Their Mindset About Compliance?
Melissa Morgan, senior director for product and industry marketing at Unanet, said that multiple agencies are shaping cybersecurity compliance, each introducing its own rules and timelines. She shared that the organizations successfully managing all the changes in the government contracting landscape are those who treat cybersecurity not as a compliance project, but as a “strategic priority that touches every part of the business.”
Morgan stressed that cybersecurity must be built into the organization’s operations, making compliance easier over time. Organizations must adopt a more proactive cybersecurity posture instead of reconstructing evidence every time there is an audit, she added.
Revolutionary FAR Overhaul Updates
Tom Tagle, principal of government contracts practice at BDO, discussed updates to the Revolutionary FAR Overhaul, which he said has moved beyond just issuing class deviations to rulemaking.
The first set of class deviations was issued in May 2025 as part of Phase 1 of the overhaul. The Department of War kicked off Phase 2 of the program in February with a request for industry to identify FAR and Defense FAR Supplement, or DFARS, provisions that need to be revised or removed.
Class deviations are how the government implements the FAR Overhaul, with most agencies issuing deviations in the past year. Tagle noted that there have been a lot of changes to FAR clauses and it is the duty of the contractor to be aware of updates applicable to them.
Tagle stated, “It’s always good advice to know what’s in your contract. And now I think more than ever, because the likelihood of a change is greater than it has been, at least in my time working with federal government contractors.”
What Changes Will the CAS Board Introduce?
Tagle also noted during his presentation that the Cost Accounting Standards, or CAS, Board has been meeting and has taken several actions to modernize standards that have been in place for decades.
The CAS Board, which operates within the Office of Management and Budget’s Office of Federal Procurement Policy, sets and amends cost accounting practices across all government contracts.
According to Tagle, the CAS Board has eliminated standards related to tangible capital assets, appreciation material acquisition costs and accounting for compensated absences. He also mentioned that the board has taken out 68 requirements across four CAS standards that have become obsolete and removed thousands of words from regulatory text.
The CAS Board has already published two proposed rules to streamline accounting requirements and ensure that the government uses Generally Accepted Accounting Principles, or GAAP, to protect its interests.
What the CMMC Rollout Means for Subcontractors
The first phase of CMMC’s four-phase rollout began in November 2025 and will end in November 2026. Under the current phase, organizations are only required to self-attest their CMMC Level 1 or Level 2 score.
However, Christina Reynolds, managing director of the government contracts practice at BDO, said some prime contractors are already preparing to bid on contracts in 12 months and may require subcontractors that have received certification now, not in November when the next phase of the CMMC rollout comes into effect.
During her presentation, she noted that DFARS 7020 will require not just prime contractors, but also subcontractors to report their scores to the Supplier Performance Risk System. Reynolds also emphasized that DFARS 7020, not DFARS 7019, is the requirement that flows down from primes to subcontractors.
How Will GSA’s New Compliance Framework Impact Industry?
Reynolds also discussed upcoming changes the General Services Administration plans to introduce through CIO-IT Security-21-112, Revision 1, a five-phase compliance framework for contractors to protect CUI. Issued in February, the updated IT security procedural guide mandates compliance with security requirements set by the National Institute of Standards and Technology Special Publication 800-171r3 and NIST SP 800-172r3.
GSA CIO-IT Security-21-112 will introduce requirements that Reynolds described as “fundamentally different” from the security standards of the DOW and the proposed FAR CUI rule, both of which were hardcoded to NIST 800-171r2.
If implemented, GSA CIO-IT Security-21-112 will be “utterly destructive,” according to Reynolds, because the majority of industry has implemented NIST 800-171 Rev. 2, and the new compliance framework introduces more assessment objectives that organizations need to meet.
“So they decided their baseline would be the newer revision three, which nobody has implemented. And while it looks smaller, what they did is they tucked controls under other controls. So it’s actually not smaller,” the executive explained. “It’s actually 30 percent more assessment objectives.”