
Hoping to score a federal contract during the Trump years? Prepare your security plans now

Standards are constantly evolving, and keeping up now can save the company future trouble, says a cyber risk expert.

A Zaviant booth at the 2024 annual Colorado Privacy Summit (Zaviant/LinkedIn)

With a new administration now in office, cybersecurity is likely to take center stage as overall national security efforts become increasingly prioritized. 

As a result, we will continue to see stricter cyber policies from the US government, some of which will have a direct impact on federal contractors. For example, the Pentagon recently posted the final rule for the Cybersecurity Maturity Model Certification 2.0, solidifying their plans to implement new cybersecurity standards for contractors later this year. 

To avoid business disruptions, it’s essential that companies align their cybersecurity programs with evolving standards. 

Here’s how your business can strengthen its privacy and security protocols to stay secure and, hopefully, land more deals with the government in 2025 and beyond.

Document how you follow current protocols

Any contractor working with the US government should create and maintain a comprehensive system security plan (SSP). It’s not just best practice — it’s a requirement under frameworks like NIST SP 800-171 and the Federal Acquisition Regulation clauses.

This document outlines how your company protects sensitive government data, covering all aspects of system design, data handling and security controls. It demonstrates your company’s commitment to data security if legislators crack down. 

Preparing this plan takes a few key steps like defining the scope of the SSP, gathering existing documentation, conducting a gap analysis, closing any gaps, drafting the SSP and reviewing and validating it.

Furthermore, all prime contractors and their subcontractors will need a Cybersecurity Maturity Model Certification (CMMC) if they do business with the Department of Defense (DOD). Having an SSP will be helpful here because CMMC requires your business to have an SSP to satisfy the requirements for systems where Controlled Unclassified Information (CUI) is stored or shared.

Check your current protocols against government best practices

Ahead of enhanced cybersecurity protocols, all government contractors should take a serious look at their current program. This is best done through a gap analysis, an assessment that compares your existing security controls against industry standards.

For example, companies can anticipate that they’ll need to comply with frameworks like NIST 800-171, which is widely adopted by US government contractors to ensure that CUI is properly protected. The framework provides a set of 14 families of security requirements, covering everything from access control to incident response. 

By assessing your company’s compliance with these standards, you can identify any gaps or deficiencies in your security posture ahead of any upcoming changes.

Find out your SPRS score

Once you have a solid grasp of your security program’s current state, it’s time to focus on your Supplier Performance Risk System (SPRS) score. 

The SPRS score is a measure of your compliance with the Defense Federal Acquisition Regulation Supplement clause 252.204-7012, which requires defense contractors to report their compliance with NIST 800-171. Contractors are required to input their compliance status into SPRS, and the resulting score is used by government agencies to assess the risk level of contracting with your company.

A higher SPRS score indicates a strong cybersecurity posture, which is likely to become increasingly important moving forward. If you don’t have an acceptable score, you may not be able to do business with the government until you improve it by fixing the gaps it points out.

Outline a plan to fix any gaps and comply with future regulations

When conducting a gap analysis, you’re likely to uncover areas where your security program falls short of government requirements. This is common, but it’s important to address these gaps by creating a Plan of Action and Milestones (POA&M) document, which serves as a roadmap outlining the steps, responsible parties and timelines for achieving compliance.

The document should prioritize actions based on risk levels and ensure that milestones are met to demonstrate progress. The POA&M is particularly important for contractors working with the DOD because it shows which gaps exist and gives specific timelines for when those gaps will be closed.

Follow through on your plans to improve

Once your POA&M is in place, it’s time to work toward improving your security maturity and increasing your SPRS score. This involves addressing the gaps identified during the assessment and executing the corrective actions in your POA&M. 

Improving your security maturity may involve regularly reviewing and refining your security policies and procedures in response to new regulations, implementing automation where possible to streamline compliance activities, training staff on cybersecurity best practices and engaging third-party auditors to assess the effectiveness of your program.

Make sure your other vendors are in compliance, too

Government contractors are responsible not only for their own data security but also for that of the third-party vendors they engage to support their business. Flowing down government requirements is crucial to ensure that your entire ecosystem of contractors and subcontractors meets the necessary standards to protect sensitive data.

To accomplish this, companies should clearly communicate security expectations to third-party vendors, ensure that they are compliant with NIST 800-171 and other relevant frameworks, and include compliance requirements in contracts.
