The Exchange Weekly Newsletter
December 22-28, 2025
Graphic Courtesy of Google Gemini Nano Banana Pro
Preview: The Week Government IT Changed Direction
December 22-28, 2025, will be remembered as the week when three years of planning collided with political reality, budget constraints forced immediate strategic pivots, and the federal government’s technology leadership experienced its most dramatic transformation in decades.
Today marks the December 29 deadline for federal agencies to finalize AI acquisition and use policies under OMB Memorandum M-25-22. This isn’t paperwork compliance. These policies will determine how agencies procure, deploy, and govern artificial intelligence for years to come, crystallizing expectations for contractors and setting the template for how the federal enterprise manages algorithmic decision-making at scale. The policies arrive alongside OMB M-26-04, issued December 11, which requires all federal large language model procurements to immediately include “truth-seeking” and “ideological neutrality” as material contract terms. Agencies must update their full procurement policies by March 11, 2026.
Simultaneously, the Technology Modernization Fund sits frozen. Its authorization expired December 12, leaving approximately $160-200 million in available funding inaccessible and closing off the flexible capital mechanism that had invested roughly $1 billion across 70 projects in 34 federal agencies since 2017. House appropriators zeroed out TMF for the third consecutive year. With 11 legacy IT systems identified by GAO as critically needing modernization and the federal government spending roughly 80 percent of its $100+ billion annual IT budget on operations and maintenance, the timing couldn’t be worse.
The workforce picture grew even more complex. On December 28, approximately 1,000 IRS IT positions were reassigned from the IT organization to the Chief Operating Officer, requiring affected employees to upload resumes by January 23 for consideration elsewhere at IRS and Treasury. This restructuring occurs during critical tax season preparation and follows a pattern visible across government. In 2025, 85 percent of CFO Act agency CIOs departed their positions. GSA’s Technology Transformation Services narrowly avoided layoffs only after a court order during the October-November shutdown. The U.S. Tech Force launched December 15 to recruit approximately 1,000 technologists for two-year federal assignments, but it arrives after the loss of over 300,000 federal employees in 2025.
Commercial investment targeting government operations reached unprecedented levels. Amazon Web Services announced up to $50 billion to expand AI and supercomputing infrastructure for U.S. government customers, adding nearly 1.3 GW of compute capacity across AWS Top Secret, AWS Secret, and AWS GovCloud Regions. Google Cloud was selected to power the GenAI.mil platform serving 3 million Department of War civilian and military personnel. Microsoft Azure is expanding, with three Availability Zones coming to the US Government Arizona region in early 2026. The Department of Energy’s Genesis Mission gained partnerships with NVIDIA and Oracle to build Solstice, DOE’s largest AI supercomputer, with 100,000 NVIDIA Blackwell GPUs at Argonne National Laboratory.
Yet infrastructure constraints persist. Data center power demand increased 22 percent in 2025, requiring 61.8 GW, with demand expected to nearly triple by 2030. Grid connection queues in hotspots like Virginia have stretched to seven years. Community opposition blocked or delayed $98 billion in data center projects in Q2 2025 alone. Some 188 active opposition groups across 24 states now organize against developments, with 66 percent of protested projects blocked or delayed.
The cybersecurity picture remained urgent. Salt Typhoon remains active in U.S. telecommunications networks despite months of remediation efforts. Senator Mark Warner received conflicting assessments December 12 about whether the Chinese state-sponsored group has been fully eradicated. Recorded Future reports Salt Typhoon hit five additional telecom networks between December and January, including two in the United States. A December 9 joint advisory from CISA, FBI, NSA, DOE, EPA, and international partners detailed ongoing attacks by pro-Russia hacktivist groups against U.S. water and energy systems, with four threat groups specifically identified.
President Trump’s December 11 Executive Order “Ensuring a National Policy Framework for Artificial Intelligence” represents the most aggressive federal preemption effort after congressional attempts failed. The order directs DOJ to establish an AI Litigation Task Force within 30 days to challenge state AI laws and conditions BEAD broadband funding on states not maintaining objectionable AI regulations. On December 19, attorneys general from 23 states filed reply comments urging the FCC to stand down on AI preemption.
The full analysis of this week’s developments—including detailed examination of Medicare’s controversial AI pilot launching January 1, the Revolutionary FAR Overhaul’s impact on acquisition, Department of War’s deployment of Grok AI to 3 million personnel, VA’s $37 billion EHR restart timeline, FedRAMP 20x automation advances, and strategic guidance for navigating the January 30 CR expiration—is available to paid subscribers.
Subscribe Now: Your Last Free Issue
This is the final Exchange Weekly Newsletter available without a subscription. Starting January 6, 2026, the newsletter moves to paid-only access. For the cost of a single coffee each month - just $10/month (on sale through the end of the year for just $7/month) - you’ll receive a weekly 10,000+ word analysis of the government IT developments that matter, synthesized from dozens of authoritative sources and filtered through 32 years of federal technology experience. Each Monday morning, you’ll know what happened in the previous week, why it matters, and what decisions you need to make. No hunting through press releases, vendor blogs, or agency announcements. No wading through generic consulting commentary. Just direct, actionable intelligence for federal, state, and local government IT executives.
Want an even better deal? Annual subscriptions are just $60—saving you $60 over monthly billing while locking in coverage for the entire year. That’s less than the cost of a single vendor lunch for 52 weeks of strategic insight.
For those who want more than just the newsletter, we offer Inner Circle Access—a leader’s plan providing deeper engagement, direct consultation access, and advance notice of major developments before they hit the weekly newsletter. Contact us at podcasts@metorasolutions.com for details.
Your subscription ensures we can continue delivering this level of depth and quality every week. Thank you for being part of The Exchange community.
TL;DR: The Critical Developments
AI Governance Deadline Arrives: December 29 marks the deadline for agencies to finalize AI acquisition policies (OMB M-25-22), while M-26-04 requires immediate “Unbiased AI Principles” in all federal LLM procurements. Trump’s December 11 Executive Order directing DOJ to challenge state AI laws has drawn opposition from 23 state attorneys general.
TMF Authorization Expired: The Technology Modernization Fund’s authorization lapsed December 12, freezing approximately $160-200 million and blocking new modernization investments. House appropriators zeroed out TMF for the third consecutive year despite GAO identifying 11 critical legacy systems needing immediate modernization.
Workforce Transformation Accelerates: IRS reassigned 1,000 IT positions December 28; 85 percent of CFO Act agency CIOs departed in 2025; U.S. Tech Force launched to recruit 1,000 technologists for two-year federal assignments after 300,000+ federal employee departures.
Commercial AI Investment Surges: AWS committed up to $50 billion for government AI infrastructure; Google Cloud selected for GenAI.mil serving 3 million DoD personnel; Microsoft Azure expanding government regions; DOE’s Genesis Mission partnered with NVIDIA/Oracle for 100,000-GPU supercomputer.
Infrastructure Constraints Persist: Data center power demand up 22 percent in 2025, expected to triple by 2030; grid queues stretch to seven years in Virginia; community opposition blocked/delayed $98 billion in Q2 2025 projects; 188 active opposition groups across 24 states.
Cybersecurity Threats Continue: Salt Typhoon remains in U.S. telecom networks despite remediation; pro-Russia hacktivists targeting water/energy systems per December 9 CISA advisory; React2Shell (CVSS 10.0) exploited by China-linked groups within hours of disclosure.
Key January Deadlines: Medicare WISeR AI pilot launches January 1; DOJ AI Task Force due January 10; OASIS+ Phase II reopens January 12; current CR expires January 30; agency AI procurement updates due March 11.
1: AI Governance Frameworks Collide as December 29 Deadline Crystallizes Federal Expectations
The convergence of two Office of Management and Budget memoranda, a sweeping Executive Order, and sustained state resistance has created the most complex AI governance environment federal technology leaders have faced. The December 29 deadline for agencies to finalize AI acquisition and use policies under OMB M-25-22 arrives as a hard stop, not a milestone. These policies will govern how agencies identify AI in procurement, review planned acquisitions, convene cross-functional teams, and ensure appropriate contract terms for intellectual property rights.
OMB’s Memorandum M-25-21, issued February 2025, directed agencies to accelerate AI adoption through innovation, governance, and public trust. M-25-22 followed with specific acquisition guidance. Agencies were required to publish strategic AI plans by September 2025. The December 29 policies translate those strategies into operational mandates around AI inventories, data governance, human oversight, rigorous testing, and alignment with agency-specific expectations. Agencies including the Department of Homeland Security, Department of Energy, Department of State, Department of Veterans Affairs, Consumer Financial Protection Bureau, General Services Administration, National Archives and Records Administration, and the Federal Reserve Board have already published AI strategies. These plans converge on several themes: scalable AI infrastructure, quality data, an AI-ready workforce, proportional risk governance, and standardized secure development and testing.
Unbiased AI Principles add immediate procurement layer
The December 11 release of OMB Memorandum M-26-04 added unexpected complexity. The memo requires all federal large language model procurements to immediately include “truth-seeking” and “ideological neutrality” as material contract terms. Agencies must update their full procurement policies by March 11, 2026, to reflect these principles derived from the July 23, 2025 Executive Order “Preventing Woke AI in the Federal Government.”
The practical implications are substantial. Federal procurement officers must now request vendor disclosures including acceptable use policies, model cards describing training data and known limitations, and feedback mechanisms for any AI system. Non-compliance constitutes grounds for contract termination. GSA’s OneGov agreements with OpenAI, Anthropic, Google, Meta, and xAI offer models for $1 or less per agency and provide a ready compliance path. Agencies using other vendors face heightened documentation requirements and must verify that LLM outputs align with truth-seeking and ideological neutrality standards, which remain somewhat ambiguous in implementation.
For federal contractors and systems integrators, the December 29 and March 11 deadlines represent concrete requirements with enforcement risk. Organizations that treat these as aspirational guidance will find themselves retrofitting systems under pressure when regulations tighten or when incidents trigger investigations. Building capabilities now around clear data lineage, bias testing at each model update, documented override processes, and audit trails that can reconstruct decisions provides both compliance readiness and operational resilience.
Federal preemption efforts escalate despite state resistance
President Trump’s December 11 Executive Order “Ensuring a National Policy Framework for Artificial Intelligence” represents the most aggressive federal preemption effort since congressional attempts failed in both the National Defense Authorization Act and the July “One Big Beautiful Bill.” The order directs the Department of Justice to establish an AI Litigation Task Force within 30 days to challenge state AI laws that the administration considers onerous or duplicative. It requires the Department of Commerce to identify problematic state laws within 90 days and conditions BEAD broadband funding on states not maintaining objectionable AI regulations.
The order specifically criticizes Colorado’s algorithmic discrimination law, which was delayed from February 1 to June 30, 2026, but remains on the books pending litigation. It frames state-level AI regulation as creating a patchwork that hampers innovation and weakens America’s competitive position against China. The order positions the federal government as the sole appropriate regulator of AI systems, invoking Commerce Clause authority and arguing that interstate AI deployment requires uniform national standards.
State response has been swift and bipartisan. On December 19, attorneys general from 23 states filed reply comments urging the Federal Communications Commission to stand down on AI preemption, arguing the commission lacks jurisdiction over AI as a category of information services. This follows November’s letter from 36 state attorneys general opposing NDAA preemption provisions and December’s letter from 42 attorneys general directly to AI companies defending state authority to protect residents. The attorneys general argue that states serve as laboratories of democracy and must retain flexibility to confront new digital challenges as they arise.
For state and local government IT leaders, this creates genuine compliance uncertainty. Federal preemption efforts proceed through regulatory channels while state laws remain in effect pending litigation. The prudent approach requires maintaining compliance with applicable state requirements while monitoring DOJ Task Force actions due January 10 and Commerce Department evaluations due March 11. Any AI system touching high-risk decisions in housing, credit, employment, education, or public benefits should be mapped to both current state rules and potential federal standards.
The legal trajectory remains uncertain. State attorneys general have demonstrated they will defend state authority aggressively. Courts will ultimately determine whether federal agencies have the statutory authority to preempt state AI laws or whether Congress must act. The process will take years, not months. Organizations operating across multiple states must build scenario plans for at least three outcomes: state rules remain in effect, federal preemption overrides them, or a hybrid model emerges where federal law sets a floor and states can add requirements on top.
Medicare WISeR Model launches amid clinical controversy
The WISeR Model (Wasteful and Inappropriate Service Reduction) begins January 1, 2026, representing Medicare’s first-ever AI-powered prior authorization system. Operating in six states—Arizona, New Jersey, Ohio, Oklahoma, Texas, and Washington—the pilot covers 17 treatments including skin substitutes, electrical nerve stimulator implants, knee arthroscopy, facet joint interventions, and various spinal procedures.
The program’s structure has drawn sharp criticism from physician groups and some lawmakers. Six AI vendors, one per state, receive payment as a percentage of savings from denied claims. Critics argue this model incentivizes denials over clinical accuracy and creates a financial conflict of interest that could reduce access to medically necessary care for older adults. CMS Administrator Dr. Mehmet Oz frames the initiative as “crushing fraud, waste, and abuse,” citing up to $5.8 billion in “low-value” Medicare services provided in 2022.
The American Medical Association reports that basic implementation information remains unclear days before launch. Questions persist about which specific AI systems will be used, how clinical decisions will be explained to providers and patients, what appeal processes exist for denials, and how the program will measure success beyond cost reduction. Representative Suzan DelBene (D-WA), whose district is in Washington state, co-sponsored repeal legislation introduced in December, arguing the model was insufficiently vetted and poses patient safety risks.
For CIOs and chief data officers in healthcare and public programs, this pilot underscores that algorithmic decision-making in entitlement programs will face intense scrutiny from clinicians, advocacy groups, and Congress if perceived as prioritizing cost reduction over patient care. Any AI used in coverage, utilization management, or payment requires robust explainability, well-designed appeals processes, rigorous data quality management, and ongoing monitoring for bias and adverse outcomes. The WISeR Model will be a live case study throughout 2026 of what works and what fails when AI makes decisions affecting millions of beneficiaries.
HHS Claude deployment shows enterprise AI adoption at scale
The Department of Health and Human Services rolled out Anthropic’s Claude as a department-wide tool in December, building on earlier deployments of ChatGPT through government OneGov contracts. Staff across operating divisions will use Claude to draft documents, summarize regulatory text, and support day-to-day analytical tasks within guardrails defined by HHS’s internal AI policies and broader federal guidance.
This is a live case study of what scaled AI adoption looks like inside a cabinet agency. It pairs a written AI strategy with a small set of enterprise platforms and shared services rather than a sprawl of pilots. It signals the level of governance needed around access controls, logging, and data residency when generative AI becomes a standard productivity tool for tens of thousands of knowledge workers. The deployment demonstrates that agencies are willing to move forward with AI adoption even as broader policy questions remain unresolved.
Organizations that can demonstrate responsible AI use at scale will have credibility when procurement opportunities expand. Those that wait for perfect clarity will find themselves behind agencies and contractors that built operational muscle through real deployment. The key capabilities that enabled HHS’s rollout—clear data classification, access control frameworks, audit logging, user training, acceptable use policies, and incident response procedures—are not AI-specific. They are foundational IT governance practices applied to a new technology category.
Department of War deploys Grok AI across entire defense enterprise
The Department of War announced a partnership with Elon Musk’s xAI on December 22 to deploy Grok AI across government systems. By early 2026, all 3 million military and civilian personnel will have access through the GenAI.mil platform. Defense Secretary Pete Hegseth launched GenAI.mil with Google Gemini as the initial commercial LLM in December, enabling research, document formatting, video analysis, and imagery analysis.
The scale is unprecedented. This represents the largest federal deployment of commercial AI tools to date, dwarfing previous pilots and limited rollouts. The GenAI.mil platform approach allows the Department of War to offer multiple commercial LLMs through a single interface with consistent security controls, data handling protocols, and acceptable use policies. Users can select the most appropriate model for their task rather than being locked into a single vendor.
The addition of Grok AI alongside Gemini signals that the Department of War is taking a multi-model strategy seriously. Different LLMs have different strengths. Some excel at code generation, others at natural language summarization, still others at mathematical reasoning or multilingual tasks. Offering choice allows personnel to match tools to needs while maintaining centralized governance.
Security and data handling protocols will be closely watched as implementation proceeds. The platform must handle data at multiple classification levels, maintain separation between classified and unclassified workloads, prevent data leakage between models and users, and provide audit trails for accountability. How the Department of War solves these challenges will inform enterprise AI deployments across the rest of government.
For defense contractors and systems integrators, the GenAI.mil deployment creates both opportunity and expectation. Contractors supporting Department of War programs should expect questions about how their proposed AI capabilities integrate with GenAI.mil, whether they can leverage the platform’s capabilities rather than building redundant tooling, and how they govern AI use by contractor personnel working on government projects.
Sources:
Federal News Network, “Acquisition more than IT drove the news in 2025,” December 2025, https://federalnewsnetwork.com/reporters-notebook/2025/12/acquisition-more-than-it-drove-the-news-in-2025/
Federal News Network, “OMB sets procurement guardrails for buying AI tools,” December 2025, https://federalnewsnetwork.com/acquisition-policy/2025/12/omb-sets-procurement-guardrails-for-buying-ai-tools/
GovWin, “White House Expands Stance on Federal AI Regulation,” December 2025, https://iq.govwin.com/neo/marketAnalysis/view/White-House-Expands-Stance-on-Federal-AI-Regulation/8761
Fiddler AI, “What OMB M-26-04 Means for Federal Agencies Deploying AI,” December 2025, https://www.fiddler.ai/blog/omb-m-26-04
DLA Piper, “New Executive Order aims to preempt state AI regulation,” December 2025, https://www.dlapiper.com/en-us/insights/publications/2025/12/new-executive-order-aims-to-preempt-state-ai-regulation
Mayer Brown, “President Trump Issues Executive Order on Ensuring a National Policy Framework for Artificial Intelligence,” December 2025, https://www.mayerbrown.com/en/insights/publications/2025/12/president-trump-issues-executive-order-on-ensuring-a-national-policy-framework-for-artificial-intelligence
CNN, “Trump signs executive order blocking states from enforcing their own regulations around AI,” December 11, 2025, https://www.cnn.com/2025/12/11/tech/ai-trump-states-executive-order
Sidley Austin LLP, “Unpacking the December 11, 2025 Executive Order: Ensuring a National Policy Framework for Artificial Intelligence,” December 2025, https://www.sidley.com/en/insights/newsupdates/2025/12/unpacking-the-december-11-2025-executive-order
Alston & Bird, “The Digital Download December 2025,” December 2025, https://www.alston.com/en/insights/publications/2025/12/the-digital-download-december-2025
Stateline, “Medicare’s new AI experiment sparks alarm among doctors, lawmakers,” December 4, 2025, https://stateline.org/2025/12/04/medicares-new-ai-experiment-sparks-alarm-among-doctors-lawmakers/
FedScoop, “HHS rolls out Claude, Anthropic AI tool,” December 4, 2025, https://fedscoop.com/hhs-rolls-out-claude-anthropic-ai-tool/
Google Cloud, “Chief Digital and Artificial Intelligence Office Selects Google Cloud’s AI to Power GenAI.mil,” December 9, 2025, https://www.googlecloudpresscorner.com/2025-12-09-Chief-Digital-and-Artificial-Intelligence-Office-Selects-Google-Clouds-AI-to-Power-GenAI-mil
Association of Defense Communities, “Hegseth Encourages DOD Personnel to Use AI,” December 2025, https://defensecommunities.org/2025/12/hegseth-encourages-dod-personnel-to-use-ai/
2: TMF Expiration and Workforce Upheaval Reshape Federal IT Capacity
The Technology Modernization Fund’s authorization expired December 12, 2025, marking the first lapse since its 2017 inception. GSA can oversee existing investments but cannot make new awards, effectively freezing approximately $160-200 million in available funding. The fund had invested roughly $1 billion in 70 projects across 34 federal agencies. House appropriators zeroed out TMF for the third consecutive year in the FY2026 Financial Services and General Government appropriations bill, signaling that congressional skepticism about the fund’s repayment model has not abated despite GSA’s defense of the program.
The timing couldn’t be worse. GAO’s most recent report identifies 11 legacy IT systems as critically needing modernization across 10 federal agencies. Eight of these systems use COBOL or Assembly language. Four run on unsupported hardware or software. Seven have known cybersecurity vulnerabilities that cannot be remediated without modernization. The federal government spends approximately 80 percent of its $100+ billion annual IT budget on operations and maintenance of existing systems. TMF was designed to help agencies break this cycle by providing flexible capital for modernization projects that could reduce long-term operating costs.
The fund’s track record has been mixed. Since inception, TMF received over 100 project submissions from 43 agencies, requesting more than $2.1 billion in funding. This demand underscores the urgency and potential for meaningful modernization. Projects funded through TMF have delivered measurable improvements in cybersecurity, citizen services, and operational efficiency. However, a GAO report found that as of February 2023, only 8 of 37 awarded projects had realized cost savings totaling $14.8 million, with five anticipating further savings totaling $2.6 million and an additional 16 projects anticipating $738.6 million in combined savings.
The initial premise that the fund would be a self-sustaining mechanism fueled by repayments from agencies that reaped savings from their modernizations has not panned out. Repayment rules were relaxed by the Biden administration, and the fund now requires a minimum 50 percent repayment rate rather than full repayment within five years. This change acknowledged that not all modernization projects generate direct cost savings that can be quantified and returned to TMF, even when they deliver substantial value in improved security, better user experience, or enhanced mission capability.
IRS restructuring signals broader pattern
Effective December 28, approximately 1,000 IRS IT positions are being reassigned from the IT organization to the Chief Operating Officer. Impacted employees must upload resumes by January 23, 2026, for consideration elsewhere at IRS and Treasury. The National Treasury Employees Union has filed a grievance, arguing the reassignments violate collective bargaining agreements and were implemented without adequate notice or consultation.
Treasury CIO Sam Corcos defended the reorganization in public statements, stating IRS “has had poor technical leadership for roughly 40 years” and needs to “recompose” its engineering organization. Corcos argued that IRS technology leadership has been overly focused on maintaining legacy systems rather than driving innovation, and that embedding technical talent more directly into business units will improve outcomes. Critics counter that breaking up the IT organization during critical tax season preparation, while simultaneously pursuing ambitious modernization initiatives, creates operational risk that could manifest in system outages or delayed service delivery.
This restructuring occurs as IRS pursues multiple complex technology transformations. The agency paused its previous 23 modernization programs in March 2025 to develop a new framework with nine consolidated initiatives. GAO released a report in December noting that IRS is developing this new framework but has not yet finalized details around governance, funding, or timelines. Treasury simultaneously announced commercial partnerships with Salesforce for taxpayer services modernization, Palantir for a unified API layer, and multiple vendors for the Zero Paper Initiative, which aims to eliminate paper-based processing across IRS operations.
The apparent contradiction between reducing IT organization headcount while increasing reliance on commercial technology partners reflects a broader federal trend. Agencies are shifting from large internal IT organizations building custom systems to smaller technical teams managing commercial platforms and vendor relationships. This model can work when properly resourced and when vendor management capabilities are strong. It creates significant risk when technical capacity is reduced faster than vendor management maturity develops.
Federal CIO departures reach historic levels
In 2025, 85 percent of CFO Act agency CIOs departed their positions. This represents the highest turnover rate in the two decades since the Federal CIO position was established. The departures reflect a combination of factors: the end of the Biden administration and resulting political transitions, voluntary retirements accelerated by workforce reduction pressures, forced resignations tied to DOGE efficiency reviews, and burnout after years of pandemic response, supply chain challenges, and cybersecurity crises.
The impact on agency IT operations is substantial. New CIOs typically take 6-12 months to fully onboard, understand agency-specific systems and priorities, build relationships with business unit leaders and external stakeholders, and begin implementing strategic initiatives. During transition periods, agencies often default to maintaining current operations rather than pursuing new initiatives, delaying modernization projects and strategic planning until leadership stabilizes.
The CIO departures occurred alongside broader federal workforce reductions. The Department of Government Efficiency reduced federal employment by approximately 271,000 jobs, representing 9 percent of the federal workforce. This constitutes the fastest peacetime decline since World War II demobilization. Despite workforce cuts, federal spending was $248 billion higher than in the same period last year, reaching $7.6 trillion in the first 11 months of calendar year 2025. The disconnect between reduced headcount and increased spending reflects the fact that much federal spending goes to mandatory programs like Social Security and Medicare that are not affected by workforce levels.
U.S. Tech Force aims to rebuild technical capacity
Against this backdrop of workforce reduction, the Office of Personnel Management launched the U.S. Tech Force on December 15. The cross-government program aims to recruit approximately 1,000 technologists for two-year federal assignments. Salaries range from $130,000 to $195,000, corresponding to GS-13 and GS-14 levels, with most hires expected by the end of March 2026.
Private sector partners include AWS, Apple, Microsoft, NVIDIA, Oracle, Palantir, Salesforce, Meta, xAI, OpenAI, and approximately 25 others who can nominate employees for government service stints. The model allows private sector employees to maintain their corporate benefits and return to their companies after the federal assignment, reducing barriers to government service. Companies participating view it as a way to give employees public service experience, build relationships with government customers, and demonstrate commitment to American competitiveness.
Applications are open at TechForce.gov with skills-based assessment and no degree requirement. Agencies must have designated Tech Force contacts by December 22 to participate in the program. The positions focus on emerging technology areas including artificial intelligence, cybersecurity, cloud computing, data science, software engineering, and digital services. The initiative represents the largest federal tech hiring effort since U.S. Digital Corps and U.S. Digital Service were established, though it comes after the loss of over 300,000 federal employees in 2025.
The critical question is whether 1,000 two-year assignments can offset the loss of 271,000 permanent employees and 85 percent of agency CIOs. The program will bring valuable technical expertise and private sector perspective into government, but it is not a workforce strategy. It is a talent injection that can accelerate specific projects and build capabilities in emerging areas, but it cannot replace the institutional knowledge and continuity that permanent federal employees provide.
GSA avoids TTS layoffs after court intervention
GSA’s Technology Transformation Services narrowly avoided layoffs only after a court order required the administration to pause reductions during the October-November government shutdown. TTS oversees critical shared services including Login.gov, which provides authentication for over 100 federal websites; FedRAMP, which authorizes cloud services for federal use; and Cloud.gov, which provides platform-as-a-service capabilities for agency applications. Disruption to any of these services would cascade across multiple agencies.
The court order provided temporary relief, but the underlying budget pressures remain. TTS operates as a revolving fund, charging agencies for services rather than receiving direct appropriations. When agencies face budget cuts, their ability to pay for shared services declines, creating a funding squeeze for TTS even when demand for services remains high. The organization must constantly balance investing in new capabilities, maintaining existing services, and managing costs to stay within its revenue constraints.
The near-miss at TTS highlights the fragility of shared services models during budget austerity. Services like Login.gov and FedRAMP have become critical infrastructure that dozens of agencies depend on, but their funding model leaves them vulnerable to agency budget fluctuations. Congress and OMB should consider whether certain shared services warrant direct appropriations to ensure stability, rather than leaving them dependent on fee-for-service models that can become unstable during fiscal uncertainty.
Treasury modernization shows commercial partnerships can work
On a more positive note, the Treasury Department announced December 19 that it has made major progress on IT modernization initiatives despite budget constraints. The department completed migration of 50 mission-critical applications to cloud infrastructure, deployed zero trust architecture across all Treasury bureaus, and consolidated 14 separate data centers into four modern facilities. These accomplishments occurred while Treasury reduced its IT workforce by approximately 15 percent through attrition and reorganization.
Treasury’s success reflects several factors. First, the department made deliberate investments in vendor management and contract oversight capabilities before pursuing large commercial partnerships. Second, Treasury adopted an incremental migration approach rather than attempting big-bang transformations, allowing teams to learn and adjust as they progressed. Third, leadership maintained consistent messaging about modernization priorities across political transitions, providing stability even as individual leaders changed.
The Treasury example demonstrates that federal IT modernization is possible even during workforce reductions and budget constraints, but it requires strategic focus, strong vendor management, and leadership continuity. Agencies attempting to modernize without these foundations will struggle regardless of how much funding is available.
Sources:
FedScoop, “Why Congress must reauthorize the Technology Modernization Fund,” December 1, 2025, https://fedscoop.com/technology-modernization-fund-reauthorization-congress/
GovCIO Media, “Impending TMF Sunset Redirects Federal Modernization Trajectories,” December 2025, https://govciomedia.com/tmf-runs-out-of-time/
Nextgov, “Technology Modernization Fund reauthorization not included in NDAA,” December 2025, https://www.nextgov.com/modernization/2025/12/technology-modernization-fund-reauthorization-not-included-ndaa/409999/
Federal News Network, “House lawmakers to try again to extend TMF through NDAA,” December 2, 2025, https://federalnewsnetwork.com/congress/2025/12/house-lawmakers-to-try-again-to-extend-tmf-through-ndaa/
GAO, “Information Technology: IRS Is Developing a New Modernization Framework,” December 2025, https://files.gao.gov/reports/GAO-25-107611/index.html
Federal News Network, “IRS moves 1,000 IT employees out of its tech shop, with few signs of what work they’ll do next,” December 2025, https://federalnewsnetwork.com/it-modernization/2025/12/irs-moves-1000-it-employees-out-of-its-tech-shop-with-few-clear-signs-of-what-work-theyll-do-next/
U.S. Department of the Treasury, “U.S. Treasury Department Announces Major Progress in IT Modernization Initiatives,” December 2025, https://home.treasury.gov/news/press-releases/sb0260
Nextgov, “GSA backs off planned layoffs within its technology team after court order,” December 2025, https://www.nextgov.com/people/2025/12/gsa-backs-planned-layoffs-within-its-technology-team-after-court-order/410304/
FedScoop, “Trump’s Tech Force treads familiar ground for former government tech leaders,” December 2025, https://fedscoop.com/trump-tech-force-government-opm-workforce-engineers-artificial-intelligence/
3: Cybersecurity Threats Persist Despite Shutdown Disruptions
The 43-day government shutdown from October 1 through November 12, 2025, disrupted federal cybersecurity operations across most agencies. CISA, NSA, and FBI maintained skeleton crews focused on imminent threats, but proactive threat hunting, vulnerability research, and coordination activities largely halted. Classified briefings to cleared contractors stopped. Security clearance processing froze. Cybersecurity vendors supporting federal agencies saw contracts suspended or delayed.
Threat actors did not pause. Salt Typhoon remains active in U.S. telecommunications networks despite months of remediation efforts. Senator Mark Warner, who chairs the Senate Select Committee on Intelligence, received conflicting assessments on December 12 about whether the Chinese state-sponsored group has been fully eradicated from compromised networks. Recorded Future reports Salt Typhoon hit five additional telecom networks between December and January, including two in the United States. One telecom executive, speaking on background, stated that “complete confidence in eradication is impossible when you’re dealing with nation-state actors who have had persistent access for months or years.”
The attack vector remains viable across much of U.S. telecommunications infrastructure. Salt Typhoon primarily exploited vulnerabilities in Cisco IOS XE software running on network routers, gaining access to lawful intercept systems established under the Communications Assistance for Law Enforcement Act. Nine or more U.S. companies were compromised, including AT&T, Verizon, T-Mobile, Spectrum, and Lumen. The attackers accessed metadata of millions of Americans’ communications and, in some cases, the content of calls and messages for specific targeted individuals including senior government officials and campaign staff during the 2024 election.
CISA and FBI issued updated guidance in December recommending end-to-end encryption for all sensitive government communications. The agencies specifically recommended Signal, WhatsApp with encryption enabled, or iMessage between Apple devices for communications requiring confidentiality. This represents a significant shift from previous guidance that focused primarily on network security and assumed that properly configured government networks provided adequate protection.
Pro-Russia hacktivists systematically target critical infrastructure
A December 9 joint cybersecurity advisory from CISA, FBI, NSA, Department of Energy, Environmental Protection Agency, and international partners from Australia, Canada, and the United Kingdom details ongoing attacks by pro-Russia hacktivist groups against U.S. critical infrastructure. The advisory identifies four specific threat groups and their tactics, techniques, and procedures:
Cyber Army of Russia Reborn has confirmed ties to Russian military intelligence and has disrupted water supplies in the United States, Poland, and France. The group specifically targets small and medium water utilities with unsecured remote access to SCADA and HMI devices. Attacks have caused pumping failures, chemical feed disruptions, and loss of monitoring visibility. In at least two cases documented by the FBI, attacks caused temporary service disruptions affecting thousands of residents.
Z-Pentest specializes in OT intrusion and avoids distributed denial-of-service attacks to maintain persistent access without detection. The group has demonstrated sophisticated understanding of industrial control systems and has accessed critical systems at energy facilities. NSA analysis indicates Z-Pentest may be a front organization for Russian state-sponsored actors rather than independent hacktivists.
NoName057(16) uses a proprietary DDoSia tool distributed to supporters who voluntarily run attack scripts. The group is funded by Kremlin-linked organizations and coordinates with Russian state media to time attacks for maximum propaganda value. NoName057(16) has targeted financial services, government websites, and critical infrastructure operators across NATO countries.
Sector16 formed in January 2025 and claims to have compromised U.S. energy infrastructure including natural gas pipeline SCADA systems. The group has published screenshots purporting to show access to pipeline control systems, though the authenticity of some screenshots remains unverified. The Department of Energy is working with pipeline operators to validate claims and remediate any confirmed compromises.
Attack methods documented in the advisory include exploiting unsecured VNC connections to access SCADA and HMI devices, password brute-forcing via temporary virtual private servers that are discarded after attacks, and simultaneous DDoS attacks to distract defenders while conducting intrusions. The advisory notes that attacks have caused physical damage in some instances, including pump failures at water treatment facilities and valve closures on energy pipelines.
State and local government operators of water utilities, wastewater treatment plants, energy facilities, and other critical infrastructure face elevated risk. The advisory provides specific mitigation recommendations including disabling direct internet access to OT devices, implementing multi-factor authentication on all remote access, segmenting IT and OT networks, monitoring for anomalous VNC and RDP traffic, and establishing out-of-band communication channels for coordination during attacks.
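The monitoring recommendation above, sketched as an added example (not code from the advisory or from this newsletter): a detector over constructed firewall log lines that flags VNC/RDP sessions reaching an OT subnet from anywhere but the sanctioned jump host, bursts of failed logins, and a successful login that follows a burst. The log format, subnet, jump-host address, and thresholds are all assumptions.

```python
"""Flag VNC/RDP access to OT hosts that bypasses the jump host, plus login bursts.

Added illustration. Log format, addresses and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed environment (hypothetical values; public IPs are documentation ranges).
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}  # the only sanctioned remote path
REMOTE_PORTS = {3389: "RDP", **{port: "VNC" for port in range(5900, 5910)}}
BURST_FAILURES = 5                      # this many failed logins ...
BURST_WINDOW = timedelta(seconds=60)    # ... inside this window is a burst

# Constructed sample, time-ordered: "<ISO time> <src> <dst> <dst port> <result>"
SAMPLE_LOG = """\
2025-12-09T02:10:00 10.10.5.10 10.20.0.15 5900 auth_ok
2025-12-09T02:14:01 203.0.113.7 10.20.0.15 5900 auth_fail
2025-12-09T02:14:05 203.0.113.7 10.20.0.15 5900 auth_fail
2025-12-09T02:14:09 203.0.113.7 10.20.0.15 5900 auth_fail
2025-12-09T02:14:13 203.0.113.7 10.20.0.15 5900 auth_fail
2025-12-09T02:14:17 203.0.113.7 10.20.0.15 5900 auth_fail
2025-12-09T02:14:21 203.0.113.7 10.20.0.15 5900 auth_ok
2025-12-09T02:30:00 198.51.100.23 10.20.0.40 3389 auth_fail
2025-12-09T02:31:00 10.10.5.10 10.30.0.9 3389 auth_ok
garbled line
2025-12-09T02:45:00 198.51.100.23 10.20.0.40 3389 auth_fail
"""


def parse_line(line):
    """Return (time, src, dst, dport, result), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("auth_ok", "auth_fail"):
        return None
    try:
        return (datetime.fromisoformat(parts[0]),
                ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]),
                int(parts[3]),
                parts[4])
    except ValueError:
        return None


def _alert(rule, ts, src, dst, service):
    return {"rule": rule, "time": ts.isoformat(), "src": str(src),
            "dst": str(dst), "service": service}


def detect(log_text):
    """Return (alerts, malformed_line_count) for a time-ordered log."""
    alerts, malformed = [], 0
    seen_exposure = set()            # (src, dst, service) already reported
    failures = defaultdict(deque)    # (src, dst) -> recent failure timestamps
    bursting = set()                 # (src, dst) pairs that tripped the burst rule
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            malformed += 1           # count, do not silently drop, unparseable lines
            continue
        ts, src, dst, dport, result = record
        service = REMOTE_PORTS.get(dport)
        if service is None or dst not in OT_SUBNET:
            continue                 # only remote-access ports on OT hosts matter here
        key = (src, dst)
        # Rule 1: remote access to OT that did not come through the jump host.
        if src not in JUMP_HOSTS and (src, dst, service) not in seen_exposure:
            seen_exposure.add((src, dst, service))
            alerts.append(_alert("direct_exposure", ts, src, dst, service))
        if result == "auth_fail":
            # Rule 2: sliding-window count of failed logins per (src, dst).
            window = failures[key]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_FAILURES and key not in bursting:
                bursting.add(key)
                alerts.append(_alert("brute_force", ts, src, dst, service))
        elif key in bursting:
            # Rule 3: a login succeeded after a burst from the same source.
            alerts.append(_alert("success_after_burst", ts, src, dst, service))
    return alerts, malformed


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"malformed lines skipped: {bad}")
```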
CISA Known Exploited Vulnerabilities catalog grows
CISA added CVE-2023-52163 to the Known Exploited Vulnerabilities catalog on December 22. The vulnerability is a missing authorization flaw in DigiEver DS-2105 Pro network video recorders that allows attackers to bypass authentication and gain administrative access. Federal agencies must remediate by January 12, 2026. The vulnerability has been exploited in the wild against municipal government surveillance systems, according to CISA.
Earlier December additions to the KEV catalog included several critical vulnerabilities requiring immediate attention:
CVE-2025-20393 is an improper input validation vulnerability in Cisco IOS, IOS XE, and NX-OS that was exploited by Chinese APT actor UAT-9686. The vulnerability allows remote attackers to cause denial of service or potentially execute arbitrary code. Cisco released patches in November, but CISA added the vulnerability to KEV in December after confirming active exploitation against federal networks.
CVE-2025-40602 is a missing authorization vulnerability in SonicWall SMA1000 series appliances. Unauthenticated attackers can bypass authentication to access administrative functions. SonicWall has not yet released a patch, instead providing mitigation guidance to restrict administrative interface access to trusted networks only.
CVE-2025-59374 involves embedded malicious code in ASUS Live Update utility. The supply chain compromise allowed attackers to distribute trojanized updates to ASUS laptop users. ASUS released a clean version in November and is working with law enforcement to investigate how the compromise occurred.
CVE-2025-55182, known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components. The vulnerability has a CVSS score of 10.0, the maximum severity. Amazon detected China-linked groups including UNC5174 exploiting React2Shell within hours of public disclosure. Over 28,964 IP addresses globally were found vulnerable. The React team released patches in December for all affected versions.
The React2Shell vulnerability is particularly concerning for government applications because React is widely used in modern web applications, the vulnerability allows complete system compromise with no authentication required, exploitation has been fully automated by threat actors, and vulnerable systems are trivially identifiable through automated scanning. Federal agencies and contractors must verify that all React-based applications have been patched and that detection coverage exists for indicators of compromise associated with React2Shell exploitation.
BRICKSTORM malware update shows persistent China focus on virtualization
CISA, NSA, and the Canadian Centre for Cyber Security released an updated malware analysis report on December 19 for BRICKSTORM, a backdoor attributed to People’s Republic of China state-sponsored actors. The campaign targets VMware vSphere and Windows systems, maintaining long-term persistence and enabling credential theft and potential sabotage.
The updated analysis includes additional indicators of compromise, expanded detection signatures for EDR and SIEM platforms, and new information about BRICKSTORM’s command and control infrastructure. The malware specifically targets virtualization management platforms because compromising a hypervisor provides access to all virtual machines running on that infrastructure. A single BRICKSTORM infection can enable access to dozens or hundreds of production systems depending on the environment’s scale.
For CIOs, CISOs, and infrastructure leaders, BRICKSTORM represents a fundamental shift in threat modeling. Nation-state adversaries are not just targeting application vulnerabilities or end-user devices. They are moving up the stack to compromise the platforms that manage virtualization, storage, and compute resources. Organizations must ensure comprehensive logging is enabled for virtualization infrastructure, management consoles are not accessible from production networks, security operations teams have visibility into hypervisor and infrastructure logs, and detection signatures for BRICKSTORM and similar malware are deployed.
The BRICKSTORM advisory comes with specific recommendations around logging, network segmentation, and detection signatures. Organizations should treat these as minimum baselines, not aspirational guidance. If virtualization infrastructure does not have comprehensive logging enabled, if management consoles are accessible from production networks, or if security operations teams do not have visibility into hypervisor and infrastructure logs, the organization is operating blind to one of the most consequential attack surfaces in the environment.
Sources:
CISA, “Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure,” December 9, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-343a
Cyber Press, “CISA Flags Actively Exploited Digiever Authorization Flaw in KEV Catalog,” December 2025, https://cyberpress.org/cisa-flags-kev-catalog/
CISA, “Known Exploited Vulnerabilities Catalog,” December 2025, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CISA, “CISA Adds Three Known Exploited Vulnerabilities to Catalog,” December 17, 2025, https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
Security Affairs, “U.S. CISA adds a Meta React Server Components flaw to its Known Exploited Vulnerabilities catalog,” December 2025, https://securityaffairs.com/185427/security/u-s-cisa-adds-a-meta-react-server-components-flaw-to-its-known-exploited-vulnerabilities-catalog.html
The Hacker News, “Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation,” December 2025, https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
CISA, “CISA and Partners Release Update to Malware Analysis Report BRICKSTORM Backdoor,” December 19, 2025, https://www.cisa.gov/news-events/alerts/2025/12/19/cisa-and-partners-release-update-malware-analysis-report-brickstorm-backdoor
4: Commercial Cloud and AI Infrastructure Surge Despite Physical Constraints
Commercial cloud providers made unprecedented commitments to government AI infrastructure this week, totaling over $50 billion in announced investments. These announcements occurred against a backdrop of persistent power constraints, community opposition to data center development, and regulatory uncertainty about grid connections. The disconnect between commercial ambition and physical reality creates both opportunity and risk for government technology leaders planning multi-year cloud and AI strategies.
AWS commits $50 billion to government AI infrastructure
Amazon Web Services announced December 18 it will invest up to $50 billion to expand AI and supercomputing infrastructure for U.S. government customers. The investment will add nearly 1.3 gigawatts of compute capacity across AWS Top Secret, AWS Secret, and AWS GovCloud Regions. Construction breaks ground in 2026, with first facilities expected operational in late 2027.
AWS’s second Secret Cloud Region, designated Secret-West, is now operational, providing government customers with geographic redundancy for workloads at the Secret classification level. The region offers the full range of AWS services including compute, storage, databases, analytics, and machine learning at the same pricing and performance as commercial AWS regions. This matters for agencies that have hesitated to move classified workloads to cloud due to concerns about single points of failure or geographic concentration.
The $50 billion commitment represents AWS’s largest government-focused infrastructure investment to date and positions the company to compete aggressively for the next generation of federal cloud contracts. It also reflects AWS’s assessment that government demand for AI compute capacity will grow exponentially over the next five years as agencies move from pilot projects to production deployment at scale.
For federal CIOs and acquisition officials, the AWS announcement creates leverage in cloud negotiations. When a vendor commits $50 billion to government infrastructure, they are signaling they will be flexible on contract terms, pricing, and technical requirements to secure large commitments. Agencies should use this dynamic to push for better economic terms, expanded service offerings in classified regions, and contractual commitments around service levels and data sovereignty.
Google Cloud selected for GenAI.mil platform
Google Cloud was selected by the Chief Digital and Artificial Intelligence Office to power the GenAI.mil platform with Gemini for Government. The platform serves 3 million Department of War civilian and military personnel and operates at Impact Level 5 authorization, allowing it to handle controlled unclassified information and some classified data. GSA’s OneGov agreement offers agencies Gemini access for $0.47 per agency, dramatically reducing cost barriers to AI adoption.
The GenAI.mil selection demonstrates Google Cloud’s growing penetration into defense markets despite its historical reluctance to support some defense contracts. The company has invested heavily in government-specific infrastructure and compliance capabilities, earning FedRAMP High authorization and Impact Level 5 DoD Provisional Authorization. Google Cloud now operates three Department of War regions and is expanding with additional Secret and Top Secret capabilities.
The platform approach allows the Department of War to offer multiple commercial LLMs through a single interface with consistent security controls. Beyond Google’s Gemini, the platform includes OpenAI, Anthropic, Meta, and xAI models. Users can select the most appropriate model for their task rather than being locked into a single vendor. This multi-model strategy reflects recognition that different LLMs have different strengths and that betting entirely on one vendor creates strategic risk.
Microsoft Azure expands government presence
Microsoft Azure announced expansion plans for its government clouds in December. Three Availability Zones are coming to the US Government Arizona region in early 2026, providing customers with in-region redundancy and disaster recovery options. The East US 3 region in Atlanta is scheduled to come online in early 2027, expanding Microsoft’s government footprint to six regions.
Azure Local with next-generation NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs is now generally available for on-premises AI workloads. This matters for agencies with data sovereignty requirements, air-gapped environments, or edge computing needs that prevent full cloud migration. Azure Local allows agencies to run Azure services on-premises while maintaining integration with cloud-based management and security tools.
Microsoft has also strengthened sovereign cloud capabilities with new services designed for government customers requiring data residency, operational resilience, and enhanced security. The company’s Trusted Cloud for Sovereignty initiative provides governments with architectural guidance, reference implementations, and tooling to maintain control over data location and access while still leveraging cloud capabilities.
Department of Energy Genesis Mission gains major partnerships
The Department of Energy’s Genesis Mission, announced earlier in 2025, gained significant partnerships in December. NVIDIA and Oracle will build Solstice, DOE’s largest AI supercomputer, with 100,000 NVIDIA Blackwell GPUs at Argonne National Laboratory. The system is designed to support climate modeling, materials science, fusion energy research, and other computationally intensive scientific applications that require AI acceleration.
AWS, Google Cloud, Microsoft, and other cloud providers have committed supporting infrastructure for Genesis Mission workloads that can run on commercial cloud platforms. This hybrid approach allows DOE to maintain on-premises supercomputing for workloads requiring extreme performance or data sensitivity while leveraging cloud infrastructure for distributed computing, data analysis, and collaboration with external research partners.
The Genesis Mission partnerships demonstrate a maturation in how government approaches large-scale computing. Rather than building everything internally or outsourcing everything to commercial providers, agencies are adopting hybrid strategies that match workload characteristics to infrastructure capabilities. Highly specialized, performance-critical workloads run on purpose-built government infrastructure. More general workloads that can tolerate some latency and don’t require custom hardware run on commercial cloud platforms where they can leverage economies of scale and rapid innovation.
Power constraints remain fundamental bottleneck
Data center power demand increased 22 percent in 2025, requiring 61.8 gigawatts across the United States. Demand is expected to nearly triple by 2030, reaching 134.4 gigawatts, according to S&P Global analysis. Grid connection queues in hotspots like Virginia have stretched to seven years. Utilities in some regions are declining new data center interconnection requests entirely due to lack of available capacity.
FERC’s December 18 ruling directing PJM Interconnection to establish transparent rules for data center-power plant colocation may accelerate some projects. The ruling creates new regulatory tracks potentially allowing large power users to pay only for transmission services used rather than current cost allocation methods that spread infrastructure costs across all ratepayers. This could significantly reduce the upfront capital required for data center developers to secure power.
However, the ruling also faces opposition. Consumer advocates argue it could shift costs to residential and small business customers. Environmental groups worry it could lock in fossil fuel generation by making it easier for data centers to pair directly with natural gas or coal plants. The Energy Department is conducting a 90-day study of AI infrastructure power needs and grid impacts, due in March 2026, which will inform future policy.
For federal agencies planning cloud migrations or AI deployments, power constraints have practical implications. Hyperscalers are prioritizing government and large enterprise customers for scarce power capacity. Agencies with significant cloud commitments will receive better access to new capacity than agencies with small or unpredictable workloads. This dynamic should influence contract strategy. Agencies should consider consolidating workloads with fewer providers to improve their prioritization for new capacity rather than spreading workloads across many providers for diversification.
Community opposition blocks billions in data center projects
Community resistance blocked or delayed $98 billion in data center projects in Q2 2025 alone, according to Data Center Watch analysis. Some 188 active opposition groups across 24 states now organize against developments, with 66 percent of protested projects either blocked entirely or significantly delayed. This represents a dramatic acceleration from 2023 and 2024, when community opposition was sporadic and rarely successful.
Notable victories for opposition groups include AWS withdrawing a 7.2 million square foot proposal in Louisa County, Virginia, in July after sustained community organizing; a court voiding Prince William Digital Gateway rezoning in August, halting a multi-billion dollar QTS project; and Chandler, Arizona’s city council unanimously rejecting a data center project in mid-December despite intensive lobbying that included former Senator Kyrsten Sinema.
Opposition groups cite water consumption, electricity costs, farmland loss, noise from cooling systems, and lack of local economic benefits as primary concerns. In northeastern Pennsylvania, residents describe organizing against data centers as “a full-time job,” with over 200 residents packing public hearings in Archbald in September. Local officials in multiple jurisdictions have responded by imposing moratoria on new data center approvals while studying impacts and revising zoning requirements.
The opposition is bipartisan and spans urban, suburban, and rural communities. Prince William County, Virginia, is politically divided and saw opposition from both progressive environmental groups and conservative property rights advocates. Chandler, Arizona, leans Republican and opposed the data center primarily on economic development grounds, questioning whether the project would deliver promised jobs and tax revenue. Northeastern Pennsylvania is working-class and politically diverse, with opposition driven by quality-of-life concerns that cross partisan lines.
For government agencies, the community opposition trend means hyperscaler roadmaps should be treated as aspirational rather than committed. Announced data center projects may not materialize on promised timelines or in promised locations. Agencies should build scenarios where expected capacity comes online late or not at all, maintain workload portability so applications can move between regions if needed, and develop relationships with multiple providers rather than depending entirely on one whose expansion plans may encounter community resistance.
Sources:
Amazon, “Amazon to invest up to $50 billion to expand AI and supercomputing infrastructure for US government agencies,” December 2025, https://www.aboutamazon.com/news/company-news/amazon-ai-investment-us-federal-agencies
Google Cloud, “Chief Digital and Artificial Intelligence Office Selects Google Cloud’s AI to Power GenAI.mil,” December 9, 2025, https://www.googlecloudpresscorner.com/2025-12-09-Chief-Digital-and-Artificial-Intelligence-Office-Selects-Google-Clouds-AI-to-Power-GenAI-mil
GSA, “GSA, Google Announce Transformative ‘Gemini for Government’ OneGov Agreement,” August 21, 2025, https://www.gsa.gov/about-us/newsroom/news-releases/gsa-google-announce-gemini-onegov-agreement-08212025
Microsoft Azure, “Future-Ready Cloud: Microsoft’s U.S. Infrastructure Investments,” December 2025, https://azure.microsoft.com/en-us/blog/microsofts-commitment-to-supporting-cloud-infrastructure-demand-in-the-united-states/
Microsoft Azure, “New options for AI-powered innovation, resiliency, and control with Microsoft Azure,” December 2025, https://azure.microsoft.com/en-us/blog/new-options-for-ai-powered-innovation-resiliency-and-control-with-microsoft-azure/
Department of Energy, “Energy Department Announces New Partnership with NVIDIA and Oracle to Build Largest DOE AI Supercomputer,” December 2025, https://www.energy.gov/articles/energy-department-announces-new-partnership-nvidia-and-oracle-build-largest-doe-ai
Engineering News-Record, “Power Sector Debates New Federal Rules for Data Center ‘Large Load’ Links to Grid,” December 2025, https://www.enr.com/articles/62219-power-sector-debates-new-federal-rules-for-data-center-large-load-links-to-grid
S&P Global, “Data center grid-power demand to rise 22% in 2025, nearly triple by 2030,” October 2025, https://www.spglobal.com/energy/en/news-research/latest-news/electric-power/101425-data-center-grid-power-demand-to-rise-22-in-2025-nearly-triple-by-2030
FERC, “FERC Directs Nation’s Largest Grid Operator to Create New Rules to Embrace Innovation and Protect Consumers,” December 18, 2025, https://www.ferc.gov/news-events/news/ferc-directs-nations-largest-grid-operator-create-new-rules-embrace-innovation-and
U.S. News, “Feds Pave the Way for Big Tech to Plug Data Centers Right Into Power Plants,” December 18, 2025, https://www.usnews.com/news/business/articles/2025-12-18/feds-pave-the-way-for-big-tech-to-plug-data-centers-right-into-power-plants-in-scramble-for-energy
Data Center Watch, “Data Center Watch Report Q2 2025 UPDATE,” 2025, https://www.datacenterwatch.org/q22025
TechCrunch, “The year data centers went from backend to center stage,” December 24, 2025, https://techcrunch.com/2025/12/24/the-year-data-centers-went-from-backend-to-center-stage/
Data Center Frontier, “When Communities Push Back: Navigating Data Center Opposition,” December 2025, https://www.datacenterfrontier.com/site-selection/article/55307719/when-communities-push-back-navigating-data-center-opposition
SlashGear, “Communities Across America Push Back On AI Data Centers,” December 2025, https://www.slashgear.com/2060153/growing-protests-ai-data-centers-america/
NBC News, “Study shows state and local opposition to new data centers is gaining steam,” December 2025, https://www.nbcnews.com/politics/economics/state-local-opposition-new-data-centers-gaining-steam-rcna243838
5: Acquisition Reform and Compliance Requirements Reshape Federal Procurement
The last quarter of 2025 delivered the most significant changes to federal acquisition in over four decades. The Revolutionary FAR Overhaul went live November 3, eliminating over 1,600 burdensome requirements and raising key thresholds. GSA’s OASIS+ Phase II expands January 12, adding five new service domains. CMMC Phase 1 became mandatory November 10, creating compliance obligations for nearly 340,000 entities in the defense industrial base. Meanwhile, OMB’s “Unbiased AI Principles” memorandum adds new evaluation criteria for all federal AI procurements.
Revolutionary FAR Overhaul fundamentally changes acquisition landscape
The Revolutionary FAR Overhaul represents the culmination of multi-year efforts by the Federal Acquisition Regulatory Council to modernize procurement rules. Over 1,600 requirements identified as burdensome, outdated, or redundant were eliminated. Key threshold adjustments effective October 1, 2025 include:
The micro-purchase threshold increased from $10,000 to $15,000, allowing contracting officers to make small purchases more quickly with less documentation.
The simplified acquisition threshold rose from $250,000 to $350,000, expanding the range of procurements that can use streamlined procedures.
The commercial products and services ceiling increased from $7.5 million to $9.5 million, treating more acquisitions as commercial rather than requiring unique government specifications.
The cost and pricing data threshold increased from $2 million to $2.5 million, reducing the number of contracts requiring certified cost or pricing data.
The changes reflect decades of feedback from industry and government acquisition professionals that overly prescriptive rules increase costs, slow delivery, and drive companies away from government contracting. The FAR Overhaul maintains necessary oversight and accountability while eliminating requirements that add cost without commensurate benefit.
Early implementation data from GSA shows increased competition for contracts between $250,000 and $350,000, as more companies are willing to bid under simplified acquisition procedures than in formal full-and-open competitions. Average procurement timelines for contracts in this range have decreased by approximately 25 percent. These benefits should compound as the acquisition workforce becomes more familiar with the new thresholds and procedures.
For contractors and government buyers, the FAR Overhaul creates opportunities but also requires updated training and revised internal procedures. Companies should review their proposal processes to ensure they’re taking advantage of simplified procedures where eligible. Government contracting officers need training on the new thresholds and requirements to avoid continuing to apply old rules out of habit.
OASIS+ Phase II dramatically expands scope
GSA’s OASIS+ Phase II expands January 12, 2026, adding five new service domains: Business Administration, Financial Services, Human Capital, Marketing and Public Relations, and Social Services. This brings total domains to 13 across all six OASIS+ solicitations. The expansion opens opportunities for thousands of additional contractors and allows agencies to use OASIS+ for service categories previously requiring other contract vehicles.
Phase I OASIS+ domains included Complex Integration and IT, Environmental Health & Safety, Homeland Security & Law Enforcement, Facilities, Intelligence, Logistics, Research & Development, and Technical & Engineering. Phase II domains were always planned but delayed to allow GSA to fully implement and stabilize Phase I operations. With over $10 billion in task orders awarded under Phase I OASIS+ in its first year, GSA determined the infrastructure could handle expansion.
The Business Administration domain covers strategy and planning, acquisition support, human resources, finance, and program management. Financial Services includes tax, audit, accounting, and financial advisory services. Human Capital covers workforce planning, training, organizational development, and change management. Marketing and Public Relations includes strategic communications, media relations, digital marketing, and brand management. Social Services covers child welfare, aging services, disability services, and community development.
For contractors, Phase II represents a major opportunity to compete for OASIS+ contract slots in domains where they have capabilities. For agencies, Phase II expands OASIS+ utility as a go-to vehicle for professional services across a broader range of categories. GSA has indicated it will continue expanding domains over time, with Healthcare, Legal Services, and Scientific Services under consideration for future phases.
CMMC compliance becomes mandatory with limited assessment capacity
Cybersecurity Maturity Model Certification Phase 1 became active November 10, 2025, with full implementation required by November 10, 2028. Nearly 340,000 entities are expected to be impacted. Of these, 68 percent are small businesses. Phase 1 requires annual self-assessments and affirmations for Level 1 and Level 2 Self. Results must be reported in the Supplier Performance Risk System. False Claims Act liability applies to misrepresentations in self-assessments.
CMMC Level 1 requires implementation of 17 basic cybersecurity practices aligned with Federal Acquisition Regulation 52.204-21. Level 2 requires implementation of all 110 security requirements in NIST SP 800-171, covering 14 security domains. Level 2 Advanced adds 24 additional practices for organizations handling particularly sensitive controlled unclassified information. Level 3, for contractors handling classified information, requires full NIST SP 800-172 implementation.
Assessment capacity remains a significant concern. Approximately 70 firms are authorized to provide Level 2 assessments as CMMC Third-Party Assessment Organizations. Nearly 80,000 firms will need Level 2 certification over the three-year implementation period. Simple math suggests assessment capacity is insufficient unless C3PAOs dramatically increase their assessor workforce or unless DoD adjusts implementation timelines.
DoD has indicated it will prioritize assessments based on contract value and sensitivity of information handled. Prime contractors on major weapon system programs will face earlier compliance requirements than subcontractors on low-value service contracts. This creates a tiered implementation where the highest-risk portions of the supply chain receive scrutiny first, buying time for assessment capacity to grow.
For defense contractors, CMMC compliance is not optional. Contracts requiring Federal Contract Information or Controlled Unclassified Information handling will include CMMC requirements in solicitations starting in early 2026. Companies that delay compliance will lose access to major portions of the defense market. The prudent approach is to begin Level 1 or Level 2 self-assessment immediately, identify gaps, develop remediation plans, and schedule C3PAO assessment as early as possible to avoid capacity bottlenecks.
FedRAMP 20x advances toward automation-driven authorization
FedRAMP selected three cloud services for Cohort 1 of the 20x Phase 2 pilot on December 10: Confluent Cloud for Government, Meridian LMS, and Paramify Cloud. Phase 1 resulted in 26 cloud service providers submitting packages with 13 authorizations granted. The results demonstrate that automation-driven security assurance can work at scale but requires significant upfront investment in tooling and process change by both FedRAMP and cloud service providers.
The transformation FedRAMP 20x represents is fundamental. Traditional FedRAMP authorization requires hundreds or thousands of pages of documentation describing security controls, their implementation, and evidence of effectiveness. The process is document-driven, manually intensive, and slow. Authorizations take 12-18 months on average. Cloud service providers must maintain documentation and update it whenever infrastructure or controls change, creating an ongoing burden.
FedRAMP 20x shifts to data-driven security assurance with machine-readable evidence and continuous monitoring. Instead of documenting that a control exists, cloud service providers generate real-time evidence showing the control is operating effectively. Automated tools continuously assess control effectiveness and alert when drift occurs. Authorization decisions are based on live data rather than point-in-time assessments.
The pilot has surfaced challenges. Generating machine-readable evidence requires significant tooling investment. Existing security tools often don’t export data in formats FedRAMP can consume. Cloud service providers must build integration layers to bridge their tools and FedRAMP’s data requirements. Smaller cloud service providers have found the technical lift daunting compared to document-based FedRAMP.
Cohort 2 proposals will be reviewed January 5-9, 2026, selecting up to seven additional participants. Traditional FedRAMP Rev 5 baselines remain the sole active path to authorization during the pilot period. FedRAMP has indicated that once 20x proves itself at scale, it will become the standard authorization approach, with the traditional document-driven process phased out over 2-3 years.
For cloud service providers pursuing FedRAMP authorization, the choice is whether to invest in 20x capabilities now or pursue traditional Rev 5 authorization with the knowledge that it may require costly re-authorization under 20x in 2-3 years. For agencies, FedRAMP 20x represents an opportunity to accelerate cloud adoption once the program matures, but near-term FedRAMP authorizations will continue to use traditional processes.
OMB’s Unbiased AI Principles add evaluation complexity
OMB Memorandum M-26-04, issued December 11, requires all federal large language model procurements to immediately include “truth-seeking” and “ideological neutrality” as material contract terms. Agencies must update their full procurement policies by March 11, 2026. The memorandum derives from the July 23, 2025 Executive Order “Preventing Woke AI in the Federal Government.”
The practical challenge for procurement officials is that “truth-seeking” and “ideological neutrality” are not well-defined technical specifications. The memorandum provides general guidance that models should provide accurate information, avoid ideological bias, and be transparent about limitations. It requires vendors to disclose training data characteristics, known limitations, and feedback mechanisms for reporting problematic outputs. However, it does not specify how agencies should evaluate whether an LLM meets these requirements or what evidence agencies should require from vendors.
This ambiguity creates risk for both agencies and vendors. Agencies that apply the requirements inconsistently or superficially may face criticism that they’re not taking the Executive Order seriously. Vendors that provide generic responses without substantive evidence may have proposals deemed non-responsive. The Office of Federal Procurement Policy is developing additional guidance but has not yet published it, leaving agencies to interpret M-26-04 requirements on their own.
GSA’s OneGov agreements provide a compliance path by including standardized language that participating vendors have agreed to. Agencies using OneGov agreements can rely on GSA’s evaluation of vendor responses rather than conducting independent assessments. For agencies pursuing LLM procurements outside OneGov, the safest approach is to require detailed vendor disclosures including training data descriptions, bias testing results, acceptable use policy terms, and model card documentation, then conduct technical evaluations to verify claims rather than accepting vendor representations at face value.
Sources:
Federal News Network, “Leveraging the Revolutionary FAR Overhaul,” December 2025, https://federalnewsnetwork.com/commentary/2025/12/leveraging-the-revolutionary-far-overhaul-rfo/
White House, “The Office of Federal Procurement Policy and the Small Business Administration Reinforce Small Business Participation in Federal Contracting,” September 2025, https://www.whitehouse.gov/briefings-statements/2025/09/the-office-of-federal-procurement-policy-and-the-small-business-administration-reinforce-small-business-participation-in-federal-contracting/
U.S. Department of Energy, “Federal Acquisition Circular (FAC) 2025-06 and Associated Changes to Revolutionary FAR Overhaul Model Deviation Texts,” December 2025, https://www.energy.gov/management/pf-2026-05-federal-acquisition-circular-fac-2025-06-and-associated-changes-revolutionary
GovCon Wire, “GSA Launches OASIS+ Contract Program’s Phase II,” December 2025, https://www.govconwire.com/articles/oasis-plus-phase-2-service-domains
GSA, “OASIS+,” December 2025, https://www.gsa.gov/buy-through-us/products-and-services/professional-services/buy-services/oasis-plus
Cohen Seglias, “Final CMMC Rule Takes Effect on November 10, 2025,” November 2025, https://www.cohenseglias.com/news-article/final-cmmc-rule-takes-effect-on-november-10-2025/
Federal News Network, “CMMC compliance reckoning for defense contractors arrives,” December 2025, https://federalnewsnetwork.com/commentary/2025/12/cmmc-compliance-reckoning-for-defense-contractors-arrives/
FedScoop, “Federal CIO ‘fully committed’ to GSA 20x as it moves into phase two,” December 2025, https://fedscoop.com/federal-cio-fully-committed-gsa-20x-as-moves-to-phase-two/
Carahsoft, “FedRAMP 20x: Modernizing Cloud Security Authorization,” December 2025, https://www.carahsoft.com/blog/regscale-fedramp-20x-modernizing-cloud-security-authorization-through-automation-and-continuous-assurance-blog-2025
Executive Gov, “FedRAMP Kicks Off 20x Phase 2 Pilot With Cohort 1 Selection,” December 2025, https://www.executivegov.com/articles/fedramp-20x-phase-2-cohort1-2026-plans
FedRAMP, “FedRAMP in 2025,” March 24, 2025, https://www.fedramp.gov/2025-03-24-FedRAMP-in-2025/
6: Budget and Legislative Activity Shape 2026 Technology Landscape
The government is currently operating under a Continuing Resolution expiring January 30, 2026, following the 43-day shutdown from October 1 through November 12, 2025. Nine of 12 appropriations bills remain unfinished. House Appropriations Chair Tom Cole and Senate Appropriations Chair Susan Collins announced a bicameral agreement on December 20, but Chairman Cole stated allocations will be “below the funding level projected in the continuing resolution,” signaling continued fiscal pressure.
Both Senate Minority Leader Schumer and President Trump expressed little appetite for another shutdown in January. However, IT investments remain in limbo until late January at minimum. The CR includes provisions barring agencies from initiating reductions-in-force through January 30, providing temporary workforce stability that may not extend into February.
FY 2026 NDAA signed with extensive technology provisions
President Trump signed the $900+ billion FY 2026 National Defense Authorization Act on December 18, containing extensive technology provisions affecting both defense and civilian agencies. The legislation includes the COINS Act, codifying restrictions on U.S. investments in semiconductors, AI, quantum computing, and hypersonics in countries of concern, primarily China. The Treasury Department receives expanded authority to review and block such investments, with civil penalties up to $368,136 per violation and criminal penalties including imprisonment.
The BIOSECURE Act prohibits federal agencies from contracting with designated Chinese biotech firms including BGI, MGI, Complete Genomics, WuXi AppTec, and WuXi Biologics. The legislation includes a five-year transition period allowing existing contracts to continue while agencies identify alternative suppliers. For life sciences research agencies and defense medical programs, this requires significant supply chain restructuring over the transition period.
AI security requirements direct the Department of War to establish an AI steering committee by April 2026, develop an AI and machine learning cybersecurity governance policy within 180 days, and implement physical and cybersecurity procurement requirements for AI systems. The legislation requires consideration of supply chain risks, data security, and adversary manipulation risks in all AI acquisition decisions.
Notably absent from the final NDAA were federal preemption of state AI laws and SBIR/STTR reauthorization. Both provisions were included in earlier versions but removed during conference negotiations. The absence of SBIR/STTR reauthorization means the programs are currently operating under temporary extension and face another expiration deadline in March 2026.
SAMOSA Act targets wasteful software spending
The House passed the SAMOSA Act (Strengthening Agency Management and Oversight of Software Assets) on December 16 by a vote of 387-24. The legislation requires agencies to create comprehensive software inventories identifying all licensed software, usage data, costs, and redundancies. OMB estimates agencies waste approximately $5 billion annually on duplicate software licenses, unused subscriptions, and software that doesn’t meet agency needs.
The legislation directs OMB to establish standards for software asset management within 180 days. Agencies must implement compliant software asset management programs within one year of OMB issuing standards. GAO will conduct annual reviews of agency compliance and report savings achieved through better software management.
Software asset management is unsexy but consequential. Many agencies have no systematic tracking of what software they own, how many licenses they’ve purchased, how many are actively used, or where opportunities exist for consolidation. Software vendors have little incentive to help agencies optimize their spending, often using complex licensing models that make it difficult for agencies to understand what they’re paying for.
The SAMOSA Act provides a mandate and resources for agencies to build software asset management capabilities. Organizations that implement effective software asset management typically realize 15-30 percent cost savings through identification of unused licenses, consolidation of duplicate tools, and negotiation of better pricing based on actual usage data.
AI workforce legislation advances
Multiple AI workforce bills advanced in December, reflecting congressional recognition that technology policy requires human capital strategy. The AI Talent Act, introduced December 10-11, creates specialized AI and technology talent teams within agencies. The bill establishes hiring authorities allowing agencies to recruit technical experts at higher salaries and with streamlined onboarding.
The AI Workforce PREPARE Act, introduced December 3-4, creates an AI Workforce Research Hub within the Department of Labor to study how AI is affecting employment patterns, wages, and skill requirements across sectors. The legislation updates the Worker Adjustment and Retraining Notification Act to require advance notice when AI adoption will result in layoffs. Employers must provide 60 days’ notice and include information about retraining opportunities and assistance available to affected workers.
While neither bill has passed, both reflect emerging consensus that AI’s workforce impacts require policy response beyond letting markets adjust. The next Congress will likely continue developing workforce AI policy, with focus areas including reskilling programs, unemployment insurance eligibility for AI-displaced workers, and requirements for employers to assess workforce impacts before large-scale AI deployment.
VA prepares for EHR restart amid skepticism
The Department of Veterans Affairs is months away from restarting Oracle Health EHR deployments after a pause since April 2023. The department plans 13 site deployments in 2026, starting with four Michigan sites in April. The project’s lifecycle cost has grown to approximately $37 billion, making it one of the most expensive federal IT initiatives in history.
Senate Democrats sent a letter in mid-December expressing concerns about the aggressive rollout timeline. The letter cites GAO findings that only 13 percent of VA staff believed the modernized system made VA as efficient as possible, while 58 percent believed it increased patient safety risks. The department still needs to address 12 priority GAO recommendations around testing, data migration, training, and change management.
Simultaneously, VA announced its largest healthcare system reorganization in 30 years, reducing Veterans Integrated Service Networks from 18 to 5. The reorganization consolidates regional leadership and administrative functions, reducing management layers between healthcare facilities and VA central office. The change adds organizational complexity to the already challenging EHR technical deployment.
For federal IT leaders, the VA EHR situation illustrates several cautionary lessons. First, large enterprise system deployments require stable organizational structures. Pursuing major technical transformation while reorganizing creates compounded change that overwhelms organizations. Second, user confidence matters. When 58 percent of end users believe a system increases safety risks, leadership statements that the system is ready ring hollow. Third, cost escalation on this scale signals fundamental project management challenges that won’t resolve without difficult decisions about scope, schedule, or approach.
SSA demonstrates IT investment can deliver results
On a more positive note, the Social Security Administration Office of Inspector General released an audit on December 22 confirming that SSA’s publicly reported telephone metrics were accurate and overall performance improved dramatically in FY 2025. Wait times dropped from 30 minutes in January 2025 to 7 minutes in September 2025, while the agency served 65 percent more callers. The audit confirmed technology enhancements and strategic staffing decisions drove improvements.
SSA invested in cloud-based call center infrastructure, AI-powered call routing that matches callers with agents based on need and agent expertise, and expanded callback options allowing callers to hold their place in queue without staying on the line. The agency also temporarily reassigned back-office staff to phone duty during peak periods and extended call center hours.
The SSA success demonstrates that IT investments in citizen-facing services can yield dramatic results even amid workforce reductions and budget constraints. The key factors were focus on a specific measurable outcome, investment in appropriate technology, willingness to change business processes to leverage technology, and leadership commitment to improving service.
Sources:
Steptoe, “The Topline: Steptoe Appropriations Newsletter,” December 19, 2025, https://www.steptoe.com/en/news-publications/the-topline-steptoe-appropriations-newsletter-december-19-2025.html
White House, “Congressional Bill S. 1071 Signed into Law,” December 2025, https://www.whitehouse.gov/briefings-statements/2025/12/congressional-bill-s-1071-signed-into-law/
Holland & Knight, “FY 2026 National Defense Authorization Act: A Comprehensive Analysis,” December 2025, https://www.hklaw.com/en/insights/publications/2025/12/fy-2026-national-defense-authorization-act
Fenwick, “NDAA Expands US Trade, Technology, and Security Regulations in 2026,” December 2025, https://www.fenwick.com/insights/publications/ndaa-expands-us-trade-technology-and-security-regulations-in-2026
Akin Gump, “Congress Moves Forward with AI Measures in Key Defense Legislation,” December 2025, https://www.akingump.com/en/insights/alerts/congress-moves-forward-with-ai-measures-in-key-defense-legislation
Crowell & Moring, “The FY 2026 National Defense Authorization Act,” December 2025, https://www.crowell.com/en/insights/client-alerts/the-fy-2026-national-defense-authorization-act
The Hill, “NDAA drops AI provisions, addresses China chip exports,” December 2025, https://thehill.com/policy/technology/5639209-ndaa-ai-preemption-chip-exports/
Nextgov, “House passes measure to help reduce federal software spending,” December 2025, https://www.nextgov.com/acquisition/2025/12/house-passes-measure-help-reduce-federal-software-spending/410217/
Nextgov, “AI’s impact on US workforce receives renewed legislative scrutiny,” December 2025, https://www.nextgov.com/artificial-intelligence/2025/12/ais-impact-us-workforce-receives-renewed-legislative-scrutiny/409953/
Federal News Network, “VA in 2026 looks to get EHR rollout back on track, embark on health care reorganization,” December 2025, https://federalnewsnetwork.com/veterans-affairs/2025/12/va-in-2026-looks-to-get-ehr-rollout-back-on-track-embark-on-health-care-reorganization/
Nextgov, “Lawmakers question VA health record’s costs and batched deployments,” December 2025, https://www.nextgov.com/modernization/2025/12/lawmakers-question-va-health-records-costs-and-batched-deployments/410188/
FedScoop, “Senate Democrats sound alarm over VA’s resumption of EHR rollout,” December 2025, https://fedscoop.com/electronic-health-record-modernization-senate-democrats-veterans-affairs-ehr-rollout/
Military Times, “VA to launch largest reorganization of health care system in 30 years,” December 17, 2025, https://www.militarytimes.com/veterans/2025/12/17/va-to-launch-largest-reorganization-of-health-care-system-in-30-years/
Social Security Administration, “Inspector General Report Confirms Significant Customer Service Improvements at Social Security,” December 22, 2025, https://www.ssa.gov/news/en/press/releases/2025-12-22.html
The Week Ahead
The January 30 CR expiration will dominate the first month of 2026. Congressional leaders have indicated they will pursue a short-term extension rather than full-year appropriations, likely through March or April. This provides agencies minimal budget certainty and forces continued operation under restrictive CR terms that prohibit new starts, limit hiring, and restrict reprogramming flexibility.
The December 29 deadline for agency AI policies marks a beginning, not an ending. Agencies will spend the first quarter of 2026 operationalizing those policies, training the acquisition workforce on new requirements, updating contract templates, and working with vendors to clarify expectations. Expect confusion, inconsistent interpretation, and multiple rounds of OMB clarification as agencies implement policies across diverse missions and procurement contexts.
The DOJ AI Litigation Task Force, due January 10, will set the tone for federal-state AI conflicts in 2026. If DOJ files aggressive challenges to multiple state laws simultaneously, expect prolonged litigation that creates regulatory uncertainty for years. If DOJ takes a more measured approach targeting specific provisions rather than entire state frameworks, resolution may come faster through negotiation or narrow judicial rulings.
OASIS+ Phase II reopening January 12 will generate significant proposal activity. Contractors should prepare now rather than waiting for the solicitation. GSA has published draft requirements and evaluation criteria. Companies should assess their capabilities against Phase II domains, identify teaming partners if needed, and begin assembling technical and past performance documentation.
The Medicare WISeR Model launching January 1 will be closely watched by healthcare stakeholders, policy analysts, and other federal programs considering AI-powered decision systems. Early results will likely take 6-12 months to materialize, but anecdotal reports of implementation challenges, denial patterns, and provider reactions will emerge much sooner. Healthcare CIOs should monitor WISeR developments as a preview of expectations for clinical AI governance.
FedRAMP 20x Cohort 2 selection in early January will indicate whether automation-driven security authorization can scale beyond initial pilot participants. If FedRAMP struggles to find qualified participants or if technical challenges prevent Cohort 2 from advancing, that will signal the program needs more time to mature. If Cohort 2 proceeds smoothly, expect FedRAMP to accelerate the transition toward 20x as the primary authorization approach.
Data center power constraints will likely trigger more community opposition campaigns in early 2026 as developers seek permits and utilities seek rate increases to fund infrastructure upgrades. CIOs planning cloud migrations should engage with hyperscalers now about capacity availability timelines rather than assuming announced buildouts will materialize on schedule.
The broader pattern across all these developments is uncertainty layered on uncertainty. Budget uncertainty from the CR. Policy uncertainty from unresolved federal-state AI conflicts. Workforce uncertainty from continued reorganizations and reductions. Procurement uncertainty from new requirements and processes. Infrastructure uncertainty from power constraints and community opposition. Technology leaders who build flexibility into their strategies, maintain relationships with multiple vendors, and avoid large bets on single outcomes will navigate 2026 better than those who assume continuity and predictability.
Closing Perspective
December 22-28, 2025 will be remembered not for any single announcement but for the pattern that emerged when viewed as a whole. The federal government is attempting a fundamental transformation of how it acquires, deploys, and governs technology, while simultaneously reducing workforce, operating under continuing resolutions, and navigating unprecedented commercial investment in government-focused AI infrastructure.
The December 29 AI policy deadline, the expired TMF authorization, the 85 percent CIO turnover, the $50 billion in commercial AI commitments, the persistent Salt Typhoon presence in telecom networks, and the community opposition blocking data center developments are not separate stories. They are interconnected symptoms of a technology environment in profound transition.
The organizations that will succeed in this environment are not the ones with the most ambitious roadmaps or the largest budgets. They are the ones that recognize constraints as the defining feature of the landscape and build adaptive strategies around them. They maintain compliance with current state AI requirements while preparing for potential federal preemption. They diversify infrastructure across providers and regions rather than betting on single hyperscalers whose expansion plans may encounter delays. They invest in workforce development and retention even while political leadership emphasizes efficiency and headcount reduction. They treat cybersecurity as an operational discipline requiring constant vigilance rather than a compliance checkbox.
The week ahead marks an inflection point. The decisions made in response to December’s developments on AI governance, modernization funding, workforce capacity, security posture, and acquisition strategy will shape federal IT operations throughout 2026 and beyond. The promise of AI-enabled government operations remains transformative. The path to delivering on that promise runs through constraints that cannot be wished away or solved with capital alone. Those who navigate the constraints with strategic clarity and operational discipline will emerge stronger. Those who ignore the constraints will find themselves overtaken by events.
This update was assembled using a mix of human editorial judgment, public records, and reputable national and sector-specific news sources, with help from artificial intelligence tools to summarize and organize information. All information is drawn from publicly available sources listed above. Every effort is made to keep details accurate as of publication time, but readers should always confirm time-sensitive items such as policy changes, budget figures, and timelines with official documents and briefings.
All original content, formatting, and presentation are copyright 2025 Metora Solutions LLC, all rights reserved. For more information about our work and other projects, drop us a note at info@metorasolutions.com