October is Cybersecurity Awareness Month. 2025 has been a year sprinkled with updates to security needs across federal agencies, with new rules and enforcement attempting to reshape how IT vendors and partners engage with the government. Here’s the most prominent Need to Know topics and insights across the space, starting with CMMC.

CMMC 2.0

The Department of Defense is set to begin enforcing the Cybersecurity Maturity Model Certification (CMMC) regulations on November 10, 2025.

The Department of Veterans Affairs’ (VA) Office of Inspector General (OIG) released a report on July 1, 2025 announcing it found VA procured IT systems which failed to comply with legally-required accessibility standards. Specifically, of the 30 “bedrock and critical” IT systems audited by OIG as part of its report, the inspector general found only four systems that complied with Section 508 of the Rehabilitation Act.

Since the Department of Veterans Affairs (VA) launched its most recent attempt to modernize its electronic health record (EHR) system in 2020, the initiative has been plagued with numerous setbacks and budget overruns. Given the issues faced, lawmakers recently introduced a new discussion draft of legislation that would increase oversight of the VA’s efforts.