By Irina Denisenko. First published by NextGov/FCW.
For years, agencies have been encouraged to prioritize commercial off-the-shelf (COTS) solutions, yet entrenched procurement practices have continued to favor costly, time-intensive custom builds. The new mandate makes clear that this status quo is no longer acceptable.
Directing agencies to increase the use of commercial products and services (and to justify when they do not) signals a broader effort to align federal technology strategy with the speed, scale and innovation of the private sector.
Turning this policy into measurable outcomes will require more than intent; it will require practical and structural changes in how government evaluates, acquires and deploys technology.
Here are five recommendations to help translate this mandate into real progress:
1. Default to commercial first, with clear justification for exceptions
A true shift to commercial-first must begin at the earliest stages of acquisition planning. Agencies should start every requirement with a structured market analysis to identify existing solutions that meet mission needs and treat that assessment as foundational, not procedural.
When bespoke builds are proposed, the justification should be rigorous. Agencies must demonstrate not only that no viable commercial option exists, but that customization delivers clear advantages in cost, performance or mission outcomes. This flips the current dynamic, where custom development is too often the default. Embedding this discipline early will reduce redundant development, accelerate deployment and better align spending with proven, scalable technologies.
2. Standardize security and compliance baselines across agencies
Inconsistent interpretations of security requirements remain a major barrier to adoption. Even within shared frameworks, agencies often apply standards differently, leading to duplication, delays and uncertainty. Establishing a common baseline, paired with enforceable reciprocity, would streamline adoption significantly. If a solution is authorized under a recognized federal standard, that approval should be portable across agencies with minimal modification.
Standardization does not weaken security; it strengthens it by creating clearer expectations, enabling deeper scrutiny and eliminating redundant reviews that add cost without improving outcomes.
3. Move from point-in-time approvals to continuous validation
Traditional certification models rely on point-in-time assessments that quickly become outdated. Systems are approved based on a snapshot, even as software and threats evolve continuously.
A more effective model is continuous validation using automation, real-time monitoring and ongoing control assessments to maintain a current view of risk. This allows agencies to move faster while improving oversight. By aligning authorization with modern software practices, agencies can deploy updates more quickly, respond to threats in real time and maintain stronger assurance over time.
4. Create reusable “authorization pathways” for proven technologies
Today, even widely used technologies often undergo redundant authorization processes in each agency. This slows adoption and discourages innovative providers from engaging with government. Reusable authorization pathways would allow previously assessed technologies to move more efficiently across agencies with similar risk profiles. This could include shared assessment artifacts, pre-approved solution categories or government-wide authorization packages. Treating prior assessments as reusable assets would reduce time-to-deployment while maintaining confidence in security, and would create a more predictable pathway for commercial providers.
5. Incentivize acquisition teams based on outcomes
Procurement systems often reward adherence to process over delivery of results. While compliance is essential, overemphasis on process can discourage speed, innovation and smart risk-taking. Agencies should change how success is measured, focusing on time-to-deployment, total cost of ownership, mission impact and user adoption. Aligning incentives with outcomes will encourage teams to pursue more efficient, effective solutions. Empowered with the right metrics and support, acquisition professionals are far more likely to embrace commercial technologies and deliver meaningful results.
Without structural change, this will be another well-intentioned directive. With structural change, it could mark the beginning of a fundamentally more modern, effective federal technology ecosystem.
Irina Denisenko is the CEO of Knox Systems, a cybersecurity pioneer delivering FedRAMP as a Service to help SaaS companies enter and scale in the government market. With deep expertise in technology, government and enterprise, Irina brings a track record of building trusted, scalable systems at the intersection of innovation and compliance.