DEI Rollbacks and Cybersecurity Vendor Procurement
Supplier diversity targets were a meaningful revenue channel for small and minority owned security firms. Their removal is reshaping who wins federal and enterprise cyber contracts.

Executive Summary
Supplier diversity targets reshaped cybersecurity procurement for more than a decade. Rolling them back is producing measurable consolidation toward incumbent vendors, with concentration risk that security leaders should be planning for now rather than after the next major outage.
Cybersecurity procurement has historically included supplier diversity considerations alongside technical and price evaluation. Federal agencies operated set aside programs for small disadvantaged businesses, women owned small businesses, service disabled veteran owned small businesses, and HUBZone firms. Large enterprises in regulated industries often maintained voluntary supplier diversity targets that allocated a defined share of spending to certified diverse vendors. The 2025 and 2026 rollbacks have changed both sides of that equation.
What the Rollback Touched and What It Did Not
It is important to be precise about what changed. Several federal set aside programs are statutory, established by Congress, and not affected by executive policy shifts. The 8(a) Business Development Program, the women owned small business program, and the service disabled veteran owned small business program continue to operate. Their requirements have not been rescinded.
What did change is the broader contracting environment. Diversity reporting requirements for prime contractors were rescinded. The Office of Federal Contract Compliance Programs reduced enforcement of related compliance obligations. Several agencies pulled back from voluntary supplier diversity targets that exceeded statutory minimums. In the enterprise sector, a number of Fortune 500 firms publicly ended supplier diversity programs in response to legal and political pressure.
The Effect on Small Cyber Firms
Minority owned and women owned cybersecurity firms reported that supplier diversity targets accounted for a meaningful share of their pipeline. Surveys conducted in late 2025 indicated that firms relying on enterprise supplier diversity programs for more than twenty percent of revenue saw average pipeline contraction of fifteen to thirty percent within two quarters of the policy changes.
The federal set aside programs continue, but the broader environment matters. Prime contractors that previously sought small diverse subcontractors to meet aspirational goals are now less motivated to do so. Many small cyber firms operated as subcontractors under primes, and the subcontract flow has slowed.
The firms most affected are not the largest minority owned cyber companies. Those firms have established past performance, federal certifications, and direct contracting vehicles. The firms most affected are mid sized companies that were growing into the prime contractor space and depended on subcontract revenue while they built that capability. Their growth path has narrowed.
The Effect on Procurement Outcomes
For procurement officers and chief information security officers, the change has operational consequences beyond the vendor diversity numbers. Small specialized cyber firms often provide capabilities that large primes cannot match efficiently, particularly in incident response, niche threat intelligence, and emerging technology areas. A procurement environment that consolidates spending toward a smaller number of large vendors reduces specialization and increases concentration risk.
Concentration risk is not abstract. Several large cybersecurity vendors have themselves been the subject of significant breaches in recent years. When a substantial share of federal and enterprise security spending flows to a small group of providers, the failure of any one of them creates cascading risk across the customer base.
Practical Guidance for Buyers
Continue to evaluate small and specialized vendors for capabilities the major providers do not offer well. The set aside programs remain in force at the federal level, and using them is not only permitted but encouraged by statute. Document technical and operational reasons for vendor selection so that procurement decisions are defensible regardless of which way policy moves.
Build vendor portfolios that balance scale and specialization. A program that depends entirely on three large providers has different risk than one that combines those providers with a curated set of smaller firms that bring depth in specific areas.
Practical Guidance for Small Cyber Firms
Diversify the buyer base. Firms that relied heavily on a small number of enterprise supplier diversity programs have learned that those programs can be ended quickly. Federal set aside vehicles, state and local government work, and direct commercial relationships built on technical capability are more durable.
Invest in the certifications that remain in force. Small Business Administration certifications, GSA schedules, and security clearances for staff are durable assets that survive policy shifts.
Compete on capability. The political environment will continue to shift. The firms that build distinctive technical capabilities and document their outcomes will win business regardless of which procurement framework is in vogue.
The Bigger Picture
Cybersecurity is a market that rewards specialization and rapid adaptation. Policy environments that consolidate spending and reduce the diversity of the supplier base work against the structural strengths of the field. The procurement decisions made in 2026 and 2027 will determine which firms survive to defend critical systems in the decade that follows. Buyers and sellers both have an interest in keeping that base broad, specialized, and resilient.