What does OMB's 2026 memo require agency CIOs to report about IT contracts?

According to GSA guidelines, contractors must expect agency CIOs to collect consolidated monthly datasets that capture contract-level pricing, utilization, subcontractor chains, security authorization status (FedRAMP/CMMC), and cloud vs. on-prem use. Per FAR reporting and acquisition transparency objectives, agency CIOs will push top-down reporting to OMB to close gaps in shadow IT and duplicative buys. The memo M-26-10, issued by OMB in March 2026, requires a standardized dataset and a monthly reporting cadence with the first submission expected by April 30, 2026; the GSA and CIO Council will publish schema and validation rules on CIO.gov and GSA’s IT data transparency pages. The requirement affects all civilian and defense agencies for IT contracts above micro-purchase thresholds and specifically directs CIOs to include task orders, Blanket Purchase Agreements (BPAs), and IDIQ utilization. Contractors should anticipate fields for obligated amounts, billed vs. consumed services, license counts, subcontractor names and DUNS/UEI, FedRAMP authorization level, and key performance indicators. The combined intent is to enable OMB to identify duplication, reduce shadow IT, and enforce centralized strategies across agencies.

According to GSA guidelines, contractors must prepare to deliver machine-readable invoices and utilization logs that map directly to contract line items and task orders. The GSA’s IT data transparency guidance emphasizes data normalization and authoritative identifiers—UEI/DUNS, NAICS codes, and contract line item numbers (CLINs)—so agencies can ingest vendor-supplied data without manual rework. Contractors should align billing systems and subcontractor reporting flows so monthly feeds include obligated value, invoiced amount, consumed units (users/licenses/compute hours), and any price adjustments. Per the CIO.gov reporting handbook, agencies will validate vendor feeds against obligation and payment records to flag discrepancies. Vendors that fail to provide structured feeds risk audit findings and delayed payments if agencies cannot reconcile reported utilization to invoiced charges. The GSA also recommends tagging deliverables with security authorization metadata (FedRAMP or CMMC level) and cloud service identifiers to meet OMB’s transparency schema.

Per FAR 19.502, small businesses can and should ensure their data flows are compatible with prime contractor reporting, because primes will be required to include subcontractor tiers and socio-economic data in monthly submissions to OMB. The FAR’s small-business subcontracting provisions already require tracking and reporting of dollars to socio-economic categories; under M-26-10 that requirement is extended into the OMB reporting schema so primes must pass through accurate subcontractor spend, NAICS, and certification status. The GSA and SBA coordination means primes will ask subs for UEI, size status, and certified HUBZone/WOSB/SDVOSB/8(a) flags in machine-readable form. This creates an operational requirement for small businesses to export certified status fields and invoice-level utilization metrics at least 10 business days before agency month-close to allow reconciliation and validation.

The SBA reports that 78% of small federal contractors currently lack automated feeds for utilization and subcontractor-tier reporting, indicating a readiness gap agencies expect to close under OMB’s new directive. Per OMB M-26-10, CIOs must identify and remediate agents of shadow IT and untracked subscriptions by consolidating contract and procurement feeds. The GSA will provide an interim data dictionary and example JSON schema to help agencies and vendors map fields; agencies will then apply business rules to reconcile invoices, obligations, and actual consumption. The SBA and GSA collaboration also includes templates for socio-economic pass-through reporting, so primes can capture subcontractor spend percentages, which feeds into OMB’s cross-agency dashboards to measure compliance and small-business participation.

Under OMB M-25-21, agencies will continue to require comprehensive risk and privacy assessments for AI and cloud procurements, and M-26-10 builds on that baseline by adding mandatory contract-level reporting to monitor procurement exposure. The memo directs CIOs to include security posture metadata, not just procurement dollars—so FedRAMP authorization level, CMMC level for defense-related contracts, and any Authority to Operate (ATO) dates must be part of the monthly submission. The GSA and the CIO Council will host technical working groups to align agency data ingestion platforms with the OMB schema; vendors should attend those sessions to ensure their APIs, SFTP feeds, or EDI exports meet validation rules. Agencies will also map reported utilization to risk registers used under OMB Circular A-123 and to FedRAMP tenancy records to support cross-agency risk reduction strategies.

DoD's CMMC framework requires documented cybersecurity practices for defense contractors, and M-26-10 explicitly asks CIOs to report CMMC level where applicable on monthly submissions. The intent is to make authorization and compliance posture visible alongside spend and utilization so OMB can prioritize remediation. Per the GSA’s IT data transparency portal, contractors that support defense or dual-use work must include CMMC attestation IDs and renewal dates in their monthly feeds. That creates an integration point between acquisition, security, and finance teams: contractors must correlate invoicing and usage with the underlying cybersecurity certifications, and agencies will verify certification status during ingest. For primes, this means collecting and passing through subs’ CMMC IDs and documentation to satisfy OMB’s combined transparency and risk oversight objectives.

According to GSA guidelines, best practices include building automated export pipelines, embedding UEI/CLIN tags in invoicing systems, and including FedRAMP authorization metadata. Vendors should treat the OMB feed as part of their billing deliverable rather than an optional add-on and assign a data steward responsible for monthly validation. Per FAR subcontracting clauses, primes must ensure pass-through reporting for socio-economic and subcontractor-tier spend; this requires contractual flow-down language obligating subs to deliver machine-readable socio-economic status and utilization metrics. Under OMB M-25-21 and M-26-10, agencies will also expect records that support audit trails for Circular A-123 compliance, so vendors should retain raw telemetry and billing logs for at least three years. For cloud providers, aligning with FedRAMP tenancy records and providing API-accessible license counts will reduce agency reconciliation time and exposure.