LESSONS ALL CONTRACTORS CAN LEARN FROM CISA’S VMWARE EMERGENCY DIRECTIVE

The federal government takes major cybersecurity vulnerabilities seriously. That’s one bottom-line takeaway all contractors and observers can learn from the Cybersecurity and Infrastructure Security Agency’s (CISA) emergency directive mandating that all federal civilian agencies take immediate steps – by today – to patch critical vulnerabilities associated with various VMware solutions. Contractors should resist the impulse to default to the “there but for the grace of God go I” response. There are lessons here for all companies doing business with the federal government.

First, prime contractors should take this incident as a reminder that they need to manage their subs and teammates properly. VMware’s problems aren’t just its own. They extend to the primes through which it sells. Making sure that your prime contractor business has proper protections and performance-related remedies is essential. As a prime, it is your company that is ultimately accountable for performance issues.

Second, there is such a thing as bad publicity. VMware will have to spend a lot of money not only to resolve the security issues but to bolster its reputation in the federal market, all only two months before federal busy season starts. We’ve said before that your company spent a lot of time building a positive reputation. Investing in security and compliance helps protect your company’s reputation as a reliable and safe federal partner.

Third, the government will take steps to protect itself, regardless of what the potential damage to a company’s reputation may be. Yes, government and industry work together on a wide variety of federal missions. Contractors should not forget, however, that the government is the senior partner that ultimately holds the high card in the relationship. This means that companies need to ensure performance, anticipate problems, and have clear mitigation strategies developed in advance so that they can resolve issues quickly.

While contractors may be reluctant to bring up concerns or potential trouble areas, it is vitally important to remember, as the example of Richard Nixon shows, that it’s not the crime but the cover-up that can cause real trouble. While VMware is busy patching this weekend, all contractors should take a look at their own performance, and that of their subs, on critical contracts to ensure that they’re not the next ones in line for an emergency directive.