Oracle wins OPM’s massive governmentwide HR modernization contract

The Office of Personnel Management on Wednesday awarded its anticipated contract to modernize and consolidate federal human resources functions to Oracle, capping a process that’s been over a year in the making. The nearly $400 million award puts Oracle in charge of a process to bring over 100 HR systems under one single platform that the agency is calling its Core Human Capital Management system. OPM says it believes the project will make significant reductions in the overall cost of HR platforms to taxpayers. “Historically, federal agencies have relied on fragmented, aging HR systems that are costly to maintain and difficult to scale,” OPM Director Scott Kupor said in a written statement included in a press release. He called the award “a foundational investment in the future of federal workforce management.” A final award comes over a year after an early effort to award such a contract failed to move forward. In May 2025, the Office of Personnel Management awarded a sole-source contract to Workday to facilitate the Trump administration’s HR modernization efforts, arguing it was the only vendor that could do the job. But OPM abruptly canceled that award, and later launched open competition for such a contract.

The Cybersecurity and Infrastructure Security Agency on Wednesday ordered federal agencies to prioritize vulnerabilities based on four criteria, as part of a push to “patch smarter, not harder.” Federal agencies should emphasize patches for vulnerabilities that affect a publicly exposed asset, allow an attacker to fully automate exploitation, give attackers the ability to take over control of a system or relate to evidence of active, real-world exploitation, CISA declared. CISA acting director Nick Andersen previewed the binding operational directive (BOD) Tuesday, framing it as a rethinking of vulnerability management more broadly. Andersen said in a statement: “This Directive provides clear definitions, timelines and criteria that enhances transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation.” BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, for example, agencies need to fix it within three days and carry out a “forensic triage” to assess whether their systems were compromised.

The Daily Scoop Podcast is available every Monday-Friday afternoon.

If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast  on Apple Podcasts, Soundcloud, Spotify and YouTube.