Agreed. The government doesn’t mandate disclosure of cybersecurity incidents in contract bidding. If a company has weak security and has data regularly stolen, they can bid on new contracts and obtain them without having to disclose their various incidents. Not good.
I guess is they have to abide by the so called orange book standards. Or has that gone the way of the dodo bird?