CMMC & Cybersecurity Intelligence Brief – 06

Agility Development Group

Week of March 2, 2026  |  Issue No. 06

Four months into enforcement, the gaps that matter most are coming into focus — and most weren’t in the original compliance plan.

Executive Summary

 

CMMC Phase 1 enforcement is now four months into operation, and the gaps that matter most in 2026 are coming into sharp focus. At the top of the list: what it means to be “certified” — and what that status does not cover. The three-year certification cycle created by 32 CFR Part 170 locks a contractor’s compliance standard to the requirements in effect at the time of assessment, not the requirements in force when annual affirmations are submitted. New mandates — NIST SP 800-171 Rev 3 transition, NDAA AI/ML security requirements, and evolving DFARS obligations — are arriving through regulatory channels that operate independently of the certification cycle. That gap has legal dimensions too: a January 2026 alert from Holland & Knight warns that annual CMMC affirmations now function as formal legal representations, with False Claims Act exposure that renews each year. On the operational side, the most common cause of assessment failure has nothing to do with technical controls — it is a misconfigured CUI boundary that places compliant systems out of scope while leaving non-compliant systems unexamined. The Verizon 2025 Data Breach Investigations Report delivers a stark message for the DIB specifically: small and mid-sized defense contractors are the primary target of ransomware and credential-theft campaigns, with stolen credentials driving 22% of all confirmed breaches. And a growing body of data shows that CMMC compliance costs — ranging from $50,000 to over $200,000 for Level 2 — are beginning to restructure which companies can afford to compete for DoD work at all.

In This Issue

01  |  Your CMMC Certification Clock Is Running — But It Doesn’t Cover New Requirements Arriving Midcycle

02  |  Wrong CUI Boundaries Are the #1 Reason Organizations Fail Their CMMC Assessment

03  |  The 2025 DBIR Is Unambiguous: Small Defense Contractors Are Ransomware’s Primary Target

04  |  $50K–$200K Compliance Costs Are Restructuring Which Companies Can Compete for DoD Work

05  |  Annual CMMC Affirmations Are Legal Representations Now — The DOJ Settled Seven Cases in 2025 Alone

Top Developments

Development 01  |  Policy Movement / Regulatory Risk

The CMMC Lifecycle Gap — Being Certified Is Not the Same as Staying Compliant

A structural gap in the CMMC certification framework has received limited industry attention, but its implications are significant for every contractor currently certified or pursuing certification. Under 32 CFR 170.17, a CMMC Level 2 certification assessment is valid for three years from the CMMC Status Date. The annual affirmation required under 32 CFR 170.22 ties to the CMMC Status Level achieved at assessment — meaning a contractor certified in 2025 against NIST SP 800-171 Rev 2 is technically affirming compliance with Rev 2 requirements during the subsequent three years, not with whatever requirements are in force at the time of affirmation.

New requirements arriving during a certification cycle — including the anticipated Rev 3 transition, AI/ML security mandates from NDAA FY2026 Section 1513, and potential DFARS additions — do not automatically fold into a mid-cycle affirmation under current regulatory language. The regulatory text in 32 CFR 170.17 and 170.22 is silent on how mid-cycle standard changes are handled. Analysis from Cape Endeavors confirms that NDAA AI/ML and supply chain mandates operate through separate DFARS rulemaking channels that can reach contractors regardless of their CMMC certification status.

This is not a safe harbor to exploit — it is a gap to close proactively. The Department of Justice’s Civil Cyber-Fraud Initiative has demonstrated intent to scrutinize the spirit of compliance. A contractor that treats new requirements as deferred until the next reassessment is assuming that regulators, contracting officers, and potential whistleblowers will accept the same interpretation. The better posture: treat certification as a floor, not a ceiling.

Development 02  |  Enforcement Trend / Assessment Readiness

CUI Boundary Scoping Errors Are the Leading Cause of CMMC Assessment Failure

As C3PAO assessments move from policy concept to live commercial event, the data on why organizations fail is becoming clearer — and the leading cause is not missing technical controls. It is incorrect scoping of the CUI environment. Analysis published by Corp Information Technologies confirms that most CMMC audit failures trace back to a poorly defined CUI boundary, before a single technical control is evaluated.

The DoD CMMC Level 2 Scoping Guide — a publicly available DoD CIO resource — defines the full asset taxonomy assessors use: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Misassigning assets to any of these categories has compounding effects. Over-scoping inflates the number of controls an organization must implement and demonstrate, dramatically increasing cost and complexity. Under-scoping — the more dangerous error — leaves systems that process or transmit CUI outside the assessed boundary, creating automatic findings when assessors discover the gap.

Common under-scoping errors include: mobile devices where employees view CUI via email; overlooked printers and multifunction devices; cloud storage synchronization paths where CUI may be replicated inadvertently; and personal home office systems used for remote access. As of 2026, assessors expect documented cross-functional scoping involvement — IT, security, legal, and contracting staff must all be reflected in the methodology, and the SSP must include a network diagram of the CUI boundary and a data-flow diagram showing all transmission paths.

Development 03  |  Threat Intelligence / Emerging Threat

Verizon DBIR 2025 — Small Defense Contractors Are the Ransomware Industry’s Primary Target

The Verizon 2025 Data Breach Investigations Report — covering over 22,000 security incidents and more than 12,000 confirmed breaches — delivers a finding every small DIB contractor should treat as operationally significant. Cybersecurity firm Adapt Forward, which specializes in defense sector threat intelligence, analyzed the 2025 DBIR through a DIB lens and found that 88% of ransomware-related breaches in small and mid-sized organizations occurred in firms critical to the national security supply chain.

The attack pathway is consistent: stolen credentials. The DBIR identifies credential theft as the primary initial access vector in 22% of all confirmed breaches, with exploited vulnerabilities accounting for another 20%. Third-party involvement in breaches doubled year-over-year — from 15% to 30% of all confirmed breaches — a finding that directly indicts the security posture of the subcontractor and MSP ecosystems small DIB contractors rely on. Of particular concern for distributed and hybrid workforces: 46% of corporate credentials were compromised through unmanaged personal devices not under corporate endpoint management.

The CMMC control family most directly implicated is Access Control (AC), which covers user account provisioning, least privilege, remote access restrictions, and session controls. The DBIR data makes the compliance argument redundant: these are not abstract regulatory checkboxes. They are the specific control categories being bypassed by the actors currently targeting defense contractors at industrial scale.

Development 04  |  Market Shift / Industry Trend

CMMC Compliance Costs Are Restructuring Who Can Compete for DoD Work

The financial reality of CMMC Level 2 compliance is beginning to produce visible market effects that extend beyond individual contractor decisions. Analysis published by Accorian in early 2026 documents how small and mid-sized defense contractors are being reshaped by compliance economics: for many firms, CMMC is not a compliance cost — it is a market entry question.

The cost data is consistent across multiple published analyses. Level 1 compliance typically runs $3,000 to $6,000 in time and basic tooling. Level 2 compliance scales dramatically: estimates consistently range from $50,000 to $200,000+ depending on environment complexity, current control coverage, and remediation scope. Outside consultant engagements, which most small firms require, typically run $250 to $400 per hour according to Kiteworks’ published compliance cost analysis. C3PAO assessments themselves — now mandatory for prioritized contracts — carry additional fees before any remediation costs are factored in.

The DoD final rule estimated that more than 337,000 contractors and subcontractors are affected, of which approximately 230,000 are small entities. At Level 2 compliance costs, the economics create a structural filter: firms with stable DoD revenue and existing compliance infrastructure can absorb the investment. Firms holding low-margin subcontracts or diversified across government and commercial markets face a calculus where compliance costs approach or exceed projected DoD contract revenue — and some are choosing to exit. The market effect — consolidation, strategic DIB exit, and reduced small-business competition — has cybersecurity policy implications DoD has not yet formally addressed.

Development 05  |  Legal / Enforcement Trend

The CMMC Affirmation Trap — Annual Self-Certifications Now Carry Prosecution-Grade Legal Weight

A January 2026 client alert from Holland & Knight — “CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers” — identifies a legal exposure that became live on November 10, 2025: every annual CMMC affirmation submitted under 32 CFR 170 now constitutes a formal legal representation subject to False Claims Act enforcement.

The enforcement track record is well-established. In March 2025, MORSE Corporation settled with the Department of Justice for $4.6 million after submitting an SPRS score of 104 when its own internal analysis showed that only approximately 22% of the NIST controls had been implemented. In 2025 as a whole, DOJ announced seven cybersecurity-related FCA settlements spanning defense, technology services, higher education, and healthcare — establishing that the Civil Cyber-Fraud Initiative has scaled from a signal into a functioning enforcement program.

What changed with Phase 1 enforcement: prior to November 2025, SPRS self-assessment submissions existed in a gray enforcement zone. Post-November 2025, every affirmation submitted under 32 CFR 170 carries the explicit legal weight of a contract performance claim. The H&K alert specifically addresses risk for acquirers — organizations purchasing defense contractors without cybersecurity due diligence may be assuming pre-existing FCA liability. Any contractor contemplating M&A activity, major subcontract awards, or submission of a new SPRS score should treat this alert as required reading.

 

Impact Analysis

The five developments this week converge around a single operational reality: CMMC compliance is no longer a planning exercise, and the margin for error is significantly narrower than most contractors assumed when Phase 1 launched in November.

The Lifecycle Gap Creates False Confidence Risk. Contractors who received early certifications may be operating under the assumption that their compliance status is settled for three years. The regulatory language in 32 CFR 170 does not support that interpretation — and the regulatory environment arriving during that three-year window is actively testing it. Organizations that treat new requirements as deferred until reassessment are accumulating a gap between certified posture and current requirements that becomes harder and more expensive to close each quarter it is ignored.

Scoping Errors Compound Every Other Investment. An organization that has invested $100,000 in control implementation but misconfigured its CUI boundary is not 90% ready — it may be 0% ready in the areas assessors will examine. The scoping problem is upstream of every other compliance activity, and fixing it post-assessment is dramatically more expensive than getting it right before assessment begins.

Threat Reality Aligns Directly with Compliance Requirements. The Verizon DBIR data is not abstract threat intelligence — it describes the specific attack patterns being executed against DIB contractors at scale. Credential theft, third-party access, and unmanaged device exposure map directly to CMMC Access Control requirements. Organizations implementing these controls because they understand the threat environment tend to implement more thoroughly and maintain more rigorously than those checking boxes for compliance alone.

Market Consolidation Is a Policy Problem, Not Just a Business Problem. The compliance cost data points to a structural shift in DIB composition with cybersecurity implications: if small contractors exit the market, DoD’s supplier diversity decreases, single-source dependencies increase, and the resilience of the defense industrial base against supply chain disruption weakens. This is an emerging policy conversation that contractors should be aware of, particularly those who engage in DFARS comment periods or industry associations.

Legal Exposure Has No Grace Period. The FCA affirmation risk is not a future threat — it became operational on November 10, 2025. Every affirmation submitted since that date is a legal representation, and the DoJ enforcement track record makes clear that misrepresentations are pursued regardless of size, sector, or good-faith claims. This is the enforcement environment in which CMMC self-assessments and annual affirmations are now submitted.

 

Recommended Actions

 

CONDUCT A MID-CYCLE REQUIREMENTS REVIEW AGAINST YOUR CERTIFICATION BASELINE

Identify the specific NIST SP 800-171 revision and DFARS clauses your certification reflects, then map the gap to requirements arriving before your next assessment date. Focus on Rev 3 transition controls, NDAA AI/ML security requirements, and contract-specific cyber overlays added since certification. Document this review — it serves as both a compliance management tool and evidence of good-faith effort in the event of an FCA inquiry.

 

VALIDATE YOUR CUI BOUNDARY WITH FRESH EYES BEFORE YOUR NEXT ASSESSMENT CYCLE

Commission a scoping review — ideally from a party not involved in the original SSP development — to walk every asset category against the DoD Level 2 Scoping Guide. Pay particular attention to mobile devices, remote access endpoints, cloud synchronization paths, and third-party connections touching CUI systems. Document every in-scope and out-of-scope determination with its justification.

 

RUN YOUR SPRS SCORE AGAINST CURRENT CONTROL EVIDENCE BEFORE YOUR NEXT AFFIRMATION

Each control score should be traceable to specific policy, configuration, or procedure documentation. If any score cannot be supported by current evidence, remediate before submitting the next affirmation. The MORSE Corp settlement illustrates the consequence of submitting a score that internal analysis cannot support — a $4.6 million outcome that began with a single inaccurate SPRS submission.

 

TREAT IDENTITY AND ACCESS CONTROLS AS YOUR HIGHEST-PRIORITY REMEDIATION CATEGORY

The Verizon DBIR data is explicit: credential theft is how attackers enter, and unmanaged personal devices are how credentials are compromised at scale. Implement multi-factor authentication broadly, enforce least-privilege account provisioning, and establish a managed device policy for any system accessing CUI — including contractor home office equipment under bring-your-own policies.

 

BRIEF LEADERSHIP ON FCA AFFIRMATION RISK BEFORE THE NEXT CONTRACT CYCLE

Legal exposure for CMMC misrepresentations is now structural, not exceptional. Executives signing or authorizing affirmation submissions should understand that these documents carry the same legal weight as cost or performance representations in government contracts. Organizations engaged in M&A activity should add CMMC affirmation accuracy to cybersecurity due diligence checklists.

 

Readiness Tips & Accelerators

Annual Affirmation Evidence Package

Before each annual CMMC affirmation, assemble a structured evidence file mapping each of the 110 NIST SP 800-171 Rev 2 control objectives to a specific policy, configuration record, or procedure — with dates current as of the affirmation date. If a control cannot be evidenced, reflect that accurately in the score. This file is your primary FCA defense and your primary assessment readiness artifact.

CUI Flow-Tracing Exercise

Walk a single CUI document from its point of receipt through every system it touches — including email, storage, printing, remote access, and any cloud sync or collaboration tools. Every system it touches is in scope. Every system in scope must be under SSP coverage. Run this exercise annually with cross-functional participation to surface the scoping gaps that catch organizations in assessment.
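The flow-tracing exercise above can be run as a reachability check: every system CUI can reach from its point of receipt is in scope, and anything in that set missing from the SSP is an under-scoping gap. The script below is an added illustration, not part of the brief or any DoD tool; the system names, flow edges and SSP coverage list are constructed sample data.

```python
"""Added example (not from the brief): trace a CUI document's path through
connected systems and compare the reachable set with SSP coverage.

All system names, flows and the SSP coverage list below are constructed
sample data, not a real environment.
"""
from collections import deque

# Constructed data-flow edges: (source system, destination system, channel).
# Each edge is one way CUI can move, e.g. a mailbox syncing to a phone.
FLOWS = [
    ("contracting-mailbox", "m365-exchange", "email receipt"),
    ("m365-exchange", "eng-laptop-01", "Outlook desktop client"),
    ("m365-exchange", "pm-iphone", "mobile mail app"),
    ("eng-laptop-01", "sharepoint-cui-site", "upload"),
    ("eng-laptop-01", "office-mfp-2f", "print job"),
    ("sharepoint-cui-site", "home-pc-jdoe", "OneDrive sync"),
    ("sharepoint-cui-site", "erp-server", "attachment import"),
    ("marketing-drive", "web-server", "brochure publishing"),  # no CUI path
]

# Constructed list of systems the SSP currently documents inside the CUI boundary.
SSP_COVERED = {
    "contracting-mailbox", "m365-exchange", "eng-laptop-01",
    "sharepoint-cui-site", "erp-server", "legacy-fileserver",
}


def trace_cui(flows, receipt_point):
    """Return every system reachable from the receipt point, with the channel
    by which CUI first reaches it (breadth-first walk of the flow graph)."""
    adjacency = {}
    for src, dst, channel in flows:
        adjacency.setdefault(src, []).append((dst, channel))
    reached = {receipt_point: "point of receipt"}
    queue = deque([receipt_point])
    while queue:
        current = queue.popleft()
        for dst, channel in adjacency.get(current, []):
            if dst not in reached:
                reached[dst] = f"{channel} from {current}"
                queue.append(dst)
    return reached


def scoping_gaps(flows, receipt_point, ssp_covered):
    """Systems CUI reaches that the SSP does not cover (under-scoping), and
    SSP-covered systems CUI never reaches (candidates for over-scoping review)."""
    reached = trace_cui(flows, receipt_point)
    under_scoped = {s: how for s, how in reached.items() if s not in ssp_covered}
    unreached_covered = sorted(ssp_covered - reached.keys())
    return under_scoped, unreached_covered


if __name__ == "__main__":
    under, over = scoping_gaps(FLOWS, "contracting-mailbox", SSP_COVERED)
    print("CUI reaches these systems but the SSP does not cover them:")
    for system, how in sorted(under.items()):
        print(f"  {system:22} via {how}")
    print("SSP-covered systems CUI never reached in this trace:", over or "none")
```

In the constructed data the phone, the multifunction printer and the home PC surface as under-scoped, matching the common errors listed under Development 02, while the unreached legacy file server is flagged for an over-scoping review.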

Credential Hygiene Inventory

Audit every account with administrative rights, verify multi-factor authentication is enforced for each, and confirm that inactive or departed-employee accounts have been disabled. The Verizon DBIR credential theft finding is directly addressed by the CMMC AC.1.001 through AC.2.006 control requirements. Close these gaps in SPRS-documented sequence.

Lifecycle Gap Calendar

Create a side-by-side calendar showing your certification date, your three-year reassessment window, and projected arrival dates of new requirements (Rev 3 transition: estimated 2H 2026–early 2027; AI/ML framework: expected June 2026; Section 866 harmonization: rulemaking expected before mid-2026). Use this to phase gap remediation across your cycle rather than treating it as a single end-of-cycle event.

Accelerator Tool — CMMC Level 2 Scoping Guide (DoD CIO)

The DoD-published Level 2 Scoping Guide defines the five asset categories, the criteria for each, and the documentation requirements assessors expect. Use it as the authoritative checklist for every scoping review — it is the definitive reference for validating CUI boundary decisions before assessment. Available at no cost from: dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf

 
 

Forecast & Emerging Issues

NIST SP 800-171 Rev 3 Transition Pressure Will Accelerate in Q2 2026. DoD has defined ODP values for Rev 3 and the transition window (2H 2026–early 2027) is closing faster than many contractors have planned for. Organizations conducting SSP refreshes or infrastructure modernization have a closing window to incorporate Rev 3 controls at lower remediation cost than a future compressed sprint will allow.

AI/ML Security Requirements Will Arrive Faster Than CMMC Did. The NDAA FY2026 Section 1513 mandate for a DoD AI/ML cybersecurity framework carries a June 16, 2026 status update deadline to Congress. Unlike CMMC — which took years from inception to enforcement — AI/ML requirements are being built directly into an existing DFARS and CMMC enforcement infrastructure. Contractors with AI-assisted tools deployed in DoD-related work should treat June 2026 as a planning milestone.

FCA Enforcement Against Subcontractors Will Expand. The 2025 DoJ Civil Cyber-Fraud Initiative produced the first FCA enforcement action against a subcontractor — a structural shift from earlier actions focused on prime contractors. As CMMC affirmations proliferate down supply chains, the enforcement surface expands with them. Subcontractors that have assumed prime contractor oversight protects them from direct FCA exposure are now operating under a different legal regime.

CMMC Assessment Capacity Constraints Will Intensify Through Q3 2026. With Phase 2 mandatory C3PAO assessments beginning November 2026, the window for scheduling a Level 2 assessment before the deadline is approximately seven months. C3PAO scheduling backlogs have not materially eased, and demand will accelerate as the November deadline approaches. Organizations that have not initiated C3PAO engagement should treat this as urgent.

DIB Market Consolidation Will Trigger Policy Attention. As affordability data becomes visible — small contractors exiting, mid-market firms unable to absorb compliance investment — expect congressional and DoD acquisition policy interest in affordability mechanisms, tiered compliance pathways, or shared services models. Organizations engaged in industry associations should begin framing this issue for upcoming DFARS comment periods.

 

Tools & Resources

The developments this week draw on regulatory text, DoD guidance, legal analysis, and threat intelligence that contractors should be actively monitoring. The resources below support scoping validation, affirmation evidence management, credential control prioritization, and CMMC lifecycle planning.

A. Key Public Frameworks and References

32 CFR Part 170 — CMMC Program Rule (Full Text)

Governing regulation defining certification levels, assessment types, and affirmation requirements. Sections 170.17 and 170.22 are directly relevant to certification lifecycle gap planning and FCA exposure analysis.

DoD CMMC Level 2 Scoping Guide (v2.13)

The authoritative DoD document defining CUI asset categories, scoping methodology, and assessor expectations for boundary documentation. Use this as the definitive checklist for every scoping review.

NIST SP 800-171 Rev 2 — Current CMMC Compliance Standard

The governing control set for all current CMMC Level 2 assessments, SPRS scoring, and DFARS 252.204-7021 compliance. Remains mandatory per DoD class deviation through the Rev 3 transition.

DoD CIO CMMC Program Office

Official source for all CMMC policy, assessment guides, FAQs, scoping guides, and phase implementation information.

SPRS Portal

Where all CMMC self-assessment scores and affirmations are filed. Verify your current score is accurate and supported by retained evidence before each affirmation submission.

B. Practical Accelerators and Time-Saving Tools

Cyber AB C3PAO Marketplace

Directory of DIBCAC-accredited C3PAOs actively scheduling Level 2 assessments. With Phase 2 mandatory assessments beginning November 2026, early engagement is critical to securing assessment slots before capacity tightens further.

CISA Cybersecurity Performance Goals

Prioritized subset of cybersecurity practices mapped to common CMMC assessment failure points, including credential management and access control. Useful as a remediation sequencing tool to address highest-risk gaps first.

Federal Register — DoD DFARS Rulemaking Alerts

Subscribe to email notifications for DoD DFARS rulemaking activity to track Section 866 harmonization progress, AI/ML security framework implementation, and any Rev 3 transition rulemaking. A 5-minute setup that delivers early visibility on all CMMC-adjacent regulatory movement.

Verizon 2025 DBIR — Full Report

The complete 2025 Data Breach Investigations Report, available for download. Contains full statistical analysis behind the DIB threat findings and provides direct mapping to CMMC control families relevant for prioritized remediation.

 

Additional Recommended Reading

CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers

Holland & Knight, January 2026 — The most direct current analysis of FCA exposure created by the November 2025 CMMC enforcement launch, including implications for M&A transactions and acquirer due diligence.

The 2025 DBIR Is Clear: Small Defense Contractors Are the New Primary Target

Adapt Forward, 2025 — DIB-focused analysis of the Verizon DBIR, with specific findings on ransomware targeting and credential compromise in the national security supply chain.

CMMC in 2026: How Small and Mid-Sized Defense Contractors Are Being Reshaped

Accorian, 2026 — Market analysis of compliance cost impact on DIB composition, including documentation of how smaller firms are evaluating exit from DoD work against compliance investment requirements.

Government Contractor Settles FCA Case Over Cybersecurity Maturity Model Certification Violations

Skadden, April 2025 — Case summary documenting one of the first FCA settlements tied directly to CMMC certification representations, establishing the enforcement precedent now cited in legal risk assessments.

The FY 2026 NDAA and CMMC Level 2: What the Law Says and What It Signals for Defense Contractors

Cape Endeavors, January 2026 — Analysis of how NDAA AI/ML and supply chain mandates interact with CMMC certification timelines, confirming these requirements operate through separate DFARS channels outside the three-year certification cycle.

CMMC & Cybersecurity Intelligence Brief is published weekly by Agility Development Group.

Content is based on publicly available information from authoritative government, regulatory, and industry sources.

This brief does not constitute legal or compliance advice. Consult qualified compliance professionals for guidance specific to your environment.

🔒 Subscribe to this brief  —  agility-grp.com/cmmc_brief

Feedback or unsubscribe: info@agility-grp.com

Week of March 2, 2026  |  Issue No. 06  |  © 2026 Agility Development Group
