CMMC & Cybersecurity Intelligence Brief – 08

CMMC & Cybersecurity Intelligence Brief — Week of March 9, 2026

Agility Development Group


Week of March 9, 2026  |  Issue No. 07

Federal compliance is fragmenting: GSA diverges from CMMC, AI bans take effect, and DoJ enforcement surges 233%

Executive Summary

 

This week’s developments expose a fragmenting federal cybersecurity compliance landscape that demands contractor attention across multiple fronts simultaneously. GSA’s release of a CUI protection framework built on NIST SP 800-171 Revision 3—while DoD’s CMMC program still operates on Revision 2—creates an immediate dual-compliance burden for contractors serving both agencies. The FY 2026 NDAA’s DeepSeek and “covered AI” prohibition forces contractors to audit their AI tool usage within 30 days, with subcontractor flow-down requirements adding supply chain complexity. Meanwhile, DOGE-driven workforce reductions at DISA and Cyber Command are straining the government’s cybersecurity oversight capacity at exactly the moment CMMC enforcement is accelerating. CMMC Level 2 requirements are now appearing in active DoD solicitations—making certification no longer theoretical—and DoJ cyber-fraud settlements surged 233% in 2025, establishing precedents that raise the stakes for every contractor self-assessment.

In This Issue

01  GSA Now Requires NIST Rev 3 for CUI—While CMMC Still Runs on Rev 2

02  The NDAA Bans DeepSeek and Covered AI—Contractors Must Audit Their Entire Tool Stack

03  DOGE Workforce Cuts Are Straining the Government’s Own Cybersecurity Oversight

04  CMMC Level 2 Is Already Showing Up in Live DoD Solicitations—Not Just Policy Documents

05  DoJ Cyber-Fraud Settlements Tripled in 2025—and the Raytheon Precedent Changes M&A Risk

Top Developments

Development 01  |  Policy Update / Regulatory Divergence

GSA Releases CUI Protection Framework Requiring NIST SP 800-171 Rev 3—Diverging from CMMC’s Rev 2 Baseline

The General Services Administration published Revision 1 of its IT Security Procedural Guide CIO-IT Security-21-112, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process,” on January 5, 2026. This guide mandates NIST SP 800-171 Revision 3 as the compliance baseline for contractors handling CUI on GSA contracts—making GSA the first federal agency to operationalize Rev 3 requirements.

The divergence from CMMC is immediate and consequential. CMMC currently requires Rev 2, and DoD’s Rev 3 transition is not expected until late 2026 or early 2027. GSA’s framework identifies nine “showstopper” security requirements that block authorization if not fully implemented, imposes one-hour cyber incident reporting (versus DFARS’s 72-hour window), and uses FedRAMP assessors rather than C3PAOs—meaning existing CMMC certification cannot be directly reused for GSA authorization.

Industry reaction has been pointed: Trey Hodgkins noted that “all the current infrastructure is around revision two, not around revision three,” while Eric Crusius cautioned that if GSA “moves too fast on it, I think they will lose a lot of contractors.” GSA has stated it does not plan to align with CMMC. The guide applies immediately to new contracts at the contracting officer’s discretion, with no phased rollout.

Development 02  |  Policy Update / AI Security

FY 2026 NDAA Prohibits Contractor Use of DeepSeek and “Covered AI”—30-Day Implementation with Subcontractor Flow-Down

Section 1532 of the FY 2026 NDAA prohibits DoD contractors from using AI developed by DeepSeek, High Flyer (DeepSeek’s parent), or any entity in which High Flyer holds a stake of 20% or more. The prohibition took effect within 30 days of enactment with no transition period: covered AI must be excluded from and removed from DoD systems, and it may not be used in the performance of defense contracts.

“Covered AI” extends beyond DeepSeek to encompass AI from any company domiciled in China, Russia, North Korea, or Iran subject to unmitigated foreign ownership, or any entity on the Commerce Department’s Consolidated Screening List. Contractors must audit not only direct AI tool usage but also AI capabilities embedded in commercial software platforms where the underlying model’s provenance may not be transparent.

The subcontractor flow-down requirement means prime contractors bear responsibility for ensuring all tiers comply. Separately, Section 1513 directs DoD to develop a department-wide AI/ML cybersecurity framework within 180 days for incorporation into DFARS and CMMC—signaling AI security requirements will become a permanent feature of contractor compliance.

Development 03  |  Enforcement Risk / Institutional Capacity

DOGE Workforce Reductions Strain DoD Cybersecurity Oversight Capacity at Critical CMMC Enforcement Juncture

DOGE-driven workforce reductions are degrading the Defense Department’s cybersecurity oversight capacity at exactly the moment CMMC enforcement is scaling up. A December 2025 DISA contracting memo revealed that DISA’s J6 directorate—responsible for maintaining secure channels connecting the Pentagon to global military assets including nuclear capabilities—was “unexpectedly and significantly impacted” by personnel departures, creating “extreme risk for loss of service” across DoD systems.

DISA expects a 10% reduction in its civilian workforce. Cyber Command has lost 5-8% of its personnel. The Pentagon faces an overall shortage of approximately 25,000 cyber professionals. A critical cloud-computing contract at DISA expired entirely because the responsible officer departed with no replacement available.

For contractors, this creates a paradox: mandatory assessment requirements are expanding while the government’s capacity to administer and oversee those assessments may be contracting. Workforce reductions could slow C3PAO accreditation processing, reduce government capacity to investigate assessment quality complaints, and weaken the enforcement infrastructure that gives CMMC its contractual teeth.

Development 04  |  Enforcement Trend / Contract Eligibility

CMMC Level 2 Requirements Now Appearing in Active DoD Solicitations—Certification Is No Longer Theoretical

CMMC requirements have moved from policy documents to live procurement actions. Multiple DoD solicitations on sam.gov now explicitly require CMMC Level 2 certification, spanning Army, Navy, and Air Force. Examples include an Army ERCIP Lake City presolicitation (Feb 26) requiring Level 2 (Self), an Oregon Air National Guard Special Tactics Complex solicitation (Feb 25) requiring Level 2 (C3PAO), and a Navy Cylindrical Antenna Phase B solicitation (Feb 6) anticipating Level 2 requirements.

The appearance of Level 2 requirements during Phase 1—months before Phase 2’s November 10, 2026 mandatory enforcement—signals that contracting officers are not waiting for the phased rollout. Organizations that assumed they had until November are discovering competitive opportunities already gating on CMMC status.

Roughly 1,000 companies have received certification or are in the assessment pipeline, against an estimated 80,000 contractors that will ultimately need Level 2. This creates significant competitive advantage for early movers. Capture teams must treat CMMC status as a bid/no-bid criterion with the same weight as past performance or technical capability.

Development 05  |  Enforcement Trend / Legal Risk

DoJ Civil Cyber-Fraud Settlements Surge 233% in 2025—Raytheon Successor Liability Precedent Expands Enforcement Reach

The DoJ’s Civil Cyber-Fraud Initiative produced $51.8 million in aggregate settlements across nine cybersecurity-related cases in 2025—a 233% increase over $15.6 million across four settlements in 2024. This surge establishes cybersecurity compliance enforcement as a mature, accelerating DoJ priority with direct implications for every contractor making SPRS self-assessments and CMMC annual affirmations.

Key precedents: MORSE Corp ($4.6M, March 2025)—the first FCA case based on failure to update an SPRS score after learning actual compliance was only 22% of required controls (score: -142). Raytheon/RTX/Nightwing ($8.5M, May 2025)—introduced successor liability, naming an acquiring entity responsible for pre-acquisition cybersecurity failures, despite acquiring the business unit three years after the violation period.

A December 2025 criminal indictment of a contractor senior manager for misrepresenting cloud platform security represents potential escalation from civil to criminal enforcement. Voluntary self-disclosure reduced damages multipliers (Aero Turbine: ~1.5x vs. typical 2x), demonstrating that cooperation tangibly reduces exposure.

 

Impact Analysis

The central theme this week is fragmentation: the federal cybersecurity compliance landscape is splitting along agency lines, enforcement vectors, and technology boundaries in ways that increase complexity for every contractor.

Regulatory Divergence Creates Dual Compliance Burden. GSA’s adoption of Rev 3 while CMMC operates on Rev 2 means contractors with both DoD and GSA contracts must maintain two parallel compliance programs—or invest in meeting the higher Rev 3 standard universally. The one-hour vs. 72-hour incident reporting divergence compounds operational complexity. This directly contradicts the NDAA Section 866 harmonization mandate, raising questions about whether GSA’s approach will survive regulatory consolidation.

Contract Eligibility Is Gating Now, Not November. Level 2 requirements in active solicitations transform certification from a compliance project into a competitive gating mechanism. Combined with C3PAO backlogs of 6-18 months, the competitive landscape strongly favors early movers. Organizations without certification are already being excluded from opportunities.

Legal Exposure Is Escalating on Multiple Fronts. The 233% DoJ settlement surge means inaccurate SPRS scores and incomplete SSPs carry concrete financial consequences. The Raytheon successor liability precedent extends this to M&A transactions. The DeepSeek prohibition adds a new category of compliance risk that most organizations have not yet addressed.

Oversight Capacity Is Contracting as Enforcement Expands. DOGE workforce cuts at DISA and Cyber Command create systemic tension: CMMC enforcement is scaling up while oversight capacity is scaling down. Contractors should not interpret reduced oversight as reduced risk—DoJ enforcement operates independently of assessment oversight.

 

Recommended Actions

 

ASSESS GSA EXPOSURE

If you hold contracts with both DoD and GSA, obtain GSA’s CIO-IT Security-21-112 Rev 1 and identify where your current Rev 2 compliance posture falls short of Rev 3 requirements. Prioritize the nine showstopper controls and the one-hour incident reporting obligation.

 

AUDIT AI TOOL USAGE

Conduct an immediate audit of AI tools across your organization and supply chain to identify any covered AI under NDAA Section 1532. Include direct subscriptions, embedded AI features in commercial software, and subcontractor AI tool usage. Remove or replace any covered AI and document compliance.

 

SCREEN YOUR PIPELINE

Screen your active capture pipeline for solicitations already requiring CMMC Level 2. Verify your certification status or assessment timeline supports pursuit of those opportunities. Organizations without certification should not assume they have until November 2026.

 

VALIDATE SPRS SCORES

Review your SPRS self-assessment score against actual implementation status. The MORSE Corp settlement ($4.6M) establishes FCA liability for scores that don’t reflect actual security posture. If a gap exists, update the score immediately and document the basis for the revision.

 

INTEGRATE CYBER DUE DILIGENCE INTO M&A

For organizations involved in mergers, acquisitions, or divestitures, the Raytheon/Nightwing successor liability precedent means acquiring entities inherit cybersecurity compliance liabilities. Transaction due diligence must include SPRS scores, SSPs, incident response history, and any pending investigations.

 

Readiness Tips & Accelerators

Dual-Compliance Gap Analyzer

Create a mapping document identifying differences between NIST Rev 2 (CMMC) and Rev 3 (GSA) requirements. Focus on the nine GSA showstopper controls and assess whether to maintain dual tracks or invest in meeting Rev 3 universally—which also accelerates your future DoD transition.

AI Tool Provenance Audit Checklist

Send all technology vendors a three-question questionnaire: (1) Does your product use AI/ML? (2) What is the provenance of the AI models? (3) Are any components from covered nations or entities on the Consolidated Screening List? Document responses as compliance evidence.

SPRS Score Validation Protocol

Establish a quarterly validation process where your security team independently verifies that each control marked as “implemented” is actually operational and documented. Cross-reference against your SSP and POA&M to identify drift between posted scores and actual posture.
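The validation protocol above, and the "Validate SPRS Scores" action earlier in this issue, both come down to one arithmetic check: does the score you posted match the score your verified control status implies? The script below is an added example (not code from the brief) that performs that check. It applies the DoD Assessment Methodology's scoring rules as summarised in the module docstring (start at 110, subtract each unimplemented requirement's weight, partial credit of 3 instead of 5 only for 3.5.3 and 3.13.11, floor of -203); the per-requirement weights and the statuses in the sample are constructed for illustration, so take authoritative weights from Annex A of the methodology before using it on a real assessment.

```python
"""SPRS score drift check for a NIST SP 800-171 Rev 2 self-assessment.

Added example; not code from the original brief. Scoring follows the DoD
Assessment Methodology as summarised here: start at 110, subtract the weight
(1, 3 or 5) of every requirement that is not fully implemented, allow the
partial deduction of 3 instead of 5 only for 3.5.3 and 3.13.11, and floor the
result at -203. The weights and statuses in SAMPLE are constructed for
illustration; take authoritative weights from Annex A of the methodology.
"""
from dataclasses import dataclass
from typing import Dict, List

PERFECT_SCORE = 110
MINIMUM_SCORE = -203

# Only these two requirements carry a partial-credit rule (3 points instead of 5):
# 3.5.3 when MFA covers remote and privileged access but not all users,
# 3.13.11 when encryption is in place but the modules are not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


@dataclass
class Requirement:
    rid: str               # requirement number, e.g. "3.1.1"
    weight: int            # 1, 3 or 5 (illustrative here; see Annex A)
    ssp_status: str        # status claimed in the SSP
    verified_status: str   # status the validation review actually observed
    in_poam: bool = False  # gap is tracked on the POA&M


def deduction(req: Requirement, status: str) -> int:
    """Points subtracted for one requirement at the given status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req.rid}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and req.rid in PARTIAL_CREDIT:
        return 3
    # Every other partial implementation scores as not implemented.
    # A POA&M entry documents the gap but does not reduce the deduction.
    return req.weight


def score(reqs: List[Requirement], use_verified: bool = True) -> int:
    """SPRS score implied by either the SSP claims or the verified findings."""
    lost = sum(
        deduction(r, r.verified_status if use_verified else r.ssp_status) for r in reqs
    )
    return max(PERFECT_SCORE - lost, MINIMUM_SCORE)


def drift_report(reqs: List[Requirement], posted_score: int) -> Dict:
    """Compare the posted SPRS score with what the SSP and the verification imply."""
    findings = [
        (r.rid, r.ssp_status, r.verified_status, r.in_poam)
        for r in reqs
        if r.ssp_status != r.verified_status
    ]
    verified = score(reqs, use_verified=True)
    return {
        "posted": posted_score,
        "ssp_implied": score(reqs, use_verified=False),
        "verified": verified,
        "posted_minus_verified": posted_score - verified,
        "findings": findings,
        # Gaps the SSP claims are closed and nobody is tracking: the MORSE pattern.
        "unplanned_gaps": [rid for rid, _, actual, poam in findings
                           if actual != "implemented" and not poam],
    }


# Constructed sample, not a real assessment.
SAMPLE = [
    Requirement("3.1.1", 5, "implemented", "implemented"),
    Requirement("3.1.2", 5, "implemented", "not_implemented"),   # claimed, never enforced
    Requirement("3.5.3", 5, "implemented", "partial"),           # MFA on VPN/admins only
    Requirement("3.13.11", 5, "implemented", "partial", in_poam=True),  # TLS on, not FIPS-validated
    Requirement("3.3.1", 5, "not_implemented", "not_implemented", in_poam=True),
    Requirement("3.1.5", 3, "implemented", "implemented"),
    Requirement("3.5.7", 1, "implemented", "not_implemented"),
]

if __name__ == "__main__":
    report = drift_report(SAMPLE, posted_score=105)
    print(f"posted {report['posted']}, SSP implies {report['ssp_implied']}, "
          f"verified {report['verified']} (drift {report['posted_minus_verified']})")
    for rid in report["unplanned_gaps"]:
        print(f"  {rid}: SSP says implemented, review found otherwise, no POA&M entry")
```

Two design points matter for the FCA exposure the brief describes. First, a POA&M entry never reduces the deduction; it only records that the gap is known and planned, which is why the report separates tracked gaps from "unplanned" ones where the SSP claims a control is implemented and no one is managing the shortfall. Second, the drift figure is computed from verified status, not from the SSP, because the SSP is the document that drifts; whether a given gap is even POA&M-eligible under the CMMC rule is a separate question this check does not model.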

Accelerator Tool — CMMC Solicitation Monitor

A tracking dashboard that monitors sam.gov for solicitations containing CMMC Level 2 requirements, alerts capture teams to new opportunities, and tracks certification status against pursuit timelines. Use PreVeil’s contract tracker or build automated alerts against sam.gov’s public opportunities API. Available at: preveil.com/blog/list-of-cmmc-contracts
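The core of such a monitor is the screening step: pull recent notices, then decide which ones name a CMMC level and which assessment type (Self, C3PAO, DIBCAC) they demand. The script below is an added example, not code from the brief or from PreVeil's tracker. The classifier runs offline on constructed records modelled on the solicitation types named in Development 04; fetch_recent() is an assumed wrapper around SAM.gov's public Get Opportunities API (endpoint, parameter names and the opportunitiesData response key are my understanding of that API, and should be confirmed against its current documentation), and it needs an API key in the SAM_API_KEY environment variable.

```python
"""Screen SAM.gov opportunity records for CMMC Level 2 requirements.

Added example; not code from the original brief or from PreVeil's tracker.
classify() and screen() run offline on the constructed records below.
fetch_recent() is an assumed wrapper around SAM.gov's public Get Opportunities
API (https://api.sam.gov/opportunities/v2/search) and needs an API key in the
SAM_API_KEY environment variable; confirm parameter names and response shape
against the current API documentation before depending on it.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from datetime import date, timedelta
from typing import Dict, List, Optional

# Matches the designations used in solicitations: "CMMC Level 2 (Self)",
# "CMMC Level 2 (C3PAO)", "CMMC 2.0 Level 3 (DIBCAC)", or "CMMC Level 2" with no type.
LEVEL_RE = re.compile(
    r"\bCMMC\b(?:\s*2\.0)?\s*Level[\s-]*(?P<level>[123])\b"
    r"(?:\s*\((?P<atype>Self|C3PAO|DIBCAC)\))?",
    re.IGNORECASE,
)
ASSESSMENT_TYPES = {"self": "Self", "c3pao": "C3PAO", "dibcac": "DIBCAC"}


def classify(text: str) -> Optional[Dict]:
    """Highest CMMC level named in text, with its assessment type if stated."""
    best = None
    for m in LEVEL_RE.finditer(text):
        level = int(m.group("level"))
        atype = ASSESSMENT_TYPES.get((m.group("atype") or "").lower(), "unspecified")
        explicit = atype != "unspecified"
        # Prefer the higher level; at equal level prefer an explicit assessment type.
        if best is None or (level, explicit) > (best["level"], best["assessment"] != "unspecified"):
            best = {"level": level, "assessment": atype}
    return best


def screen(records: List[Dict], min_level: int = 2) -> List[Dict]:
    """Records whose title or description text names CMMC at or above min_level."""
    hits = []
    for rec in records:
        text = " ".join(filter(None, (rec.get("title"), rec.get("description_text"))))
        result = classify(text)
        if result and result["level"] >= min_level:
            hits.append({**rec, **result})
    return hits


def fetch_recent(days: int = 7, limit: int = 100) -> List[Dict]:
    """Pull opportunities posted in the last `days` days (assumed API usage).

    As I understand the API, `description` in each record is a link to the
    description resource rather than the text itself, so a caller must fetch
    that link and store the result as `description_text` before screen().
    """
    today = date.today()
    params = {
        "api_key": os.environ["SAM_API_KEY"],
        "postedFrom": (today - timedelta(days=days)).strftime("%m/%d/%Y"),
        "postedTo": today.strftime("%m/%d/%Y"),
        "limit": limit,
        "offset": 0,
    }
    url = "https://api.sam.gov/opportunities/v2/search?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp).get("opportunitiesData", [])


# Constructed records modelled on the solicitation types named in the brief.
SAMPLE_RECORDS = [
    {"title": "ERCIP Microgrid Presolicitation",
     "description_text": "Offerors must hold CMMC Level 2 (Self) status at time of award."},
    {"title": "Special Tactics Complex",
     "description_text": "Contractor shall maintain CMMC Level 2 (C3PAO) certification for systems processing CUI."},
    {"title": "Cylindrical Antenna Phase B",
     "description_text": "The Government anticipates a CMMC Level 2 requirement in the final RFP."},
    {"title": "Grounds Maintenance",
     "description_text": "CMMC Level 1 applies; this effort involves FCI only."},
    {"title": "Custodial Services",
     "description_text": "No CUI will be handled under this contract."},
]

if __name__ == "__main__":
    for hit in screen(SAMPLE_RECORDS):
        print(f"{hit['title']}: Level {hit['level']} ({hit['assessment']})")
```

Two caveats for anyone wiring this to a live feed. The CMMC clause often lives in an attachment or the linked description rather than the notice title, so a monitor that only scans titles will miss most of the hits the brief describes; and a notice that names Level 2 without an assessment type (the "unspecified" case, like the Navy antenna example) still needs a human read, because Level 2 (Self) and Level 2 (C3PAO) imply very different lead times.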

 

Forecast & Emerging Issues

Regulatory Harmonization vs. Agency Divergence. The tension between NDAA Section 866’s June 1 harmonization mandate and GSA’s independent Rev 3 framework will come to a head in Q2 2026. Watch for DoD’s response—whether it accelerates Rev 3 transition, forces GSA to modify, or allows agencies to continue on different standards.

AI Security Requirements Will Formalize by June 2026. DoD’s 180-day AI/ML cybersecurity framework deadline will produce draft guidance embedding AI security into DFARS and CMMC. The DeepSeek prohibition is just the first concrete restriction—expect affirmative security requirements for AI tools used in contract performance.

DoJ Enforcement Will Accelerate Through Phase 2. The 233% settlement surge and first criminal indictment signal continued escalation. CMMC annual affirmations create a new annual FCA trigger. Expect DoJ to pursue both large primes and small contractors as more organizations make formal compliance representations.

CMMC Oversight Capacity Gap Will Persist Through 2027. Government workforce reductions and enforcement expansion will remain in tension. Watch for DoD workforce supplementation strategies, and for policy adjustments that acknowledge capacity constraints on behalf of contractors who have secured assessment slots but face C3PAO availability delays.

Phase 2 Solicitation Acceleration. Level 2 requirements appearing before Phase 2’s official start date suggests contracting officers will increase CMMC clause insertion throughout 2026. By Q3, Level 2 may be routine rather than exceptional in DoD CUI solicitations. Plan for certification as a baseline portfolio requirement.

 

Tools & Resources

This week’s developments require contractors to navigate regulatory divergence between agencies, AI tool compliance obligations, and accelerating enforcement trends. The following resources address these challenges while maintaining focus on CMMC certification timelines.

A. Key Public Frameworks and References

GSA CIO-IT Security-21-112 Rev 1: Protecting CUI in Nonfederal Systems

The official GSA procedural guide establishing Rev 3 requirements. Essential for organizations with dual DoD/GSA contract portfolios.

NIST SP 800-171 Revision 3

The NIST standard GSA now requires and DoD will eventually transition to. Review Rev 2 to Rev 3 changes to understand the compliance gap.

CISA Known Exploited Vulnerabilities Catalog

Seven new CVEs added March 3-5, 2026, including CVE-2026-22719 (VMware Aria Operations, CVSS 8.1). Required reference for flaw remediation (NIST SP 800-171 requirement 3.14.1, which maps to SP 800-53 SI-2).

FY 2026 NDAA AI & Cybersecurity Provisions — Crowell & Moring

Analysis of NDAA Sections 1521 and 1532 covering the AI/ML cybersecurity framework mandate and DeepSeek prohibition.

DoJ Civil Cyber-Fraud Initiative 2025 Year in Review — Mintz

All nine 2025 cybersecurity FCA settlements with case details, damages calculations, and enforcement trend analysis.

 

Additional Recommended Reading

GSA’s CMMC-like rules raise concerns in industry

Federal News Network, March 2026 — Industry reaction to GSA’s CUI framework including concerns about regulatory fragmentation and the dual-compliance burden facing contractors.

Contractors Racking Up Big Fines for Cybersecurity Violations

National Defense Magazine, January 2026 — How CMMC implementation is creating new categories of FCA exposure for defense contractors of all sizes.

DOGE Cuts “Unexpectedly and Significantly Impacted” Critical Pentagon Unit

The Intercept, January 2026 — DISA internal memo documenting “extreme risk for loss of service” from workforce reductions and specific capability degradation.

CMMC Contracts in 2026: The Complete List of DoD Solicitations

VisioneerIT, 2026 — Continuously updated tracker of active solicitations containing CMMC requirements for capture team pipeline screening.

DOJ Cyber-Fraud Settlements Surge 233% in 2025

Fluet Law, 2026 — Case-by-case breakdown of the Civil Cyber-Fraud Initiative’s 2025 results with damages calculations and guidance for reducing FCA exposure.

CMMC & Cybersecurity Intelligence Brief is published weekly by Agility Development Group.

Content is based on publicly available information from authoritative government, regulatory, and industry sources.

This brief does not constitute legal or compliance advice. Consult qualified compliance professionals for guidance specific to your environment.

🔒 Subscribe to this brief  —  agility-grp.com/cmmc_brief

Feedback or unsubscribe: info@agility-grp.com

Week of March 9, 2026  |  Issue No. 07  |  © 2026 Agility Development Group
