CMMC & Cybersecurity Intelligence Brief – 08

CMMC & Cybersecurity Intelligence Brief — Week of March 16, 2026

Agility Development Group


Week of March 16, 2026  |  Issue No. 08

CMMC under structural stress: oversight failures, capacity crisis deepening, and CUI requirements expanding beyond DoD

Executive Summary


This week’s developments reveal a federal cybersecurity compliance landscape expanding well beyond DoD’s borders—and a CMMC ecosystem under structural stress from both oversight failures and capacity constraints. The FAR Council’s proposed CUI rule, still advancing through finalization, would extend NIST SP 800-171 compliance requirements to every federal contractor handling CUI across all civilian agencies—a regulatory expansion that dwarfs CMMC in scope. A DoD Inspector General audit has exposed critical flaws in the C3PAO authorization process, finding that the Cyber AB authorized assessment organizations without verifying assessor credentials or signed agreements, while a March 2026 GAO report warns that DoD has not assessed the external risks—including ecosystem capacity and small business attrition—that could undermine the program’s goals. The C3PAO capacity crisis is deepening: only 0.38% of contractors requiring Level 2 certification have passed their assessment to date, with 688 certified assessors and 97 authorized C3PAOs serving an estimated 80,000 contractors, and wait times projected to reach 24 to 30 months by late 2026. CISA’s addition of the Ivanti Endpoint Manager authentication bypass (CVE-2026-1603) to the KEV catalog—enabling theft of domain administrator credentials without authentication—demands immediate patching attention. And identity and access management failures continue to emerge as the most common CMMC assessment deficiency, with shared accounts, missing MFA, and undocumented access controls accounting for a disproportionate share of assessment findings.

In This Issue

01  FAR CUI Rule Would Extend CMMC-Like Requirements to Every Federal Agency
02  DoD IG and GAO Expose Structural Flaws in C3PAO Authorization and Unassessed Program Risks
03  C3PAO Capacity Crisis Deepens—Only 0.38% of Contractors Certified
04  Ivanti EPM Authentication Bypass Under Active Exploitation—Credential Vault Theft Without Authentication
05  Identity and Access Management Is the Top CMMC Assessment Failure Domain

Top Developments

Development 01  |  Policy Update / Regulatory Expansion

FAR CUI Rule Would Extend CMMC-Like Requirements to Every Federal Agency—Comment Period Closed, Finalization Pending

The FAR Council published a proposed rule on January 15, 2025 (90 FR 4278) that would establish government-wide requirements for protecting Controlled Unclassified Information across all federal contracts—not just defense. If finalized, the FAR CUI Rule would require every contractor handling CUI for any federal agency—including DOE, NASA, DHS, GSA, and dozens of others—to implement NIST SP 800-171 Revision 2 security controls, report cybersecurity incidents within eight hours of discovery, and submit to agency-directed validation actions including facility access and system inspections similar to those under DFARS 252.204-7020.

The proposed rule’s scope is staggering. While CMMC targets approximately 80,000 defense contractors, the FAR CUI Rule would affect the entire federal contracting base handling CUI across all civilian agencies—a population that significantly exceeds the defense industrial base. The eight-hour incident reporting requirement represents a dramatic tightening from the current 72-hour window under DFARS 252.204-7012, and would create the most aggressive federal contractor reporting obligation outside of classified systems. Contractors found in violation would face contract remedies, potential suspension or debarment, and the same False Claims Act exposure that has driven DoJ’s Civil Cyber-Fraud Initiative settlements.

The public comment period closed on March 17, 2025, and the rule is advancing through the finalization process. However, the Trump Administration’s January 20, 2025 regulatory freeze order introduces timeline uncertainty. Industry analysts project finalization in late 2025 or early 2026, with no phased rollout: once effective, all new contracts involving CUI would require compliance immediately.

GSA has not waited for the FAR rule. On January 5, 2026, GSA published CIO-IT Security-21-112 Revision 1, independently requiring NIST SP 800-171 Revision 3 compliance for its contractors—going further than even the proposed FAR rule by mandating the newer Rev 3 standard, imposing a one-hour incident reporting window, and identifying nine “showstopper” security requirements that block authorization if unmet. For multi-agency contractors, the compliance landscape is fragmenting into multiple overlapping frameworks with different NIST baselines, different reporting timelines, and different assessment methodologies.

Development 02  |  Enforcement Risk / Program Integrity

DoD Inspector General and GAO Expose Structural Flaws in CMMC Assessment Authorization—Cyber AB Credentialing Gaps and Unassessed Program Risks

A DoD Inspector General audit released January 10, 2025, found that the Department of Defense “did not effectively implement the procedures designed to ensure that C3PAOs meet all eligibility requirements before being authorized” to conduct CMMC Level 2 assessments. The audit examined 11 C3PAOs and found compliance with only 10 of 12 authorization requirements—with failures concentrated in the most consequential credentialing areas. Specifically, the Cyber AB authorized two C3PAOs without maintaining signed agreements, four without verifying quality control lead certification, and all 11 without adequately confirming that both a certified assessor and certified quality control lead were assigned to assessment teams.

Inspector General Robert P. Storch characterized the findings in national security terms: “Without an effective third-party organization authorization process, there is a ripple effect of risks.” The DoD OIG issued 10 recommendations, including directives that the DoD CIO and CMMC Program Management Office establish quality assurance mechanisms ensuring all 12 requirements are verified before C3PAO authorization. While DoD accepted several recommendations, open recommendations remain—signaling continued oversight.

The audit revealed that the Cyber AB’s deadline for obtaining ISO 17011 accreditation was extended to “December 2026 at the earliest”—meaning the accreditation body overseeing C3PAOs may not itself meet international accreditation standards until after Phase 2 enforcement begins in November 2026, raising fundamental questions about the credibility chain underlying contractor certifications.

In March 2026, a GAO report on defense contractor cybersecurity found that while DoD has largely met the elements of a “comprehensive strategy” for CMMC, it has not systematically assessed and documented external factors that could affect program goals. GAO specifically identified “CMMC ecosystem capacity” and “program demand” as key external risk factors, warning that CMMC costs and requirements may drive existing DIB companies—particularly small businesses—to stop doing business with DoD.

Development 03  |  Capacity Shift / Contract Eligibility Risk

C3PAO Capacity Crisis Deepens—Only 0.38% of Contractors Certified, Wait Times Projected to Reach 24–30 Months by Late 2026

The structural imbalance between CMMC assessment demand and C3PAO supply is accelerating into a full-scale capacity crisis as Phase 2’s November 10, 2026 enforcement date approaches. Current industry data reveals the scale of the mismatch: only 0.38% of the estimated contractors requiring Level 2 C3PAO certification have passed their assessment to date—approximately 452 certifications—while the Cyber AB reported 97 authorized C3PAOs and 688 Certified CMMC Assessors as of January 2026. Estimates indicate 2,000 to 3,000 assessors will be needed to meet certification demand across an estimated 80,000 defense contractors requiring Level 2 certification.

Assessment scheduling has already become a business-critical bottleneck. C3PAO schedules are filling rapidly, with current wait times extending 9 to 12 months for many providers. Industry projections suggest that by late 2026, wait times could reach 24 to 30 months—meaning contractors who have not already secured assessment relationships face a rapidly closing window. Assessment costs, which DoD estimates at $105,000 to $118,000 for Level 2, are projected to rise as demand outstrips supply, with some analysts forecasting fees could double to $150,000 or more by late 2026.

ISI Defense, the source of the 0.38% figure, counts approximately 452 Level 2 certifications as of late 2025 and projects full Level 2 compliance no earlier than November 2029 at the current rate. Only about 10% of Level 2 companies are currently scheduled for assessment, and roughly 1,000 companies are either certified or actively in the assessment pipeline—a fraction of the 80,000 requiring certification.

The industry is responding with new partnership models: on January 20, 2026, CyberSheath announced a partnership with ControlCase, an authorized C3PAO, specifically to address the assessment bottleneck. However, organic capacity growth cannot resolve the fundamental supply-demand imbalance: the pipeline of new certified assessors requires training, examination, and supervised assessment experience that cannot be compressed below 6 to 12 months. Organizations that secured C3PAO relationships early hold a concrete competitive advantage that cannot be replicated by competitors who delayed. The DoD has not announced any accommodation for contractors who are assessment-ready but unable to obtain C3PAO scheduling before Phase 2 deadlines.

Development 04  |  Threat Intelligence / Vulnerability Management

CISA Adds Ivanti Endpoint Manager Authentication Bypass to KEV Catalog—Active Exploitation Enables Credential Vault Theft Without Authentication

CISA added CVE-2026-1603, an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM), to its Known Exploited Vulnerabilities catalog on March 9, 2026, based on evidence of active exploitation in the wild. The vulnerability, which carries a CVSS score of 8.6, allows a remote, unauthenticated attacker to bypass authentication entirely and access the EPM Credential Vault—enabling theft of domain administrator password hashes and service account credentials without requiring any valid login credentials.

The technical root cause is a malformed header concatenation flaw within a specific EPM API endpoint that was never subjected to the same authentication controls governing the rest of the application. Classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), the vulnerability creates an unguarded access path that completely bypasses normal authentication. Successful exploitation grants direct access to the most sensitive credential store in the enterprise management platform, enabling immediate lateral movement across the target network with elevated privileges.

The threat is compounded by a companion vulnerability, CVE-2026-1602, a SQL injection flaw that allows reading arbitrary records from the EPM database. When chained together, these vulnerabilities give an attacker both credential theft and database access—a combination that can compromise an entire enterprise environment from a single entry point. The Shadowserver threat monitoring platform tracks over 700 internet-facing Ivanti EPM instances, the majority in North America.

For defense contractors, this vulnerability carries particular significance. NIST SP 800-171 control SI-2 (Flaw Remediation) requires timely patching of known vulnerabilities, and CISA’s KEV listing creates a concrete, dated benchmark: CISA’s remediation deadline is March 23, 2026. Organizations that have not patched by this date face both security exposure and a documented compliance gap. Ivanti released the fix in EPM 2024 SU5; organizations unable to patch immediately should block external access to EPM management ports 80 and 443 and enforce strict IP allowlisting as interim mitigations.

Development 05  |  Assessment Trend / Compliance Readiness

Identity and Access Management Emerges as the Top CMMC Assessment Failure Domain—Shared Accounts, Missing MFA, and Undocumented Access Controls Drive Deficiencies

Data from early CMMC assessments and readiness evaluations consistently identifies identity and access management (IAM) as the most common area of deficiency across defense contractors pursuing Level 2 certification. Multiple assessment organizations report that access control failures—particularly shared accounts, inadequate multi-factor authentication, overly broad privilege assignments, and insufficient audit logging—account for a disproportionate share of assessment findings and represent the single most frequent barrier to certification.

The pattern is particularly acute in manufacturing environments, where operational realities collide with CMMC’s “individual accountability” requirement. Multiple operators sharing a single computer terminal with a generic login—a common practice on manufacturing floors—constitutes an automatic assessment failure, because CMMC requires every person who touches a system containing CUI to have a unique, tracked identity. Manufacturers and small contractors entering CMMC assessments typically carry 40 to 70 control deficiencies in gap assessments, with access control, logging, documentation, and network segmentation representing the largest clusters.

GSA’s newly published showstopper requirements reinforce the criticality of IAM: multi-factor authentication for all users accessing CUI and encryption of CUI at rest and in transit are among the nine controls that block authorization entirely if unmet—no POA&M pathway is available for these requirements.

The evidence gap compounds the technical gap. Many organizations report that security controls are practiced informally but lack the policy documentation and operational logs needed to demonstrate compliance. Verbal assurances have zero evidentiary value in a formal assessment—assessors require written policies, configured system settings, and retrievable audit logs. Level 2 assessments may require 300 to 500 unique evidence artifacts, and IAM-related artifacts constitute a significant portion of that evidence burden.


Impact Analysis

This week’s developments reveal a CMMC ecosystem under compound stress—expanding in regulatory scope while its operational foundations face structural challenges in oversight quality, assessment capacity, and active cyber threats. The central theme is that contractors must prepare for a compliance environment that is simultaneously broader, more scrutinized, and more difficult to navigate than at any previous point.

Regulatory Scope Expansion Beyond DoD. The FAR CUI Rule represents the single largest potential expansion of federal contractor cybersecurity requirements since CMMC itself. Multi-agency contractors face a future where CUI protection is a universal federal obligation. The proposed rule’s eight-hour incident reporting requirement, combined with GSA’s one-hour window and DFARS’s 72-hour standard, means contractors may need to maintain three different incident response timelines depending on which agency’s CUI is affected.

CMMC Program Credibility and Oversight. The DoD IG’s findings that the Cyber AB authorized C3PAOs without verifying credentials—and the extended ISO 17011 accreditation deadline pushing past Phase 2 enforcement—raise legitimate questions about assessment quality assurance. GAO’s warning about unassessed external risks, particularly small business attrition, signals that the program’s long-term sustainability requires attention to market dynamics, not just technical requirements.

Assessment Access as Competitive Advantage. With only 0.38% of contractors certified to date, 688 assessors serving 80,000 contractors, and wait times projected to reach 24 to 30 months by late 2026, the window for achieving certification before Phase 2 enforcement is functionally closing for organizations that have not already engaged a C3PAO. Early movers hold a concrete competitive advantage that cannot be replicated by competitors who delayed.

Active Threat to Enterprise Management Infrastructure. The Ivanti EPM vulnerability represents a particularly dangerous class of exploit: a compromise of the enterprise management platform itself, which typically holds administrative credentials for every managed device. A successful exploitation doesn’t just compromise one system—it provides the attacker with the keys to the entire managed environment. Failure to patch before CISA’s March 23 deadline creates both a security emergency and a documented compliance gap under SI-2.

IAM as the Foundation of Assessment Success. Organizations that invest in resolving IAM deficiencies first—eliminating shared accounts, deploying MFA universally, implementing least-privilege access, and establishing auditable access logs—will address the largest single category of assessment findings in a single remediation effort. This is the highest-leverage compliance investment a contractor can make.


Recommended Actions


PATCH IVANTI EPM IMMEDIATELY

Organizations running Ivanti Endpoint Manager should verify whether they are running version 2024 SU5 or later. If not, upgrade immediately—the CISA KEV remediation deadline is March 23, 2026, and active exploitation has been confirmed. If patching cannot be completed immediately, block external access to EPM management ports 80 and 443 and enforce strict IP allowlisting. Document patching status as compliance evidence under NIST SP 800-171 SI-2.


ASSESS MULTI-AGENCY CUI EXPOSURE

Organizations with contracts across multiple federal agencies should obtain and review the proposed FAR CUI Rule (90 FR 4278) to understand how government-wide CUI requirements would affect their current compliance posture. Identify which non-DoD contracts involve CUI handling and assess whether your existing CMMC-aligned security controls would satisfy the proposed FAR requirements, particularly the eight-hour incident reporting obligation.


CONDUCT IAM AUDIT ACROSS CUI BOUNDARY

Identify and eliminate all shared or generic accounts, verify that MFA is deployed for every user accessing CUI systems, review privilege assignments to ensure least-privilege access, and confirm that audit logs can attribute every system action to a specific individual. For manufacturing environments, pay particular attention to shop floor terminals and shared workstations. Document all findings and remediation actions as assessment evidence.


VET YOUR C3PAO AGAINST IG FINDINGS

Review the DoD IG’s C3PAO audit findings and assess whether your selected or engaged C3PAO has addressed the credentialing gaps identified. Ask prospective assessment organizations about their quality control lead certifications, signed agreements with the Cyber AB, and assessment team composition. Organizations in the process of selecting a C3PAO should factor the IG findings into their due diligence.


SECURE C3PAO ASSESSMENT SLOTS NOW

If you have not yet engaged a C3PAO for your Level 2 assessment, treat this as an urgent action. Current wait times of 3 to 6 months are projected to extend to 18+ months by Q3 2026. Contact multiple C3PAOs immediately to secure assessment slots, even if your remediation work is still in progress—many C3PAOs will schedule 6 to 12 months in advance.


DEVELOP MULTI-AGENCY COMPLIANCE STRATEGY

Map your contract portfolio by agency and CUI involvement, identify where requirements diverge (NIST Rev 2 vs. Rev 3, incident reporting timelines, assessment methodologies), and determine whether maintaining separate compliance tracks or investing in the highest common denominator is more cost-effective. For most multi-agency contractors, building to NIST SP 800-171 Rev 3 standards now will reduce long-term compliance burden.


Readiness Tips & Accelerators

IAM Remediation Sprint

Run a focused 30-day IAM remediation sprint before addressing other control families. Three actions: (1) inventory every account with access to CUI systems and eliminate all shared or generic accounts, (2) deploy MFA on every CUI system access point with no exceptions, and (3) configure audit logs to attribute every action to a specific individual with timestamps. These three actions alone address the most frequently cited assessment deficiencies.
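Added example covering both the IAM audit action in Recommended Actions and this sprint's three steps (it is not code from the brief or from any assessment organization): a Python self-check over a constructed account inventory and audit-log excerpt that flags shared or generic identities, interactive CUI access without MFA, and audit events that cannot be traced to one individual. Account names, hosts and log lines are constructed; the requirement numbers are NIST SP 800-171 Rev 2 identifiers.

```python
"""IAM self-check for a CUI enclave ahead of a Level 2 assessment (added example, not an assessor tool)."""
import re
from collections import Counter

# Requirement IDs use NIST SP 800-171 Rev 2 numbering: 3.3.2 (trace actions to individual users),
# 3.5.1 (identify users and processes), 3.5.3 (multifactor authentication).
GENERIC_NAME = re.compile(r"^(admin|operator|shopfloor|cnc|line|shared|guest|user)\d*$", re.I)

# Constructed account inventory for the CUI boundary: who is allowed to use each account,
# whether MFA is enforced, and whether the account can reach CUI systems.
ACCOUNTS = [
    {"name": "jsmith", "kind": "user", "assigned_to": ["J. Smith"], "mfa": True, "cui_access": True},
    {"name": "shopfloor1", "kind": "user", "assigned_to": ["Line A crew"], "mfa": False, "cui_access": True},
    {"name": "mjones", "kind": "user", "assigned_to": ["M. Jones"], "mfa": False, "cui_access": True},
    {"name": "svc-backup", "kind": "service", "assigned_to": ["Backup job"], "mfa": False, "cui_access": True},
    {"name": "qa-term", "kind": "user", "assigned_to": ["A. Lee", "B. Chen"], "mfa": True, "cui_access": True},
    {"name": "visitor", "kind": "user", "assigned_to": ["Lobby kiosk"], "mfa": False, "cui_access": False},
]

# Constructed audit-log excerpt: timestamp, account, host, action, object. Line 3 has an empty
# account field, the kind of record a logging misconfiguration produces.
AUDIT_LOG = """\
2026-03-16T07:58:03Z jsmith cnc-ws-01 open_drawing PART-44A.pdf
2026-03-16T08:02:11Z shopfloor1 cnc-ws-02 open_drawing PART-44A.pdf
2026-03-16T08:05:40Z  cnc-ws-03 export_drawing PART-44A.pdf
2026-03-16T08:09:27Z qa-term qa-ws-01 edit_record INSP-1002
"""


def account_findings(accounts):
    """Flag shared/generic identities and missing MFA on accounts that reach CUI systems."""
    findings = []
    for a in accounts:
        if not a["cui_access"]:
            continue
        # Two or more assigned people, or a generic login name, means no individual accountability.
        shared = len(a["assigned_to"]) > 1 or (a["kind"] == "user" and GENERIC_NAME.match(a["name"]))
        if shared:
            findings.append((a["name"], "3.5.1", "shared or generic account; no individual accountability"))
        # 3.5.3 applies to interactive user access; service accounts are handled under other controls.
        if a["kind"] == "user" and not a["mfa"]:
            findings.append((a["name"], "3.5.3", "interactive CUI access without MFA"))
    return findings


def log_attribution_findings(log_text, accounts):
    """Flag audit events that cannot be traced to exactly one named individual (3.3.2)."""
    owners = {a["name"]: a["assigned_to"] for a in accounts}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split(" ")  # single-space split keeps an empty account field visible
        if len(fields) < 4:
            continue
        account, host = fields[1], fields[2]
        if not account:
            findings.append((lineno, host, "3.3.2", "event has no account; cannot attribute"))
        elif account not in owners:
            findings.append((lineno, host, "3.3.2", f"account {account!r} not in inventory"))
        elif len(owners[account]) != 1 or GENERIC_NAME.match(account):
            findings.append((lineno, host, "3.3.2", f"event by shared identity {account!r}"))
    return findings


def readiness_summary(accounts, log_text):
    """Count open findings by requirement, the figure to track across the 30-day sprint."""
    ids = [f[1] for f in account_findings(accounts)]
    ids += [f[2] for f in log_attribution_findings(log_text, accounts)]
    return dict(Counter(ids))


if __name__ == "__main__":
    for f in account_findings(ACCOUNTS):
        print("ACCOUNT", *f)
    for f in log_attribution_findings(AUDIT_LOG, ACCOUNTS):
        print("LOG line", *f)
    print(readiness_summary(ACCOUNTS, AUDIT_LOG))
```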

Multi-Agency CUI Mapping Exercise

Create a simple matrix listing every active contract, the contracting agency, whether CUI is involved, and the applicable compliance framework (CMMC/DFARS, GSA CIO-IT Security-21-112, or the forthcoming FAR CUI Rule). This exercise identifies your actual multi-agency exposure and helps prioritize where to invest compliance resources.

C3PAO Due Diligence Checklist

Before engaging or continuing with a C3PAO, ask five questions informed by the DoD IG audit: (1) Is your C3PAO Agreement and Code of Professional Conduct current and signed? (2) Is your quality control lead CMMC-certified? (3) Will both a certified assessor and certified quality control lead be assigned to my assessment? (4) How many Level 2 assessments has your organization completed? (5) What is your current scheduling availability?

Accelerator Tool — CISA KEV Compliance Scanner

A vulnerability management workflow that cross-references your asset inventory against CISA’s Known Exploited Vulnerabilities catalog on a weekly basis. The scanner identifies any KEV-listed vulnerabilities present in your CUI boundary, calculates days remaining until CISA remediation deadlines, and generates SI-2-compliant documentation. Build this using commercial vulnerability scanners (Qualys, Tenable, Rapid7) configured to filter against the CISA KEV feed, or use CISA’s free KEV API for automated alerting.
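The workflow above, as an added example that is not code from the brief or from any commercial scanner: a Python cross-reference of a constructed CUI-boundary inventory against a sample in the shape of CISA's KEV JSON feed, computing days to each CISA due date and emitting SI-2 evidence lines. The host names, version strings and the second (placeholder) catalog entry are constructed; the CVE-2026-1603 dates and the EPM 2024 SU5 fix version come from the brief.

```python
"""Weekly KEV cross-reference for a CUI-boundary asset inventory (added example, not a vendor tool)."""
import json
from datetime import date

# Constructed sample in the shape of CISA's published known_exploited_vulnerabilities.json feed
# (live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE-2026-1603 dates follow the brief; the second entry is an obvious placeholder so the
# overdue path is exercised.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager",
         "vulnerabilityName": "Ivanti Endpoint Manager Authentication Bypass",
         "dateAdded": "2026-03-09", "dueDate": "2026-03-23",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Example Appliance",
         "vulnerabilityName": "placeholder entry", "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory. KEV entries carry no affected-version data, so the fixed version
# comes from the vendor advisory; the brief gives EPM 2024 SU5 for CVE-2026-1603.
ASSETS = [
    {"hostname": "epm-core-01", "vendor": "Ivanti", "product": "Endpoint Manager",
     "version": "2024 SU4", "in_cui_boundary": True},
    {"hostname": "epm-lab-01", "vendor": "Ivanti", "product": "Endpoint Manager",
     "version": "2024 SU5", "in_cui_boundary": True},
    {"hostname": "epm-dev-01", "vendor": "Ivanti", "product": "Endpoint Manager",
     "version": "2024 SU4", "in_cui_boundary": False},
    {"hostname": "appl-edge-01", "vendor": "ExampleVendor", "product": "Example Appliance",
     "version": "1.0", "in_cui_boundary": True},
]
FIXED_VERSIONS = {"CVE-2026-1603": {"2024 SU5"}, "CVE-0000-0000": {"1.1"}}


def _key(vendor, product):
    """Normalise vendor/product so inventory spelling differences do not hide a match."""
    return (vendor.strip().lower(), product.strip().lower())


def kev_findings(kev_json, assets, fixed_versions, today):
    """One finding per (KEV entry, in-scope asset) pair still on a vulnerable version."""
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in assets:
        if not asset["in_cui_boundary"]:          # out-of-scope assets are tracked elsewhere
            continue
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            cve = entry["cveID"]
            if asset["version"] in fixed_versions.get(cve, set()):
                continue                          # already on a fixed build
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "cve": cve, "hostname": asset["hostname"], "installed_version": asset["version"],
                "kev_date_added": entry["dateAdded"], "cisa_due_date": entry["dueDate"],
                "days_remaining": days_left, "status": "OVERDUE" if days_left < 0 else "DUE",
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: f["days_remaining"])  # most urgent first
    return findings


def si2_evidence_lines(findings, today):
    """Render findings as dated lines for an SI-2 flaw-remediation evidence log."""
    lines = [f"SI-2 KEV cross-reference run {today.isoformat()}: {len(findings)} open finding(s)"]
    for f in findings:
        lines.append(f"{f['status']:7} {f['cve']} on {f['hostname']} ({f['installed_version']}) "
                     f"due {f['cisa_due_date']} ({f['days_remaining']:+d} days): {f['required_action']}")
    return lines


def scan_cui_boundary(today_iso="2026-03-16"):
    """Run the weekly cross-reference for a given run date; returns (findings, evidence lines)."""
    today = date.fromisoformat(today_iso)
    findings = kev_findings(SAMPLE_KEV_JSON, ASSETS, FIXED_VERSIONS, today)
    return findings, si2_evidence_lines(findings, today)


if __name__ == "__main__":
    for line in scan_cui_boundary()[1]:
        print(line)
```

Swapping the embedded sample for the live feed and the inventory for a scanner export is the only change needed to run it weekly.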


Forecast & Emerging Issues

FAR CUI Rule Finalization Timeline. The proposed rule’s comment period closed in March 2025, and finalization is projected for late 2025 or 2026—though the regulatory freeze order introduces uncertainty. Watch for OIRA action on the final rule. Once finalized, the rule takes effect immediately with no phase-in, meaning contractors who wait for the final rule before preparing will face a compliance cliff.

Cyber AB Accreditation and C3PAO Quality. The ISO 17011 accreditation deadline extension to December 2026 creates a window where CMMC Phase 2 enforcement could begin before the accreditation body itself meets international standards. Watch for DoD policy guidance addressing this gap—potential responses include conditional enforcement, extended Phase 1 self-assessment acceptance, or accelerated Cyber AB accreditation efforts.

C3PAO Capacity Equilibrium. The current supply-demand imbalance will not resolve in 2026. New assessor certification pipelines take 6 to 12 months, and demand will accelerate as Phase 2 approaches. Watch for DoD accommodation mechanisms—such as interim certification pathways for assessment-ready contractors who cannot schedule C3PAO assessments due to capacity rather than readiness.

Enterprise Management Platform Targeting. The Ivanti EPM exploitation follows a pattern of threat actors targeting enterprise management and identity infrastructure—platforms that provide centralized credential access and broad network visibility. Expect continued threat actor focus on endpoint management, identity providers, and privileged access management platforms throughout 2026. Treat these platforms as Tier 1 patch priority assets.

IAM as Assessment Gating Factor. As C3PAO assessment volume increases through 2026, identity and access management will likely emerge as the most common reason assessments result in conditional or failed outcomes. Organizations that resolve IAM deficiencies before their scheduled assessment significantly improve first-pass success probability. C3PAOs consistently identify IAM as the area where the gap between self-assessment and actual compliance is widest.


Tools & Resources

This week’s developments span regulatory expansion, oversight quality, capacity constraints, active threats, and assessment readiness. The following resources provide practical starting points for addressing each area while maintaining forward progress on certification timelines.

A. Key Public Frameworks and References

Federal Register: Proposed FAR CUI Rule (90 FR 4278)

The full text of the proposed government-wide CUI rule. Essential reading for any contractor handling CUI on non-DoD federal contracts.

DoD Inspector General Report DODIG-2025-046: Audit of C3PAO Authorization Process

The full IG audit report documenting C3PAO authorization deficiencies. Useful for C3PAO selection due diligence.

CISA Known Exploited Vulnerabilities Catalog

CVE-2026-1603 (Ivanti EPM authentication bypass) added March 9, 2026, with a March 23, 2026 remediation deadline. Required reference for SI-2 compliance.

NIST SP 800-171 Revision 3: Protecting CUI in Nonfederal Systems and Organizations

The NIST standard that GSA now requires, and the successor to the Revision 2 baseline referenced by the proposed FAR CUI Rule. Review the changes from Rev 2 to understand the trajectory of federal CUI protection requirements.

Ivanti Security Advisory: EPM 2024 SU5

Official security advisory and patch information for CVE-2026-1603 and CVE-2026-1602. Source for the remediation patch addressing the authentication bypass vulnerability.


Additional Recommended Reading

FAR CUI Rule Standardizes and Extends Cybersecurity Requirements to All Federal Contractors

Greenberg Traurig, January 2025 — Comprehensive legal analysis of the proposed FAR CUI Rule’s key provisions, including the eight-hour incident reporting requirement and subcontractor flow-down obligations.

DoD audit flags weaknesses in cybersecurity certification vetting, heightening compliance risks

Wiley, 2025 — Legal analysis of the DoD IG audit findings with practical implications for contractors selecting C3PAOs and managing assessment quality risks.

CMMC Assessment Challenges in 2026: Insights from Experts on Trends and Pitfalls

Cape Endeavors, 2026 — Expert insights on the most common assessment failures and practical guidance for avoiding them, with specific focus on documentation gaps and access control deficiencies.

DoD to evaluate ‘external’ CMMC risks

Federal News Network, March 2026 — Coverage of the GAO report identifying ecosystem capacity and small business attrition as unassessed external risks to the CMMC program’s success.

CMMC 2.0 for Manufacturers: Where Access Control Breaks Down on the Shop Floor

Imprivata, 2026 — Practical analysis of how manufacturing environments create unique CMMC compliance challenges, with specific guidance on addressing shared accounts and shop floor access control.

CMMC & Cybersecurity Intelligence Brief is published weekly by Agility Development Group.

Content is based on publicly available information from authoritative government, regulatory, and industry sources.

This brief does not constitute legal or compliance advice. Consult qualified compliance professionals for guidance specific to your environment.

🔒 Subscribe to this brief  —  agility-grp.com/cmmc_brief

Feedback or unsubscribe: info@agility-grp.com

Week of March 16, 2026  |  Issue No. 08  |  © 2026 Agility Development Group
