Executive Summary
This week marks a convergence of compliance infrastructure changes and operational urgency. The February 2026 regulatory overhaul quietly eliminated DFARS 252.204-7019 and renumbered 252.204-7020, removing the standalone basic self-assessment pathway and consolidating all CUI compliance through DFARS 252.204-7021. On the threat front, two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) have been under mass automated exploitation since January, with a federal agency patch deadline that expired this week and attack methods that can compromise mobile device management infrastructure central to CMMC control enforcement. Phase 2 mandatory C3PAO assessments are seven months away; with booking windows running three to six months, April is the last viable entry point for certification before November 10. Contracting officers are already inserting C3PAO-assessed Level 2 requirements into Phase 1 solicitations. And the June 16 NDAA Section 1513 AI/ML framework deadline approaches without published contractor standards.
Top Developments
Development 01 | Threat
Ivanti EPMM Zero-Days Under Mass Exploitation: Mobile Device Management Is a CMMC Control Surface
Federal agencies and defense contractors deploying Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron) are facing an actively exploited threat to one of their most frequently overlooked CMMC control surfaces. CISA added CVE-2026-1340 to the Known Exploited Vulnerabilities catalog on April 8, 2026, ordering Federal Civilian Executive Branch agencies to patch by April 11. CVE-2026-1340 carries a CVSS score of 9.8 and allows an unauthenticated remote attacker to execute arbitrary operating system commands via crafted HTTP GET requests to EPMM service endpoints. It is paired with CVE-2026-1281, a related code injection flaw disclosed January 29, 2026 and exploited as a zero-day prior to disclosure. Unit 42 at Palo Alto Networks documented widespread and largely automated exploitation of both CVEs.
The CMMC relevance extends beyond a patch-management obligation. EPMM is the management server for the mobile device fleet: it enforces FIPS-validated cryptographic policies, certificate management, remote wipe capability, and data-at-rest controls for phones and tablets that access CUI. A compromised EPMM server allows an attacker to read or modify device security policies across the entire managed fleet, access personally identifiable information for all enrolled devices (names, email, phone numbers, GPS data), and disable the very technical controls CMMC requires those devices to enforce. Contractors running versions prior to the fixed release (v12.8, released March 18, 2026) and those without network segmentation between EPMM and CUI-handling systems remain exposed to an active, at-scale attack chain.
Source: CISA KEV Catalog, April 8, 2026, confirmed active exploitation and ordered federal remediation by April 11; Rapid7 Engineering Team Report, January 30, 2026, confirmed zero-day exploitation prior to disclosure for CVE-2026-1281; Unit 42 (Palo Alto Networks), confirmed widespread automated exploitation across both CVEs beginning in February 2026.
Development 02 | Policy
DFARS 7019 and 7020 Are Gone: The February Regulatory Restructuring That Changes How Assessment Requirements Work
As of February 1, 2026, DFARS 252.204-7019 no longer exists. Under the Department of Defense’s “Revolutionary FAR Overhaul” (RFO), 38 DFARS class deviations took effect simultaneously, among them the deletion of DFARS 252.204-7019 and the renumbering of DFARS 252.204-7020 to DFARS 252.240-7997 under a new DFARS Part 240. The standalone requirement to conduct a “Basic” NIST SP 800-171 self-assessment and upload the resulting score to SPRS has been removed as a discrete compliance requirement.
The operational consequences are significant and frequently misunderstood. DFARS 252.204-7012 (incident reporting) and DFARS 252.204-7021 (CMMC certification) remain fully in effect. What has changed is the mechanism: the new clause 252.240-7997 defines only Medium and High assessments, both government-performed. The practical effect is that the “self-score and upload” model is gone; CMMC certification under DFARS 7021 is now the sole compliance vehicle for contractors handling CUI. Contractors without a CMMC Level 2 certification no longer have a parallel self-attestation option for basic NIST 800-171 compliance under DFARS.
Source: SME Inc. analysis (2026), confirmed DFARS 252.204-7019 deleted and 252.204-7020 renumbered as of February 1, 2026; Summit 7 Systems analysis (February 2026), confirmed 38 simultaneous DFARS class deviations and elimination of Basic self-assessment; Corp-InfoTech analysis (2026), confirmed SPRS basic score upload obligation removed.
Development 03 | Capacity
Seven Months to Phase 2: The Booking Window Math Makes April the Last Viable C3PAO Entry Point
Phase 2 of CMMC enforcement begins November 10, 2026 — seven months from now — mandating third-party C3PAO assessments for contractors handling CUI at Level 2. As of the Cyber AB’s December 2025 town hall, 93 authorized C3PAOs and 635 Certified CMMC Assessors serve an estimated 80,000-plus contractors needing Level 2 certification. C3PAO assessment engagements, factoring in pre-assessment documentation review, scheduling, the assessment itself, and any POA&M remediation before final certification, typically run three to six months from initial engagement to certification issuance.
The deadline arithmetic is unforgiving. A contractor initiating C3PAO outreach in April 2026 faces a July-to-October assessment window, providing a realistic chance of certification before November 10. A contractor waiting until May faces a July-to-November window, landing certifications at or past the Phase 2 activation date for an increasing share of solicitations. Contractors beginning in June or later have no realistic path to Phase 2 certification before the deadline under current assessor capacity. The capacity ceiling across 93 C3PAOs means the queue fills before demand is met. Early movers gain assessor availability and time to resolve findings. That advantage closes this month.
Source: Cyber AB December 2025 Town Hall, confirmed 93 authorized C3PAOs and 635 Certified CMMC Assessors; PreVeil CMMC contract tracker (2026), confirmed Phase 2 November 10, 2026 date; Secureframe, Accorian, Compass MSP (2026), confirmed 3-6 month C3PAO lead times and 80,000+ contractor demand figure.
Development 04 | Regulatory
NDAA Section 1513 AI/ML Security Framework: June 16 Congressional Deadline Arrives Without Published Standards
Section 1513 of the FY 2026 NDAA, signed December 18, 2025, directs DoD to develop and implement a security framework for AI and ML technologies acquired by or for DoD, and to incorporate that framework into DFARS and CMMC. The June 16, 2026 deadline, now nine weeks away, requires DoD to deliver a status update to Congress including implementation timelines and milestones. Section 1533, in parallel, requires the Secretary of Defense to establish a cross-functional AI model assessment team by June 2026. No framework has been published.
Contractors currently developing, deploying, storing, or hosting AI or ML capabilities for DoD have no CMMC-specific compliance roadmap for those systems. The framework will address workforce security risks, supply chain risks, adversarial tampering, and security monitoring drawing on the NIST SP 800 series. The June 16 report is not itself a compliance deadline, but it marks the starting gun: once the status report establishes implementation timelines, contractor preparation windows compress rapidly into rule-making. Organizations integrating AI tools into DoD workflows should begin documenting the scope and data handling of those systems now, before framework requirements arrive and demand immediate compliance evidence.
Source: Crowell & Moring LLP client alert (January 2026), confirmed NDAA Section 1513 framework mandate, June 16 status deadline, and DFARS/CMMC incorporation requirement; King & Spalding NDAA analysis (December 2025), confirmed Section 1513 workforce, supply chain, and security monitoring scope; WilmerHale NDAA cybersecurity analysis (December 2025), confirmed Section 1533 cross-functional team and June 2026 establishment date.
Development 05 | Enforcement
C3PAO-Assessed Level 2 Now Appearing in Phase 1 Solicitations: Enforcement Is Front-Running the Phase 2 Date
Phase 1 of CMMC enforcement (November 10, 2025 through November 9, 2026) was designed as a transition period in which CMMC requirements would appear in selected solicitations. The market reality is different: contracting officers are inserting C3PAO-assessed Level 2 requirements into active solicitations right now, meaning full third-party certification rather than self-assessed Level 2. PreVeil’s March 2026 CMMC contract tracker documents multiple DoD solicitations explicitly requiring C3PAO-assessed Level 2 certification as a prerequisite for award, including an information monitoring and protection services contract requiring third-party C3PAO certification during Phase 1.
This has two direct implications. First, contractors who believe they have until November 10 to begin C3PAO certification are already losing bid opportunities on contracts that require certification today. Second, the pattern signals that Phase 2 compliance is not arriving as a clean switch-over; it has been arriving unevenly for months in higher-sensitivity procurements. The effective compliance deadline for any given contract is the solicitation date. For a growing share of sensitive DoD contracts, that date has already passed.
Source: PreVeil CMMC Contracts & Solicitations Tracker (March 2026), confirmed multiple active DoD solicitations explicitly requiring C3PAO-assessed Level 2 during Phase 1; VisioneerIT CMMC solicitation analysis (2026), confirmed C3PAO-assessed Level 2 appearing in Phase 1 contracts across multiple military services.
Impact Analysis
This week’s developments describe a compliance environment where the rules are changing faster than most contractors’ internal processes can absorb them.
The DFARS restructuring is the least visible but most operationally consequential change. Contractors whose compliance programs were built around the 7019 self-assessment and SPRS upload model are now operating against a framework that no longer exists. For organizations that have not yet engaged a C3PAO, the elimination of the Basic assessment pathway removes the interim compliance bridge. The path is now singular: CMMC certification under DFARS 7021.
The Phase 2 deadline math and Phase 1 enforcement front-running compound each other directly. A contractor that sees C3PAO-assessed Level 2 required in a March 2026 solicitation and responds by scheduling a Q3 assessment may still miss that bid and the next one while waiting. The competitive displacement is happening now, not in November.
The Ivanti EPMM exploitation targets control-layer infrastructure outside the typical CMMC readiness discussion. MDM platforms manage mobile endpoints increasingly used by contractors to access CUI. A compromised MDM server compromises the technical controls those devices must enforce — simultaneously failing multiple CMMC control families. Contractors that have not inventoried EPMM deployments or validated patch status should treat this as an immediate remediation priority.
The AI framework uncertainty creates planning risk for a widening contractor population. Organizations adopting AI tools for proposal, analysis, and operations functions are building compliance exposure that cannot yet be fully scoped. The time to prepare documentation of existing AI deployments is before requirements are published, not after.
Recommended Actions
Patch Ivanti EPMM Immediately
Any Ivanti EPMM deployment should be validated against version 12.8 (released March 18, 2026). A compromised MDM server represents simultaneous failure of multiple CMMC technical controls. If patching is not immediately possible, implement network segmentation between EPMM and CUI-handling systems and apply Ivanti’s published workarounds as interim measures.
Update Compliance Documentation to the Post-RFO Framework
If your compliance program references DFARS 252.204-7019, 252.204-7020, or SPRS basic self-assessment obligations under those clauses, those references need to be updated. The compliance path now runs through DFARS 252.204-7021 exclusively. Confirm with legal and compliance counsel that your contract review and proposal processes reflect the February 2026 changes.
Engage a C3PAO This Month
Contractors needing Level 2 certification before Phase 2 who have not yet opened C3PAO conversations face serious risk of missing the November 10 deadline. Contact multiple authorized C3PAOs, compare availability and sector experience, and execute an engagement agreement before your preferred assessment window fills. A May start is not equivalent to an April start given 3-6 month lead times.
Inventory AI and ML Tool Deployments
Before the NDAA Section 1513 framework is published, identify every AI or ML capability used in DoD work: what it does, what data it accesses, where it is hosted, and who in your supply chain provides it. This scoping work will be required once the framework arrives; completing it now provides lead time for remediation before requirements are codified.
Review Active Solicitations for C3PAO Level 2 Requirements
Audit active and planned solicitations in your target market for C3PAO-assessed Level 2 requirements. If opportunities exist today requiring third-party certification, your assessment timeline needs to accelerate to match the solicitation timeline, not the Phase 2 date.
Practical Accelerators
SSP Evidence Drill Tracker
The Ivanti EPMM exploitation exposes a gap in how many contractors treat mobile endpoints in their CMMC evidence programs. Evidence for access control, identification and authentication, and media protection controls must extend to mobile devices. The SSP Evidence Drill Tracker runs structured evidence drills across all 110 CMMC controls, surfacing gaps in your evidence library before a formal assessment.
CMMC Documentation Templates — Tier 3: Complete Pack
With DFARS 7019 gone, all CUI compliance runs through CMMC 7021 and the C3PAO-assessed standard. The Tier 3 Complete Pack provides templates, procedures, and 111 control guides with evidence checklists and C3PAO assessment objectives — the full documentation package for a Level 2 C3PAO assessment under the current regulatory framework.
C3PAO Due Diligence Questionnaire
With the Phase 2 booking window closing this month, selecting the right C3PAO under time pressure is a high-stakes decision. Price, methodology, scheduling availability, and sector experience vary significantly across the 93 authorized C3PAOs. The C3PAO Due Diligence Questionnaire gives you the questions experienced compliance leads use before signing.
IAM Assessment Readiness Workbook
C3PAO-assessed Level 2 appearing in Phase 1 solicitations requires certification at award, not in progress. IAM remains the leading assessment failure domain. The IAM Assessment Readiness Workbook maps every identity and access management control to your evidence before an assessor asks for it, across Access Control (3.1), Identification and Authentication (3.5), and Personnel Security (3.9) families.
Forecast & Emerging Issues
● C3PAO booking windows will tighten through Q3 2026. As contractors absorb the Phase 2 deadline math, demand for C3PAO engagements will concentrate in May through August. Assessment capacity does not scale rapidly — expanding from 93 to significantly more C3PAOs requires Cyber AB authorization with its own pipeline. Organizations with Q3 start dates should build aggressive POA&M and remediation timelines into planning.
● DFARS Part 240 will receive increased contractor scrutiny. The February 2026 restructuring created a new DFARS Part 240 and renumbered several cybersecurity clauses. As contractors update compliance programs and contract review processes, the new clause numbering scheme will generate legal and compliance questions. Expect guidance documents clarifying the pre-RFO and post-RFO landscape to circulate widely through Q2 2026.
● The NDAA Section 1513 AI framework will accelerate into rule-making after June 16. Once DoD delivers the Section 1513 status report to Congress, the implementation clock for AI contractor requirements begins. Contractors with significant AI deployments should anticipate DFARS rule-making referencing the AI security framework within 12-18 months of the June 16 report.
● Ivanti vulnerability patterns signal broader MDM targeting. Two separate Ivanti product lines have been added to the CISA KEV within six weeks — EPM in March and EPMM in April. This pattern suggests adversaries are systematically targeting endpoint management infrastructure as a high-leverage attack surface that controls device policies at scale across federal and DIB networks.
● Phase 1 solicitation patterns will inform Phase 2 scoping. Contracting officers inserting C3PAO-assessed Level 2 into Phase 1 solicitations are creating precedent for which contract categories face immediate Phase 2 enforcement after November 10. Contractors in IT services, systems integration, and intelligence-adjacent work should expect the broadest early application.
Tools & Resources
The following authoritative resources support this week’s developments and provide direct access to the regulatory and technical foundations cited.
CISA Known Exploited Vulnerabilities Catalog
The authoritative source for CVEs under active exploitation. BOD 22-01 requires federal agencies to remediate KEV-listed vulnerabilities by stated deadlines. DIB contractors should treat the KEV as a priority patching queue for CUI-handling systems and infrastructure.
Ivanti EPMM Security Advisory
Ivanti’s official security advisory for CVE-2026-1281 and CVE-2026-1340, including affected versions, patch availability (v12.8), and workaround guidance for organizations unable to patch immediately.
DFARS 252.204-7021 on Acquisition.gov
The current, authoritative text of the CMMC contractor compliance clause that now serves as the primary compliance vehicle following the elimination of DFARS 7019. Reference this when updating compliance documentation and contract review processes.
Cyber AB CMMC Marketplace
The official list of authorized C3PAOs and Registered Practitioners, searchable by location and capability. The primary reference for contractor C3PAO selection under the current 93-organization ecosystem.
Additional Recommended Reading
Rapid7 ETR: Critical Ivanti EPMM Zero-Day Exploited in the Wild
Rapid7’s technical analysis of CVE-2026-1281 and CVE-2026-1340, including exploitation mechanics, attack surface description, and detection guidance. Essential reading for security teams responsible for Ivanti EPMM deployments.
Summit 7: Why the RFO Ended DFARS 7019 and 7020
Summit 7’s detailed analysis of the February 2026 DFARS Revolutionary FAR Overhaul, explaining what was deleted, what was renumbered, and what the changes mean for contractor compliance programs.
Crowell & Moring: CMMC for AI? Defense Policy Law Imposes AI Security Framework
The firm’s January 2026 analysis of NDAA Section 1513, explaining the framework mandate, scope of covered entities, June 16 reporting deadline, and what contractors should do before the framework is published.
PreVeil: CMMC Contracts and Solicitations Tracker 2026
A running list of active DoD solicitations and contracts including CMMC requirements, updated regularly. Useful for tracking enforcement patterns and understanding which contracts require C3PAO-assessed Level 2 during Phase 1.
SME Inc.: DFARS 7019 Eliminated — What the End of SPRS Basic Assessments Means for CMMC
Practical compliance analysis of the DFARS 7019 deletion and its downstream implications for SPRS reporting obligations, contractor self-assessment programs, and the transition to CMMC 7021 as the sole compliance pathway.