Executive Summary
This week's brief addresses three compliance domains that are generating the most assessment failures and two regulatory deadlines that will reshape contractor obligations before year-end. FIPS 140-2 validated cryptographic modules will be moved to the NIST Historical List on September 21, 2026, directly affecting the number one "other than satisfied" DIBCAC finding. Defense manufacturers face unique OT scoping challenges as legacy CNC controllers running unsupported operating systems bring production floors into CMMC assessment boundaries. Meanwhile, expert assessors report that 30 to 50 percent of contractors are failing Phase 1 not because of missing technology, but because documentation describes an ideal state rather than actual practice. On the regulatory front, the NDAA Section 866 deadline for DoD-wide cybersecurity requirement harmonization arrives June 1, and the NIST SP 800-171 Rev 3 class deviation continues to hold Rev 2 as the governing standard with no announced end date, even as DoD has published organization-defined parameters signaling the eventual transition.
Top Developments
Development 01 | Regulatory / Standards Transition
FIPS 140-2 Sunset Creates Six-Month Compliance Cliff for Defense Contractors
On September 21, 2026, NIST's Cryptographic Module Validation Program (CMVP) will move all FIPS 140-2 validated modules to the Historical List. After that date, federal agencies will no longer accept FIPS 140-2 validated modules for the protection of controlled unclassified information. Only FIPS 140-3 validated modules will satisfy the requirement going forward. The CMVP stopped accepting new FIPS 140-2 submissions on April 1, 2022, meaning the transition has been underway for four years, yet many defense contractors have not completed their migration.
This is not an abstract compliance concern. DIBCAC's assessment data confirms that NIST SP 800-171 control 3.13.11 (employing FIPS-validated cryptography to protect CUI confidentiality) is the single most failed requirement across all assessments. Out of 117 DIBCAC High assessments conducted, 3.13.11 topped the list of "other than satisfied" controls. Common failure modes include organizations that have acquired FIPS-capable technology but never configured it to run in FIPS mode, teams that verify algorithm validation but not module-level validation, and environments where vague references to "AES encryption" substitute for documented CMVP certificate numbers.
The scoring impact is significant. Non-compliance with FIPS-validated cryptography results in a 3-to-5-point deduction from the maximum SPRS score of 110. For contractors operating near the conditional certification threshold of 88, this single control can determine pass or fail.
With the September 21 deadline six months away, contractors must inventory every cryptographic module in their CUI boundary, verify CMVP certificate numbers against the NIST validated modules database, and initiate vendor engagement for any modules still running FIPS 140-2 only.
Development 02 | Assessment / Sector-Specific Challenge
Manufacturing Floor Compliance Collides with Legacy OT Realities
The CMMC Final Rule has formally brought operational technology into the assessment boundary for defense manufacturers. Under the CMMC 2.0 Scoping Guide, OT and industrial control systems (ICS) are designated as "specialized assets." When a CNC machine's program file contains CUI, that machine is in scope for assessment. This creates a direct collision between cybersecurity requirements designed for modern IT environments and production floors running controllers on Windows XP, Windows 7, or in some cases Windows 95.
Industry data confirms the scale: 100 percent of manufacturing contractors have at least one machine running an unsupported operating system. The most common assessment failures include flat networks where OT and IT share a common network (putting the entire environment in scope), engineering repositories with broad permissions, vendor remote access lacking monitoring or session controls, and logging deficiencies that remain a top cause of Level 2 findings.
The scoping guide provides a path forward. Manufacturers will not automatically fail because they operate legacy CNC equipment. Instead, assessors expect a disciplined, risk-based approach: documented network segmentation that isolates legacy equipment into separate, non-routable VLANs; evidence that machines without direct CUI contact have been scoped out; and clear documentation of CUI data flow through the production environment.
The average manufacturer requires 6 to 12 months to reach audit readiness. Firms targeting contracts in 2027 need their remediation roadmap active now.
Development 03 | Assessment / Enforcement Trend
Assessment Readiness Gap Widens as Documentation Fails to Match Practice
Expert assessors are reporting specific patterns in early CMMC assessment failures that reveal a systemic disconnect between what contractors document and what they actually practice. In a recent analysis featuring Cape Endeavors CEO Terry McGraw and Kratos Defense & Security Solutions Director of Cybersecurity Services Cole French, real-world Level 2 assessment data shows that documentation and evidence quality, not tools or cloud service providers, caused the most failures. FIPS cryptography configuration, cloud environment settings, and procurement process alignment with security requirements remain frequent blind spots.
Assessment data indicates that 30 to 50 percent of companies going through Phase 1 are not passing. The primary failure mode is documentation that describes an ideal state instead of actual implemented practice. When assessors review a System Security Plan that claims MFA is enforced on all privileged accounts but find shared admin credentials in active use, that is a compliance failure, not a documentation gap.
The shift from self-attestation to independent validation under CMMC Phase 1 has fundamentally changed what "compliance" means. Under self-assessment, a contractor's documentation was essentially unverified. Under C3PAO assessment, every claim in the SSP must be supported by objective evidence: screenshots, log exports, configuration files, policy acknowledgment records, and access review documentation.
Procurement misalignment is an emerging risk. When a contractor's procurement process does not include security requirements in vendor selection criteria, the gap surfaces during assessment as a systemic control weakness rather than a single-point finding.
Development 04 | Regulatory / Legislative
NDAA Section 866 Harmonization Deadline Arrives June 1, Forcing DoD-Wide Cybersecurity Consolidation
The FY 2026 National Defense Authorization Act, signed into law on December 18, 2025, includes Section 866, which directs the Secretary of Defense to harmonize cybersecurity requirements applicable to the defense industrial base by June 1, 2026. The provision requires coordination between the DoD CIO, the CIO of each military department, and representatives from the military department service acquisition executives.
Section 866 mandates three specific structural outcomes: establish processes to identify and eliminate duplicative and inconsistent requirements (including requirements unique to single contracts); create a structure for evaluating whether future proposed cybersecurity requirements duplicate existing requirements; and establish a mechanism for ensuring stakeholder visibility into cybersecurity requirements across DoD.
By December 31, 2026, and annually thereafter for three years, the DoD CIO must submit a report to the congressional defense committees describing harmonization efforts and status.
For contractors, Section 866 signals that Congress has recognized the compliance burden created by layered, inconsistent requirements across military departments and is mandating consolidation. Organizations managing contract portfolios with inconsistent cyber requirements should document those inconsistencies now to leverage any harmonization relief that emerges.
Development 05 | Regulatory / Standards Transition
NIST SP 800-171 Rev 3 Class Deviation Holds, but ODP Publication Signals the Planning Window Is Open
The DoD's class deviation (2024-O0013), issued in May 2024, continues to govern: DFARS 252.204-7012 compliance remains locked to NIST SP 800-171 Revision 2. The class deviation has no announced end date, and Rev 2 will remain the operative standard until the deviation is "rescinded." CMMC Phase 2, scheduled to begin November 10, 2026, will roll out Level 2 C3PAO assessment requirements aligned to Rev 2, not Rev 3.
However, the DoD's April 15, 2025 publication of organization-defined parameter (ODP) values for Rev 3 is a clear signal that the transition is being actively prepared. The ODP document establishes recommended or default values for nearly all configurable parameters, ensuring consistent protection across the DIB when the transition occurs. The earliest realistic date for a formal Rev 3 requirement is H2 2027, with an expected 12-to-18-month transition period.
The gap between Rev 2 and Rev 3 is substantive. Rev 3 reorganized the control structure, introduced new control families including Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR), and consolidated or rewrote several controls.
The strategic guidance: certify to Rev 2 now, because that is what assessment and contract eligibility require. But begin familiarizing your compliance team with Rev 3's structure and the published ODP values so that when the transition DFARS rule is proposed, your organization can assess the gap quickly rather than starting from scratch.
Impact Analysis
Contract Eligibility and Competitive Positioning. The FIPS 140-2 sunset creates a hard deadline that directly affects assessment scoring. Contractors relying on FIPS 140-2 validated modules after September 21, 2026 will have a control finding on the single most failed DIBCAC requirement, potentially dropping below the conditional certification threshold. For manufacturers, the OT scoping reality means that production-floor systems previously considered "outside IT" are now assessment-relevant.
Assessment Readiness and Documentation Expectations. The 30-to-50-percent Phase 1 failure rate underscores that the compliance bar has fundamentally shifted. Under self-attestation, a well-written SSP was sufficient. Under independent validation, every SSP claim must be backed by objective evidence. Organizations that invested heavily in documentation without corresponding operational implementation are now the most exposed.
Operational Risk and Financial Impact. The NDAA Section 866 harmonization process offers medium-term relief from duplicative requirements but creates near-term uncertainty. Until the DoD CIO's December 2026 report clarifies which requirements have been consolidated, contractors operating across multiple military departments may encounter conflicting compliance expectations.
Strategic Positioning. Contractors who complete their FIPS 140-3 migration, map their OT boundaries, and align their documentation to actual practice before Phase 2 enforcement in November will hold a measurable competitive advantage. The assessment scheduling bottleneck means early movers who achieve certification in Q2-Q3 2026 will be positioned for contract awards while competitors wait for assessment slots.
Recommended Actions
CONDUCT A FIPS CRYPTOGRAPHIC MODULE INVENTORY
Map every cryptographic module within your CUI boundary. Document the CMVP certificate number, FIPS validation standard (140-2 or 140-3), and certificate expiration date. Flag any module that is FIPS 140-2 only and initiate vendor engagement for 140-3 validated replacements. Prioritize modules protecting data in transit.
MAP CUI DATA FLOW THROUGH MANUFACTURING ENVIRONMENTS
If your organization operates CNC machines, production controllers, or other OT systems, document precisely where CUI enters, transits, and exits the production floor. Identify which machines process CUI-containing program files and which can be demonstrated as out of scope through network segmentation.
AUDIT YOUR SSP AGAINST ACTUAL PRACTICE
Select five controls from your System Security Plan and attempt to produce the objective evidence an assessor would request: screenshots, log exports, configuration files, access review records. If you cannot produce evidence for a documented control, the control is not implemented for assessment purposes regardless of what the SSP states.
BEGIN REV 3 FAMILIARIZATION IN PARALLEL
Download the DoD's published ODP values and the NIST SP 800-171 Rev 3 document. Assign a compliance team member to produce a gap analysis between your current Rev 2 implementations and Rev 3 requirements. This is a planning exercise that will compress your transition timeline when formal rulemaking is announced.
MONITOR SECTION 866 IMPLEMENTATION SIGNALS
Track DoD CIO communications and DFARS Federal Register notices through June 1. If your contracts span multiple military departments with department-specific cybersecurity requirements, document these discrepancies now so your organization is positioned to leverage any harmonization relief that emerges.
Readiness Tips & Accelerators
Use the NIST CMVP Database to Verify Your Cryptography
The CMVP maintains a searchable database of all validated modules at csrc.nist.gov. For each encryption product in your environment, search by vendor name and confirm the module appears on the Active list (not Historical) and the validation is to FIPS 140-3. Document the certificate number in your SSP. This exercise takes 2-4 hours for a typical small contractor and eliminates the number one DIBCAC finding.
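To make the module inventory action above and this verification step concrete, here is an added example (not from the brief, NIST, or any vendor) that triages a constructed cryptographic-module inventory against the September 21, 2026 sunset and the failure modes the brief names. The module names and certificate numbers are placeholders, and the CMVP list status is assumed to have already been looked up by hand in the NIST database.

```python
"""Triage a CUI-boundary cryptographic-module inventory against the FIPS 140-2 sunset."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Date on which CMVP moves FIPS 140-2 validated modules to the Historical List (from the brief).
FIPS_140_2_SUNSET = date(2026, 9, 21)

@dataclass
class CryptoModule:
    name: str
    cmvp_cert: Optional[str]   # CMVP certificate number recorded in the SSP; None if undocumented
    standard: Optional[str]    # "140-2" or "140-3" per the certificate
    cmvp_list: Optional[str]   # "Active" or "Historical" as shown in the CMVP database
    fips_mode_enabled: bool    # is the product actually configured to run in FIPS mode?
    data_in_transit: bool      # does it protect CUI in transit? (prioritized first)

def triage(mod: CryptoModule, assessment_date: str) -> List[str]:
    """Return the 3.13.11 findings an assessor would raise for this module on the given ISO date."""
    findings: List[str] = []
    if not mod.cmvp_cert:
        # A vague "uses AES" claim is not evidence of a validated module.
        findings.append("no CMVP certificate documented; algorithm claims alone do not satisfy 3.13.11")
        return findings
    if not mod.fips_mode_enabled:
        findings.append("validated module present but not configured to run in FIPS mode")
    if mod.cmvp_list == "Historical":
        findings.append("certificate is on the CMVP Historical List")
    if mod.standard == "140-2":
        days_left = (FIPS_140_2_SUNSET - date.fromisoformat(assessment_date)).days
        if days_left <= 0:
            findings.append("FIPS 140-2 only after the sunset date; 140-3 validated replacement required")
        else:
            findings.append(f"FIPS 140-2 only; {days_left} days until sunset, start vendor engagement")
    return findings

def prioritize(inventory: List[CryptoModule], assessment_date: str) -> List[Tuple[str, List[str]]]:
    """Modules with findings: data-in-transit protectors first, then most findings, then by name."""
    rows = [(m, triage(m, assessment_date)) for m in inventory]
    rows = [r for r in rows if r[1]]
    rows.sort(key=lambda r: (not r[0].data_in_transit, -len(r[1]), r[0].name))
    return [(m.name, f) for m, f in rows]

# Constructed sample inventory; names and certificate numbers are placeholders, not real CMVP entries.
SAMPLE_INVENTORY = [
    CryptoModule("VPN gateway", "CERT-PLACEHOLDER-1", "140-2", "Active", True, True),
    CryptoModule("File server OS crypto", "CERT-PLACEHOLDER-2", "140-3", "Active", False, False),
    CryptoModule("Backup appliance", "CERT-PLACEHOLDER-3", "140-2", "Historical", True, False),
    CryptoModule("Legacy CNC file transfer", None, None, None, False, True),
    CryptoModule("Email TLS stack", "CERT-PLACEHOLDER-4", "140-3", "Active", True, True),
]

if __name__ == "__main__":
    for name, findings in prioritize(SAMPLE_INVENTORY, "2026-03-21"):
        print(name, "->", "; ".join(findings))
```

Feed it your own inventory rows once each certificate has been checked in the CMVP search; a module with an empty findings list is the only one that needs no action before the sunset.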
Network Segmentation Documentation for Manufacturers
Create a one-page network diagram showing three zones: (1) CUI Processing (IT systems with full CMMC controls), (2) Segmented OT (legacy machines isolated via VLAN with no CUI access), and (3) Out of Scope. For each zone boundary, document the segmentation method and the evidence that proves the boundary is enforced. Assessors expect documented isolation, not equipment upgrades.
The Five-Control Evidence Drill
Before your assessment, pick five controls at random from your SSP each week and attempt to produce the evidence an assessor would request within 30 minutes. If you cannot, that control has an evidence gap. Repeated weekly for 10 weeks, this drill surfaces your documentation-to-practice gaps before an assessor does.
Accelerator Tool: NIST CMVP Validated Modules Database
Search, filter, and verify every cryptographic module in your CUI boundary against the authoritative federal database. Free, public, and updated continuously. Available at: csrc.nist.gov/projects/cryptographic-module-validation-program
Forecast & Emerging Issues
● FIPS 140-3 Procurement Bottleneck (Q2-Q3 2026). As the September 21 deadline approaches, demand for FIPS 140-3 validated products will spike. Organizations that delay procurement may face extended lead times for validated modules, particularly for specialized or niche encryption products.
● Section 866 Harmonization and Phase 2 Collision (H2 2026). The June 1 harmonization deadline and the November 10 Phase 2 enforcement date create a window where contractors may receive conflicting signals from contracting offices. Monitor DoD CIO implementation communications for signals of coordinated rollout.
● Rev 3 Rulemaking Initiation (H2 2027 or Later). The publication of ODP values removed a key precondition for formal rulemaking. The next signal to watch is a proposed DFARS rule amending the NIST SP 800-171 version reference. When this appears in the Federal Register, the 12-to-18-month transition clock will begin.
● Manufacturing Sector Assessment Surge (2026-2027). As Phase 2 makes Level 2 certification mandatory for CUI-handling contracts, the manufacturing sector will generate a disproportionate share of complex assessments due to OT scoping requirements. C3PAOs with manufacturing assessment experience will command premium scheduling and pricing.
Tools & Resources
This week's developments center on cryptographic compliance, manufacturing-sector readiness, and the documentation-to-evidence gap driving early assessment failures. The resources below support immediate action on the FIPS 140-3 transition, OT scoping, and evidence preparation.
A. Key Public Frameworks and References
NIST CMVP Validated Modules Search
Authoritative database for verifying FIPS 140-2 and 140-3 module validation status. Search by vendor, module name, or certificate number. Essential for the September 2026 transition.
NIST FIPS 140-3 Transition Effort
Official NIST page documenting the transition timeline, submission requirements, and the September 21, 2026 sunset date for FIPS 140-2 acceptance.
DoD CMMC Level 2 Scoping Guide
Defines asset categories including "specialized assets" (OT/ICS), providing the authoritative basis for how manufacturers should scope their assessment boundaries.
FY 2026 NDAA Section 866 Text
Defines the harmonization mandate, June 1 deadline, and annual reporting requirements for DoD-wide cybersecurity requirement consolidation.
Additional Recommended Reading