The FY 2026 NDAA and CMMC Level 2: What the Law Says and What It Signals for Defense Contractors
- Jan 26
On December 18, 2025, the Fiscal Year 2026 National Defense Authorization Act (FY 2026 NDAA) (P.L. 119-60) was signed into law.^[1] While the Act addresses a broad range of national defense priorities, several provisions are directly relevant to cybersecurity obligations across the Defense Industrial Base (DIB).
Most notably, the FY 2026 NDAA explicitly references the Cybersecurity Maturity Model Certification (CMMC) framework and reinforces Congress’s expectation that Department of War cybersecurity requirements for contractors continue to build upon existing frameworks. Although the statute does not reference specific CMMC levels, its language aligns with the regulatory structure under which CMMC Level 2 is currently implemented through Department of War rule-making and DFARS clauses.
Congressional Recognition of the CMMC Framework
The FY 2026 NDAA directs the Department of War to develop and refine cybersecurity frameworks applicable to contractors and provides that such frameworks must:
“be implemented as an extension or augmentation of existing cybersecurity frameworks developed by the Department of War, such as the Cybersecurity Maturity Model Certification framework.”^[1]
This statutory language is significant. By explicitly naming CMMC, Congress confirms its role within the Department’s cybersecurity architecture. By further directing that future frameworks be extensions or augmentations of existing ones, the Act positions CMMC as a foundational reference point rather than a temporary or discretionary initiative.
The statute does not differentiate between CMMC levels, nor does it prescribe how CMMC should be applied. Instead, it affirms the continued use of the CMMC framework as a basis for contractor cybersecurity requirements.
Risk-Based Cybersecurity Requirements and National Security Impact
The FY 2026 NDAA further requires that cybersecurity frameworks developed by the Department be risk-based:
“The framework…shall be risk-based, with higher security levels corresponding proportionally to the national security or foreign policy risks posed by the covered technology being stolen or tampered with.”^[1]
This emphasis on proportionality reflects long-standing Department of War cybersecurity policy. It reinforces the principle that cybersecurity obligations should scale based on the sensitivity of the information involved and the potential national security impact of its compromise.
While the NDAA does not define how these risk-based security levels are to be implemented, existing Department of War regulations and standards—including DFARS clauses and NIST guidance—provide the mechanisms through which this approach is operationalized.^[2][5][6] Within that regulatory context, CMMC Level 2 represents the current implementation tier associated with the protection of Controlled Unclassified Information (CUI).
Governance, Continuous Monitoring, and Incident Response
The Act also requires that cybersecurity frameworks encompass operational maturity, directing inclusion of:
“Security posture management practices, including governance of security measures, continuous monitoring, and incident reporting procedures.”^[1]
This language reinforces the expectation that contractor cybersecurity programs demonstrate sustained effectiveness over time. Governance, monitoring, and incident response are treated as integral elements of cybersecurity posture rather than one-time compliance activities.
These concepts align with the practices described in NIST Special Publication 800-171, which serves as the technical foundation for protecting CUI in nonfederal systems and is incorporated into the Department’s current CMMC implementation.^[2]
Cybersecurity Failures as Contractor Performance Risk
One of the more consequential provisions of the FY 2026 NDAA addresses contractor performance reporting. The Act directs updates to the Defense Federal Acquisition Regulation Supplement (DFARS) to require reporting of:
“Significant cybersecurity breaches or failures—failure to meet cybersecurity requirements or significant breaches caused by contractor negligence.”^[1]
This provision formally elevates cybersecurity failures to matters of contractor performance. Cybersecurity deficiencies are no longer treated solely as technical or compliance issues; they are explicitly framed as performance risks that may affect future contract awards.
These reporting requirements align with DFARS Subpart 242.15 and the Contractor Performance Assessment Reporting System (CPARS), which are used by the Department of War to evaluate contractor performance during source selection.^[3][4]
Subcontractor Flow-Down Obligations
The Act also requires reporting of:
“Failure to flow down required clauses to subcontractors.”^[1]
This reinforces the long-standing obligation of prime contractors to ensure that required contractual clauses—including those related to cybersecurity—are appropriately flowed down throughout the supply chain.
Existing DFARS clauses governing the safeguarding of Covered Defense Information and cybersecurity requirements provide the contractual basis for these obligations.^[5][6] Within the current regulatory framework, these clauses support the application of CMMC requirements, including those associated with CMMC Level 2, to subcontractors that handle CUI.
What the FY 2026 NDAA Signals for CMMC Level 2
Taken together, the FY 2026 NDAA sends several clear signals to defense contractors:
- Congress explicitly recognizes the CMMC framework as foundational^[1]
- Cybersecurity requirements are expected to scale with national security risk^[1]
- Operational maturity—including governance and monitoring—is a core expectation^[1][2]
- Cybersecurity failures may have direct performance consequences^[1][3]
- Subcontractor compliance is a prime contractor responsibility^[1][5]
Although the statute does not reference CMMC Level 2 by name, these provisions reinforce the statutory and regulatory environment in which CMMC Level 2 is currently applied through Department of War rules and DFARS clauses.
The CMMC Phase-In Timeline (2025–2028)

Conclusion
The FY 2026 NDAA does not mandate a specific CMMC level, nor does it redefine existing certification structures. What it does is more fundamental: it affirms the Cybersecurity Maturity Model Certification framework as a central reference point for Department of War contractor cybersecurity requirements and directs that future frameworks build upon it rather than replace it.^[1]
For defense contractors, this statutory recognition underscores the importance of aligning cybersecurity programs with existing Department of War regulations and standards. Within that framework, CMMC Level 2 represents the prevailing implementation tier for protecting Controlled Unclassified Information and managing cybersecurity risk across the Defense Industrial Base.
References
[1] Fiscal Year 2026 National Defense Authorization Act, Pub. L. No. 119-60 (Dec. 18, 2025). https://www.congress.gov/119/bills/s2296/BILLS-119s2296es.pdf
[2] NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
[3] DFARS Subpart 242.15 – Contractor Performance Information. https://www.acquisition.gov/dfars/subpart-242.15
[4] Contractor Performance Assessment Reporting System (CPARS). https://www.cpars.gov/
[5] DFARS 252.204-7012 – Safeguarding Covered Defense Information. https://www.acquisition.gov/dfars/252.204-7012
[6] DFARS 252.204-7021 – Cybersecurity Maturity Model Certification Requirement. https://www.acquisition.gov/dfars/252.204-7021