Industry News & Leadership, Jun 19, 2026

Senate NDAA proposes CMMC grant program - Federal News Network

Federal News Network (archived Jun 19, 2026)



The Senate Armed Services Committee's bill also includes provisions on insider threat reporting for AI companies and new post-quantum cryptography deadlines.

Justin Doubleday (@jdoubledayWFED), June 17, 2026 6:20 pm

The Senate Armed Services Committee has advanced legislation that would set up a grant program for small businesses and nontraditional contractors to cover the costs of Cybersecurity Maturity Model Certification (CMMC) compliance.

The CMMC grant program is included in the full text of the committee’s fiscal 2027 defense authorization bill, released Tuesday. The committee released the text Tuesday after approving the bill in a June 10 closed-door mark up.

If passed into law, the provision would require the Defense Department to establish the CMMC grant program by July 1, 2027.

DoD is ramping up CMMC “Level Two” requirements starting this November. Those requirements are expected to apply to tens of thousands of companies. They generally require contractors that are expected to handle sensitive controlled unclassified information (CUI) to have their data security practices evaluated by a CMMC Third-party Assessment Organization (C3PAO).

The grant program in the Senate defense bill would be available to small businesses and new entrants to offset the costs of a C3PAO assessment. The maximum amount per grant would be $100,000.

The bill would cap the total funding allotted for the CMMC grant program at $50 million. It would also require the program to prioritize organizations that have not previously held a DoD contract or subcontract.

The bill would also require that the grant only be used to offset direct costs associated with a CMMC Level Two third-party assessment.
The Senate bill’s language seeks to address persistent concerns around whether CMMC compliance could force small businesses to leave the defense industrial base or dissuade new companies from seeking defense contracts.

In the final CMMC program rule issued in 2024, DoD estimated that the Level Two certification costs for a small business would be a little more than $101,000.

Those cost estimates don’t include the cost of building a cybersecurity program, as the Pentagon notes CMMC merely evaluates cyber requirements that have been on the books since 2016. Instead, the estimates reflect the expected costs of preparing for a CMMC assessment – such as working with an external service provider – and then conducting the assessment, including paying a C3PAO.

While Pentagon officials have said the cybersecurity evaluations are necessary to ensure defense contractors can protect sensitive data, DoD has also sought to address some of the concerns raised by small business advocates about the burdens of the cyber compliance regime.

Last year, DoD’s Office of Small Business Programs conducted a pulse survey to gauge CMMC readiness, concerns and challenges.

The Army has also launched a cloud-based, secure environment that small businesses can use to store data and meet the cyber requirements evaluated by CMMC. Earlier this year, the Army awarded contracts to eight companies worth a collective $49 million to provide services under the Next-Generation Commercial Operations in Defended Enclaves, or NCODE, program.

Insider threat reporting for AI companies

The Senate bill would also establish insider threat reporting requirements for major artificial intelligence companies that do business with the Pentagon.
The insider threat reporting rules would be aimed at protecting DoD “systems, missions, personnel, operations, and supply chains from counterintelligence, security, and other national security risks.”

The provision comes as the Pentagon works with major AI model manufacturers to integrate the technology across its operations. At the same time, the Trump administration recently prohibited any foreign access to Anthropic’s latest frontier model over national security concerns. The decision forced Anthropic to block all access to the tool.

The Senate bill’s provision would bring major AI companies into the same fold as classified defense contractors, which are required to maintain insider threat programs and provide training to their employees.

Post-quantum deadline

The Senate bill also establishes deadlines for when DoD should adopt post-quantum cryptography algorithms approved by the National Institute of Standards and Technology.

The bill would set a deadline of Dec. 31, 2030, for key establishment, which is used for establishing confidential communication using encryption among two or more parties, according to the Cybersecurity and Infrastructure Security Agency.

The deadline for adopting PQC for digital signatures would be one year later under the Senate bill, on Dec. 31, 2031. CISA says digital signatures are “often essential for authenticating the parties participating in a communication and for establishing the authenticity of data, products, and services.”

The deadlines would not apply to cryptographic keys generated and distributed by the National Security Agency for protecting classified and sensitive national security information.

Justin Doubleday covers cybersecurity, homeland security and the intelligence community for Federal News Network.