Senate NDAA proposes CMMC grant program - Federal News Network
The Senate Armed Services Committee's bill also includes provisions on insider threat reporting for AI companies and new post-quantum cryptography deadlines.
Justin Doubleday (@jdoubledayWFED)
June 17, 2026 6:20 pm
The Senate Armed Services Committee has advanced legislation that would set up a grant program for small businesses and nontraditional contractors to cover the costs of Cybersecurity Maturity Model Certification (CMMC) compliance.
The CMMC grant program is included in the full text of the committee’s fiscal 2027 defense authorization bill, which the committee released Tuesday after approving the bill in a June 10 closed-door markup.
If passed into law, the provision would require the Defense Department to establish the CMMC grant program by July 1, 2027.
DoD is ramping up CMMC “Level Two” requirements starting this November. Those requirements are expected to apply to tens of thousands of companies. They generally require contractors that are expected to handle sensitive controlled unclassified information (CUI) to have their data security practices evaluated by a CMMC Third-party Assessment Organization (C3PAO).
The grant program in the Senate defense bill would be available to small businesses and new entrants to offset the costs of a C3PAO assessment.
The maximum amount per grant would be $100,000. The bill would cap the total funding allotted for the CMMC grant program at $50 million. It would also require the program to prioritize organizations that have not previously held a DoD contract or subcontract.
The bill would also require that the grant only be used to offset direct costs associated with a CMMC Level Two third-party assessment.
The Senate bill’s language seeks to address persistent concerns around whether CMMC compliance could force small businesses to leave the defense industrial base or dissuade new companies from seeking defense contracts.
In the final CMMC program rule issued in 2024, DoD estimated that the Level Two certification costs for a small business would be a little more than $101,000.
Those cost estimates don’t include the cost of building a cybersecurity program, as the Pentagon notes CMMC merely evaluates cyber requirements that have been on the books since 2016.
Instead, the estimates reflect the expected costs of preparing for a CMMC assessment – such as working with an external service provider – and then conducting the assessment, including paying a C3PAO.
While Pentagon officials have said the cybersecurity evaluations are necessary to ensure defense contractors can protect sensitive data, DoD has also sought to address some of the concerns raised by small business advocates about the burdens of the cyber compliance regime.
Last year, DoD’s Office of Small Business Programs conducted a pulse survey to gauge CMMC readiness, concerns and challenges.
The Army has also launched a cloud-based, secure environment that small businesses can use to store data and meet the cyber requirements evaluated by CMMC. Earlier this year, the Army awarded contracts to eight companies worth a collective $49 million to provide services under the Next-Generation Commercial Operations in Defended Enclaves, or NCODE, program.
Insider threat reporting for AI companies
The Senate bill would also establish insider threat reporting requirements for major artificial intelligence companies that do business with the Pentagon. The insider threat reporting rules would be aimed at protecting DoD “systems, missions, personnel, operations, and supply chains from counterintelligence, security, and other national security risks.”
The provision comes as the Pentagon works with major AI model manufacturers to integrate the technology across its operations. At the same time, the Trump administration recently prohibited any foreign access to Anthropic’s latest frontier model over national security concerns. The decision forced Anthropic to block all access to the tool.
The Senate bill’s provision would bring major AI companies into the same fold as classified defense contractors, which are required to maintain insider threat programs and provide training to their employees.
Post-quantum deadline
The Senate bill also establishes deadlines for when DoD should adopt post-quantum cryptography algorithms approved by the National Institute of Standards and Technology.
The bill would set a deadline of Dec. 31, 2030, for key establishment, which is used for establishing confidential communication using encryption among two or more parties, according to the Cybersecurity and Infrastructure Security Agency.
The deadline for adopting PQC for digital signatures would be one year later under the Senate bill, on Dec. 31, 2031. CISA says digital signatures are “often essential for authenticating the parties participating in a communication and for establishing the authenticity of data, products, and services.”
The deadlines would not apply to cryptographic keys generated and distributed by the National Security Agency for protecting classified and sensitive national security information.
Justin Doubleday covers cybersecurity, homeland security and the intelligence community for Federal News Network.