NDAA 2026 may bring relief for defense contractors seeking CMMC compliance

Proposed NDAA 2026 provisions could help defense contractors meet CMMC compliance by funding cybersecurity support programs and reducing implementation costs for the defense industrial base.

Editor's Note: This article originally appeared in the October 2025 print edition of Defense and Munitions under the headline “Help may be coming for businesses needing CMMC.”

The U.S. Congress annually publishes the National Defense Authorization Act (NDAA). The NDAA authorizes funding levels and provides authorities for the U.S. military and other critical defense priorities, ensuring our forces have the training, equipment, and resources needed to complete their missions.

Based on the current House and Senate versions of the Fiscal Year 2026 NDAA, the bill may contain help for the small defense contractors who need to invest in Cybersecurity Maturity Model Certification (CMMC).

The NDAA currently outlines three ways to help Defense Industrial Base (DIB) contractors.

Mandated small business cybersecurity support strategy

The current NDAA 119-39 directs the Department of Defense (DOD) to deliver, by January 31, 2026, a comprehensive strategy focused on supporting contractors in implementing CMMC. The strategy is intended to support implementation of CMMC while balancing security with accessibility and affordability.

To achieve this balance, the strategy may include:

  • Approaches to reduce compliance costs
  • Shared assessment resources
  • Tiered evaluation pathways based on contract sensitivity
  • Alignment to existing cybersecurity frameworks, i.e. NIST SP 800-171

Practical, shareable tools and mentoring

  • User-friendly self-assessment tools that offer clear, actionable guidance to prepare for CMMC.
  • Mentoring support, leveraging programs such as APEX Accelerators and the DOD Mentor-Protégé Program to help small businesses navigate the compliance journey.

Grace periods and allowable cost structuring

The strategy may also consider whether contractors are demonstrating a good-faith effort, for example through:

  • A grace period to complete CMMC requirements post-award
  • Designating CMMC-related costs as allowable contract expenses; today they can only be recovered as a fraction of overhead or general and administrative (G&A) expenses

NDAA cybersecurity mandates

  • Assign the Assistant Secretary of Defense for Cyber Policy as a Principal Staff Advisor on cyber, further aligning this role as the principal advisor to the Secretary of Defense.
  • Direct a report on support for small businesses as it pertains to meeting cybersecurity compliance requirements under the CMMC program.

Congress is acting on your concerns

First, cybersecurity, including CMMC, is top of mind for congressional leaders. They clearly intend for all defense contractors to improve the protection of Controlled Unclassified Information (CUI), artificial intelligence (AI) data, and more.

Second, Congress is working to help contractors for whom costs tied to CMMC represent major obstacles or barriers to entry. It’ll be interesting to see the final 2026 NDAA and note which of these assistance initiatives remain intact.

I’ll continue to keep you updated on help coming from the federal government. In the meantime, if you have questions about the compliance part of the equation, please feel free to contact me.

https://calendly.com/robert-mcvay/defense-munitions-meeting-15-min

Smithers
https://www.smithers.com

About the author: Robert McVay is a senior consultant for information security services in Smithers Quality Assessments Division.
