If your company builds, hosts, or runs AI for the Department of Defense, a new layer of cybersecurity compliance is on the way — and it's being modeled on CMMC. Section 1513 of the FY2026 National Defense Authorization Act directs DoD to develop a risk-based framework for the cybersecurity and physical security of artificial intelligence and machine-learning (AI/ML) technologies it acquires, and to incorporate that framework into the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) program. Commentators have already nicknamed it "CMMC for AI." With a status report to Congress due June 16, 2026, the contours are about to get clearer.
What Section 1513 Actually Directs
The statute doesn't hand DoD a finished rule. It directs the Department to build a framework and then fold it into the acquisition system. As written, the framework is expected to:
- Address AI-specific threats and vulnerabilities — including adversarial tampering, model manipulation, and data poisoning.
- Cover supply-chain risks, data theft, workforce risks, and security-posture management for AI systems.
- Apply most stringently to highly capable AI systems likely to attract sophisticated threat actors, with protections aligned to those used for national security systems.
- Be implemented as an extension or augmentation of existing DoD cybersecurity frameworks — explicitly including CMMC — rather than as a standalone regime.
Critically, the law reaches beyond the running model. "Covered" AI/ML is defined broadly to include the source code, model weights, training data, algorithms, and the software and methods used to develop the system. For contractors, that means the crown-jewel artifacts of an AI product — not just its outputs — fall within scope.
Why It Borrows the CMMC Playbook
The "CMMC for AI" label is apt because the structure mirrors what defense contractors already know. CMMC verifies that contractors have implemented an existing control baseline (NIST SP 800-171) before they can win CUI work. Section 1513 contemplates a comparable move for AI: define the security expectations, bake them into DFARS clauses, and condition AI/ML work on demonstrated compliance. If DoD follows that pattern, contractors should expect flow-down obligations, assessment of some kind, and contract-eligibility consequences for AI work — the same enforcement architecture that makes CMMC consequential.
The June 16 Report Is the Signal to Watch
Section 1513 sets no hard implementation deadline for the framework itself. Instead, it requires DoD to produce a plan with implementation timelines and milestones and to give Congress a status update by June 16, 2026. That report won't impose obligations on contractors, but it is the first authoritative indication of *how fast* and *in what form* the requirements will arrive — and whether DoD intends to build a separate AI assessment track or extend CMMC's existing levels. Anyone selling AI/ML to DoD should read it closely when it lands.
How AI Contractors Should Prepare Now
Nothing is enforceable yet, so the right move is groundwork, not overhaul:
1. Inventory your AI assets. Catalog the models, weights, training data, source code, and pipelines you develop or host for DoD — you can't protect scope you haven't mapped.
2. Extend your existing CMMC/800-171 program to cover AI artifacts. Treat model weights and training data like the sensitive information they are: access control, encryption, logging, and supply-chain vetting.
3. Harden the AI supply chain. Know the provenance of your foundation models, datasets, and third-party components; adversarial tampering and data poisoning are explicit concerns.
4. Watch the rulemaking, not just the law. The real obligations will arrive through DFARS amendments and CMMC integration — track those the way you track any clause change in a solicitation.
Key Takeaways
- NDAA Section 1513 directs DoD to build an AI/ML security framework and wire it into DFARS and CMMC — hence "CMMC for AI."
- Scope is broad: it covers source code, model weights, training data, and algorithms, not just deployed models.
- A status report to Congress is due June 16, 2026 — the first concrete signal of timing and structure for contractors that build or host AI for DoD.
Ground yourself in the CMMC baseline this will build on with our CMMC 2.0 overview, review the underlying control set on the Frameworks page, and see what applies to your work via Find My Requirements or the Defense industry page.