CMMC & Cybersecurity Intelligence Brief – 10
March 30, 2026 | Michael Devine | CMMC and Cybersecurity
Compliance is no longer just a requirement — it's becoming a prerequisite for doing business as FIPS cryptographic deadlines, manufacturing OT scoping, and assessment failures reshape contractor obligations.
This briefing identifies three compliance domains generating the most assessment failures and two regulatory deadlines reshaping contractor obligations before year-end. Key concerns include the FIPS 140-2 cryptographic module sunset, operational technology scoping challenges in manufacturing, and a significant documentation-to-practice gap causing assessment failures. Additionally, the NDAA Section 866 harmonization deadline arrives June 1, while NIST SP 800-171 Rev 3 remains under class deviation with Rev 2 as the current standard.
Top Developments
Development 01: FIPS 140-2 Sunset Creates Six-Month Compliance Cliff
On September 21, 2026, NIST's Cryptographic Module Validation Program will move all FIPS 140-2 validated modules to the Historical List. Federal agencies will no longer accept FIPS 140-2 validated modules for protecting controlled unclassified information; only FIPS 140-3 validated modules will satisfy requirements going forward.
Assessment data confirms that NIST SP 800-171 control 3.13.11 (employing FIPS-validated cryptography to protect CUI confidentiality) is the single most failed requirement across all assessments. Non-compliance results in a 3-to-5-point deduction from the maximum SPRS score of 110 — potentially determining pass or fail near the 88-point conditional certification threshold.
Required Actions:
- Inventory every cryptographic module within your CUI boundary
- Verify CMVP certificate numbers against the NIST validated modules database
- Initiate vendor engagement for FIPS 140-3 validated replacements
Development 02: Manufacturing Floor Compliance Collides with Legacy OT Realities
The CMMC Final Rule has formally brought operational technology into assessment boundaries for defense manufacturers. When a CNC machine's program file contains CUI, that machine falls within scope. This creates a collision between cybersecurity requirements designed for modern IT environments and production floors running controllers on unsupported operating systems.
100 percent of manufacturing contractors have at least one machine running an unsupported operating system. Common assessment failures include flat networks where operational technology and IT share common infrastructure, engineering repositories with broad permissions, vendor remote access lacking monitoring, and logging deficiencies.
The scoping guide provides remediation pathways through documented network segmentation that isolates legacy equipment into separate, non-routable VLANs and evidence that machines without direct CUI contact have been scoped out. Manufacturers typically require 6 to 12 months to reach audit readiness.
Development 03: Assessment Readiness Gap — Documentation Fails to Match Practice
Expert assessors report that documentation and evidence quality, not tools or cloud service providers, caused the most failures. Assessment data indicates that 30 to 50 percent of companies going through Phase 1 are not passing. The primary failure mode involves documentation describing an ideal state rather than actual implemented practice.
Under independent validation through C3PAO assessment, every claim in a System Security Plan must be supported by objective evidence: screenshots, log exports, configuration files, policy acknowledgment records, and access review documentation. When an SSP claims MFA enforcement on all privileged accounts but assessors find shared admin credentials in active use, this constitutes a compliance failure.
Procurement misalignment represents an emerging risk. When a contractor's procurement process excludes security requirements from vendor selection criteria, this surfaces during assessment as systemic control weakness.
Development 04: NDAA Section 866 Harmonization Deadline — June 1, 2026
The FY 2026 National Defense Authorization Act includes Section 866, directing the Secretary of Defense to harmonize cybersecurity requirements applicable to the defense industrial base by June 1, 2026. The provision requires coordination between the DoD CIO, military department CIOs, and service acquisition executives.
Section 866 mandates three specific outcomes:
- Establish processes to identify and eliminate duplicative and inconsistent requirements
- Create structures for evaluating whether future cybersecurity requirements duplicate existing ones
- Establish mechanisms ensuring stakeholder visibility into requirements across DoD
By December 31, 2026, and annually thereafter for three years, the DoD CIO must submit reports to congressional defense committees describing harmonization efforts and status.
Development 05: NIST SP 800-171 Rev 3 Class Deviation Holds; ODP Publication Signals Planning Window
The DoD's class deviation (2024-O0013) continues to govern: DFARS 252.204-7012 compliance remains locked to NIST SP 800-171 Revision 2, with no announced end date. CMMC Phase 2, scheduled to begin November 10, 2026, will align Level 2 C3PAO assessment requirements to Rev 2, not Rev 3.
However, the DoD's April 15, 2025 publication of organization-defined parameter values for Rev 3 signals active transition preparation. The ODP document establishes recommended or default values for nearly all configurable parameters. The earliest realistic date for formal Rev 3 requirement is H2 2027, with an expected 12-to-18-month transition period.
Rev 3 introduces substantive changes: reorganized control structure, new control families including Planning, System and Services Acquisition, and Supply Chain Risk Management, and consolidated or rewritten controls.
Impact Analysis
Contract Eligibility and Competitive Positioning: The FIPS 140-2 sunset creates a hard deadline affecting assessment scoring. Contractors relying on FIPS 140-2 validated modules after September 21, 2026 will face control findings on the most-failed requirement, potentially falling below the conditional certification threshold. For manufacturers, OT scoping means production-floor systems previously considered outside IT scope are now assessment-relevant.
Assessment Readiness and Documentation Expectations: The 30-to-50-percent Phase 1 failure rate demonstrates the compliance bar has fundamentally shifted. Every SSP claim must now be backed by objective evidence. Organizations investing heavily in documentation without corresponding operational implementation face maximum exposure.
Operational Risk and Financial Impact: Section 866 harmonization offers medium-term relief from duplicative requirements but creates near-term uncertainty. Until the DoD CIO's December 2026 report clarifies consolidated requirements, contractors managing portfolios across multiple military departments may encounter conflicting expectations.
Strategic Positioning: Contractors completing FIPS 140-3 migration, mapping OT boundaries, and aligning documentation to actual practice before Phase 2 enforcement in November will hold measurable competitive advantage through early certification positioning.
Recommended Actions
Conduct a FIPS Cryptographic Module Inventory
Map every cryptographic module within your CUI boundary. Document CMVP certificate number, FIPS validation standard, and certificate expiration date. Flag any FIPS 140-2-only modules and initiate vendor engagement for 140-3 validated replacements, prioritizing modules protecting data in transit.
Map CUI Data Flow Through Manufacturing Environments
Document precisely where CUI enters, transits, and exits production floors. Identify which machines process CUI-containing program files and which can be demonstrated out of scope through network segmentation.
Audit Your SSP Against Actual Practice
Select five controls from your System Security Plan and attempt to produce objective evidence an assessor would request. If evidence cannot be produced for a documented control, the control is not implemented for assessment purposes regardless of SSP statements.
Begin Rev 3 Familiarization in Parallel
Download the DoD's published ODP values and the NIST SP 800-171 Rev 3 document. Assign compliance team members to produce a gap analysis between current Rev 2 implementations and Rev 3 requirements. This planning exercise will compress transition timelines when formal rulemaking is announced.
Monitor Section 866 Implementation Signals
Track DoD CIO communications and DFARS Federal Register notices through June 1. If contracts span multiple military departments with department-specific requirements, document discrepancies now to leverage any harmonization relief that emerges.
Readiness Tips & Accelerators
Use the NIST CMVP Database to Verify Your Cryptography
The CMVP maintains a searchable database of all validated modules at csrc.nist.gov. For each encryption product in your environment, search by vendor name and confirm the module appears on the Active list and is validated to FIPS 140-3. Document the certificate number in your SSP. This exercise typically requires 2–4 hours for small contractors and eliminates the number one DIBCAC finding.
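The inventory procedure in the Recommended Actions (Conduct a FIPS Cryptographic Module Inventory) and the CMVP verification tip above can be run as a repeatable check rather than a one-off spreadsheet pass. The Python script below is an added example, not code from the brief or from NIST; the inventory rows, certificate numbers and the CMVP lookup table in it are constructed sample data, and the real lookup is the CMVP validated modules search at csrc.nist.gov. It applies the brief's rules: a module with no recorded certificate, a certificate not found in CMVP, a certificate that is not Active, or a certificate validated only to FIPS 140-2 is flagged, and flagged modules that protect data in transit are queued first.

```python
"""Flag cryptographic modules in the CUI boundary that will not satisfy
NIST SP 800-171 3.13.11 once FIPS 140-2 certificates move to the CMVP
Historical List.

Added example, not code from the brief or from NIST. The inventory rows
and the CMVP lookup table are constructed sample data; real certificate
numbers and statuses come from the CMVP validated modules search at
csrc.nist.gov.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Sunset date given in the brief for moving FIPS 140-2 certificates to Historical.
FIPS_140_2_SUNSET = date(2026, 9, 21)
# Date of the brief, used as the "as of" date for the sample run.
BRIEF_DATE = date(2026, 3, 30)


@dataclass(frozen=True)
class CmvpRecord:
    """What the CMVP entry for one certificate number says."""
    standard: str  # "FIPS 140-2" or "FIPS 140-3"
    status: str    # "Active", "Historical" or "Revoked"


@dataclass(frozen=True)
class InventoryItem:
    """One cryptographic module as recorded in the SSP inventory."""
    asset: str
    module: str
    cert_number: str | None  # CMVP certificate number, None if never recorded
    protects: str            # "in-transit" or "at-rest"


# Constructed stand-in for CMVP lookups; the certificate numbers are placeholders.
SAMPLE_CMVP = {
    "1111": CmvpRecord("FIPS 140-3", "Active"),
    "2222": CmvpRecord("FIPS 140-2", "Active"),
    "3333": CmvpRecord("FIPS 140-2", "Historical"),
}

# Constructed inventory for a small contractor's CUI boundary.
SAMPLE_INVENTORY = [
    InventoryItem("vpn-gw-01", "VPN crypto library", "3333", "in-transit"),
    InventoryItem("file-srv-02", "Disk encryption module", "2222", "at-rest"),
    InventoryItem("mail-gw-03", "TLS library", "1111", "in-transit"),
    InventoryItem("cnc-ctrl-04", "Controller firmware crypto", None, "at-rest"),
]


def classify(item: InventoryItem, cmvp: dict, as_of: date) -> tuple[str, bool]:
    """Return (finding, needs_action) for one inventory row.

    A module only satisfies 3.13.11 if its certificate is found, Active and,
    from the sunset date onward, validated to FIPS 140-3. Before the sunset a
    FIPS 140-2 certificate is still flagged so the replacement can be ordered.
    """
    if item.cert_number is None:
        return "no CMVP certificate recorded in SSP", True
    record = cmvp.get(item.cert_number)
    if record is None:
        return "certificate number not found in CMVP", True
    if record.status != "Active":
        return f"certificate is {record.status}", True
    if record.standard == "FIPS 140-3":
        return "FIPS 140-3, Active", False
    if as_of >= FIPS_140_2_SUNSET:
        return "FIPS 140-2 certificate moved to Historical at sunset", True
    days_left = (FIPS_140_2_SUNSET - as_of).days
    return f"FIPS 140-2 only, {days_left} days until sunset", True


def remediation_queue(inventory, cmvp, as_of):
    """Rows needing action, modules protecting data in transit first (as the
    brief recommends), then by asset name for a stable report."""
    flagged = []
    for item in inventory:
        finding, needs_action = classify(item, cmvp, as_of)
        if needs_action:
            flagged.append((item, finding))
    flagged.sort(key=lambda pair: (pair[0].protects != "in-transit", pair[0].asset))
    return flagged


if __name__ == "__main__":
    for item, finding in remediation_queue(SAMPLE_INVENTORY, SAMPLE_CMVP, BRIEF_DATE):
        print(f"{item.asset:12} {item.protects:10} {item.module:28} -> {finding}")
```

Re-run the script with the as-of date moved to the sunset to see how the remaining FIPS 140-2 Active entries change from a countdown into a finding; the queue output is the list to attach to the SSP alongside the certificate numbers.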
Network Segmentation Documentation for Manufacturers
Create a one-page network diagram showing three zones: (1) CUI Processing, (2) Segmented OT with legacy machines isolated via VLAN with no CUI access, and (3) Out of Scope. For each zone boundary, document the segmentation method and evidence proving the boundary is enforced. Assessors expect documented isolation rather than equipment upgrades.
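To show what "evidence proving the boundary is enforced" can look like for the three-zone diagram above, here is an added Python example that is not from the brief. It takes a constructed VLAN-to-zone map and a constructed inter-VLAN ACL (first match wins, implicit deny) and searches for any permitted path, direct or multi-hop, from the Segmented OT zone into the CUI Processing zone; a flat ruleset is shown beside a hardened one. The VLAN names, zone labels and rules are assumptions for illustration; an assessor would expect the equivalent produced from the policy exported from your actual switch or firewall.

```python
"""Check whether a documented three-zone segmentation actually isolates
legacy OT from CUI processing.

Added example, not from the brief. The VLAN-to-zone map and the two ACL
rule sets are constructed stand-ins for a policy exported from the real
switch or firewall.
"""
from collections import deque

# VLAN -> zone as drawn on the one-page diagram: CUI Processing, Segmented OT,
# Out of Scope. Dict order only affects the order paths are reported in.
VLAN_ZONE = {
    "cui-eng": "CUI",      # engineering workstations handling CUI program files
    "cui-srv": "CUI",      # CUI file/PLM server
    "eng-repo": "OOS",     # engineering repository claimed out of scope
    "legacy-ot": "OT",     # controllers on unsupported OS, no CUI on them
    "corp": "OOS",         # general office network
}

# ACL entries as (source VLAN, destination VLAN, action); first match wins,
# anything unmatched is denied. "any" is a wildcard.
WEAK_RULES = [
    ("legacy-ot", "cui-srv", "deny"),  # the only "segmentation" on a flat network
    ("any", "any", "permit"),          # everything else routes freely
]

HARDENED_RULES = [
    ("legacy-ot", "any", "deny"),      # OT VLAN is non-routable: nothing leaves it
    ("any", "legacy-ot", "deny"),      # and nothing reaches into it
    ("cui-eng", "cui-srv", "permit"),
    ("cui-eng", "eng-repo", "permit"),
    ("corp", "eng-repo", "permit"),
]


def permitted(rules, src, dst):
    """Evaluate the ACL for one directed VLAN-to-VLAN flow."""
    for rule_src, rule_dst, action in rules:
        if rule_src in (src, "any") and rule_dst in (dst, "any"):
            return action == "permit"
    return False  # implicit deny


def reachable_paths(vlan_zone, rules, from_zone, to_zone):
    """Breadth-first search over permitted flows from every VLAN in from_zone.

    Returns each shortest path that first enters to_zone, so a multi-hop
    route through a third VLAN (for example OT -> repository -> CUI server)
    is reported as well as a direct permit.
    """
    vlans = list(vlan_zone)
    paths = []
    for start in (v for v in vlans if vlan_zone[v] == from_zone):
        seen = {start}
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            for nxt in vlans:
                if nxt in seen or not permitted(rules, path[-1], nxt):
                    continue
                seen.add(nxt)
                if vlan_zone[nxt] == to_zone:
                    paths.append(path + [nxt])
                else:
                    queue.append(path + [nxt])
    return paths


def zone_boundary_matrix(vlan_zone, rules):
    """Evidence table for the diagram: for each ordered zone pair, 'permitted'
    if any direct VLAN-to-VLAN flow crosses that boundary, else 'denied'."""
    zones = sorted(set(vlan_zone.values()))
    matrix = {}
    for src_zone in zones:
        for dst_zone in zones:
            if src_zone == dst_zone:
                continue
            crossing = any(
                permitted(rules, s, d)
                for s, sz in vlan_zone.items() if sz == src_zone
                for d, dz in vlan_zone.items() if dz == dst_zone
            )
            matrix[(src_zone, dst_zone)] = "permitted" if crossing else "denied"
    return matrix


if __name__ == "__main__":
    for label, rules in (("flat", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"[{label}] OT -> CUI paths:", reachable_paths(VLAN_ZONE, rules, "OT", "CUI"))
        print(f"[{label}] OT -> CUI boundary:", zone_boundary_matrix(VLAN_ZONE, rules)[("OT", "CUI")])
```

The flat ruleset fails in two ways the brief lists: a direct permit from the OT VLAN into a CUI VLAN, and a two-hop path through the "out of scope" engineering repository that has broad permissions. The hardened ruleset makes the OT VLAN non-routable in both directions, which is the isolation the scoping guide asks manufacturers to document instead of upgrading the controllers.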
The Five-Control Evidence Drill
Weekly, pick five controls at random from your SSP and attempt to produce evidence an assessor would request within 30 minutes. Repeated for 10 weeks, this drill surfaces documentation-to-practice gaps before assessors discover them.
Forecast & Emerging Issues
- FIPS 140-3 Procurement Bottleneck (Q2–Q3 2026): As the September 21 deadline approaches, demand for FIPS 140-3 validated products will spike, potentially creating extended lead times for validated modules.
- Section 866 Harmonization and Phase 2 Collision (H2 2026): The June 1 harmonization deadline and November 10 Phase 2 enforcement date create a window where contractors may receive conflicting signals from contracting offices.
- Rev 3 Rulemaking Initiation (H2 2027 or Later): ODP publication removed a key precondition for formal rulemaking. The next signal to watch is a proposed DFARS rule amending the NIST SP 800-171 version reference.
- Manufacturing Sector Assessment Surge (2026–2027): As Phase 2 makes Level 2 certification mandatory for CUI-handling contracts, the manufacturing sector will generate a disproportionate share of complex assessments due to OT scoping requirements.