House FY2027 NDAA orders DoD cyber-governance review for single accountability
Until DoD names one official responsible for network security, contractors have no stable compliance target for the CMMC and 800-171 refresh cycles that are locking in now.
TL;DR
The House FY2027 NDAA, set for a June 4 markup, would direct the Secretary of Defense to review and potentially consolidate cyber responsibilities across the DoD Chief Information Officer, the Assistant Secretary for Cyber Policy, the Principal Cyber Advisor, U.S. Cyber Command, and DoD Cyber Defense Command. The goal is a single designated official accountable for DoD information-network security, with authority to reassign personnel and eliminate duplicative functions. For defense contractors, that consolidation determines which office owns CMMC compliance enforcement, supply-chain audit authority, and incident-reporting chains. This is the fourth consecutive NDAA to address the same fragmentation problem.
The language in the House Armed Services Cyber, Information Technologies, and Innovation Subcommittee print is blunt by statutory standards: review the roles, responsibilities, relationships, authorities, and governance structures across DoD's cyber enterprise, and produce a single accountable official for the security of DoD information networks. The provision names five entities in scope: the DoD Chief Information Officer, the Assistant Secretary of Defense for Cyber Policy, the Principal Cyber Advisor to the Secretary of Defense, the Commander of U.S. Cyber Command, and DoD Cyber Defense Command. After the review, the Secretary of Defense gets authority to realign, consolidate, reassign personnel and resources, and eliminate duplicative functions, subject to prior notification of the congressional defense committees.
That is a significant consolidation authority. Whether Congress will grant it in the final bill is a different question. But the fact that the same governance fragmentation problem has appeared in four consecutive NDAAs is itself diagnostic: the reviews have not produced accountability, the duplicative structures have persisted, and the cycle repeats.
Why contractors cannot afford to wait
For the defense industrial base, this is not an abstract reorganization. The identity of the single accountable official determines which office enforces CMMC third-party assessment requirements, which office conducts supply-chain network-defense audits, and which office owns the incident-reporting chain under DFARS 252.204-7012. Primes and their major subcontractors are building CMMC compliance programs now, against a NIST SP 800-171 Rev. 2 baseline that itself is still being absorbed. If the reorganization shifts the responsible office after program plans are locked, remediation is not a rounding error.
The subcommittee print also includes studies on zero trust implementation, open-source software risk, and agentic artificial intelligence. Each of those could generate downstream acquisition or policy guidance. But the governance provision is the one with structural consequences: it is the only piece that changes who a contractor calls, who issues a cure notice, and who signs off on a corrective action plan. Contractors should track the markup outcome on June 4 and the Secretary's review timeline closely. If DoD announces its realignment decision after the FY2027 budget cycle closes, the first practical impact lands in FY2028 compliance submissions.
Deep Fathom