
CMMC

Rules, assessments, the C3PAO ecosystem, and the road to contract enforcement.


CMMC is the Department of Defense's certification regime for handling Controlled Unclassified Information across the Defense Industrial Base. This hub tracks rule milestones, C3PAO certifications, assessor body decisions, and DIBCAC activity as they happen.

What changed in the last 30 days

  • nist-800-171/standards

    NIST NCCoE releases SP 1800-41 draft on ICS/OT incident response

    The NIST National Cybersecurity Center of Excellence (NCCoE) published an initial public draft of SP 1800-41, covering incident response and recovery for industrial control system (ICS) and operational technology (OT) environments in the manufacturing sector. Comments are due July 8, 2026. Defense industrial base suppliers and manufacturing contractors running ICS/OT systems should track this: if SP 1800-41 gets folded into CMMC or federal procurement mandates (still an open question), it will add operational resilience requirements on top of the existing NIST SP 800-171 preventive control baseline.

  • nist-800-171/standards

    NIST SP 800-70 Rev 5 mandates CSF 2.0 traceability in federal checklists

    NIST published SP 800-70 Revision 5 on May 8, 2026, requiring security configuration checklists to carry explicit traceability mappings to NIST CSF 2.0 outcomes, SP 800-53 controls, and Common Configuration Enumeration (CCE) identifiers. The revision also extends checklist scope to cloud, IoT, and AI systems and adds explicit support for automated checklist formats. Contractors, primes, C3PAOs, and assessors relying on National Checklist Program (NCP) checklists for audit evidence will need to verify that any checklist they cite maps to Rev 5 structure. NIST has not specified when non-compliant legacy checklists will be deprecated from the NCP repository.

  • nist-800-171/standards

    NIST releases BloSS@M draft, a blockchain supply chain framework for federal software

    NIST published IR 8500A initial public draft (BloSS@M) on May 19, 2026, proposing a blockchain-based framework for how federal agencies acquire, track, and retire software assets government-wide. The draft ties real-time vulnerability feeds from the National Vulnerability Database (NVD) and OSCAL-based compliance automation into a shared procurement infrastructure intended to consolidate purchasing and eliminate redundant spending. Comments are due June 26, 2026, to blossom@nist.gov. Whether BloSS@M will become mandatory for federal software procurement or remain advisory is not answered in the draft.

  • nist-800-172/standards

    NIST opens comment period on SP 800-52 Rev. 2 TLS guidelines

    NIST's Crypto Publication Review Board opened a public comment period through July 10, 2026 on SP 800-52 Rev. 2 (2019), its TLS implementation guidance. The revision targets alignment with IETF TLS 1.3 drafts, but the consequential question is whether NIST will downgrade server-side TLS 1.2 support from "should" to "may." Contractors, primes, MSPs, and C3PAOs with federal TLS configurations should comment now: the outcome will shape compatibility windows across 800-172 and CMMC controls.

  • nist-800-171/standards

    NIST releases draft SP 800-228A on RESTful API security controls

    NIST published the initial public draft of SP 800-228A, Guidelines for the Secure Deployment of RESTful Web APIs, on May 18, 2026, with public comment open through July 2, 2026. The document analyzes threats across pre-runtime and runtime phases and provides controls specific to the RESTful architectural style, complementing the broader SP 800-228 control set. Contractors, C3PAOs, and assessors building or auditing systems that use RESTful APIs should review the draft now: once finalized, gaps against these controls are likely to surface in CMMC and related assessments.

  • nist-800-172/standards

    NIST releases SP 800-172r3, tightening enhanced CUI controls

    NIST published SP 800-172r3 and its companion assessment guide SP 800-172Ar3 on May 13, 2026, adding enhanced requirements across access control, network segmentation, asset management, and supply chain security for contractors handling controlled unclassified information (CUI) in nonfederal systems. Assessors must update evaluation procedures to match r3 or their assessments will be considered non-compliant. NIST has not announced a compliance deadline for contractors currently operating under r2, nor whether existing r2 assessments remain valid during any transition period.

  • nist-800-171/trade-press

    NIST seeks comment on 186-page OT incident response practice guide

    NIST published a draft practice guide on May 21 covering cyber incident response and recovery for manufacturing-sector OT/ICS environments, built on NCCoE collaboration with 11 industry partners. The 186-page guide walks through three scenarios: HMI compromise, data exfiltration, and unauthorized command injection. Each gets a response and recovery execution sequence; Appendix C adds build implementation instructions from individual collaborators. The project traces to a 2022 description and a 2023 collaborator announcement. Comment period closes July 8.

  • stateramp/regulator

    GovRAMP adds five 3PAOs to assessment discount program

    GovRAMP added 360 Advanced, Data Lock Consulting Group, Lunarline, Schellman, and Securisea to its 3PAO Discount Program, bringing total participating firms to ten. The program offers up to 30% off independent security assessments, but only for providers that have completed the GovRAMP Progressing Security Snapshot or achieved GovRAMP Core verification. Founding participants A-LIGN, Prescient Security, Coalfire, Fortreum, and RISCPoint remain in the program. The discount is explicitly scoped to smaller and midsize technology vendors pursuing SLED and federal government work through GovRAMP verification.

  • nist-800-171/trade-press

    USDA OIG finds AI systems deployed without required ATOs or governance

    A USDA OIG report released last week found the Agriculture Department has deployed AI across supply chain risk, crop yield estimation, and permitting without completing required cybersecurity and governance controls. Almost none of the AI use cases in the FY2024 inventory carried an authority to operate. USDA has no generative AI policy, hasn't updated agency-level AI policies, and hasn't implemented minimum risk management practices for high-risk AI systems, as required by OMB guidance. The OIG also flagged shadow AI risk, noting the department relies solely on an annual employee self-report to track AI use. USDA agreed with all recommendations.

  • cui/regulator

    Siemens Opcenter RDnL carries critical ActiveMQ auth flaw; patch now

    CISA published ICS advisory ICSA-26-134-09 covering CVE-2026-27446, a CVSS 7.1 missing-authentication flaw (CWE-306) in Apache ActiveMQ Artemis as shipped with Siemens Opcenter RDnL. All versions are affected. An adjacent-network attacker can force the broker to open an outbound Core federation connection to an attacker-controlled host, enabling message injection or exfiltration on any queue. Siemens recommends updating to Apache Artemis 2.52.0 or later; three interim mitigations cover Core interceptors, acceptor protocol restriction, and two-way SSL. Opcenter RDnL sits in critical manufacturing environments worldwide.

  • nist-800-171/trade-press

    NIST splits AI incident response into two separate guidance tracks

    NIST announced two parallel work streams on AI incident response at a May 14 workshop in Gaithersburg: one updating existing cybersecurity guidelines to cover attacks on AI systems, and a second establishing new recommendations for AI-induced incidents including misuse, malfunction, and unintentional harms. Federal contractors and defense industrial base organizations deploying AI will eventually face more granular playbook requirements than traditional NIST 800-171 incident response controls demand. Who bears liability across the developer-deployer-user stack remains an open question NIST has not yet answered.

  • nist-800-171/trade-press

    NIST targets summer 2025 debut for AI cybersecurity framework overlays

    NIST's Security Engineering and Risk Management Group plans to release a draft cybersecurity framework profile for AI, plus tailored control overlays, beginning this summer: predictive-AI overlay first, agentic-systems overlay by late summer or early fall, with finalization targeted for 2027. Primes, subs, and managed service providers in the defense supply chain should treat the sequenced drafts as early signals of what will land in contract vehicles. The critical unanswered question is whether these overlays will be mandatory references in federal procurement or advisory supplements to NIST SP 800-171/172.

  • nist-800-171/trade-press

    Draft EO sets 2030-2031 federal PQC migration deadlines for agencies and contractors

    A White House draft executive order would require federal agencies to migrate key establishment systems to post-quantum cryptography (PQC) by Dec. 31, 2030, and digital signatures on high-impact systems by Dec. 31, 2031. "Covered contractors" face the same 2030 key establishment deadline under NIST PQC standards. The order tasks OMB with issuing implementation guidance. Critical open questions remain: whether "covered contractors" sweeps in all subcontractors or only primes above a threshold, and what enforcement mechanism OMB will specify, the same gap that made NSA's 2022 quantum-resistant guidance effectively optional for four years.

Open questions

  • How will Joint Surveillance Voluntary Assessments transition to Level 2 certifications post-rule effective date?
  • When will DoD finalize the second tranche of CMMC contract clauses?
  • How are primes flowing CMMC requirements down to subs?
