The Senate Armed Services Committee has advanced legislation that would set up a grant program for small businesses and nontraditional contractors to cover the costs of Cybersecurity Maturity Model Certification (CMMC) compliance.
The CMMC grant program is included in the full text of the committee’s fiscal 2027 defense authorization bill, which the committee released Tuesday after approving the bill in a June 10 closed-door markup.
If passed into law, the provision would require the Defense Department to establish the CMMC grant program by July 1, 2027.
DoD is ramping up CMMC “Level Two” requirements starting this November. Those requirements are expected to apply to tens of thousands of companies. They generally require contractors that are expected to handle sensitive controlled unclassified information (CUI) to have their data security practices evaluated by a CMMC Third-party Assessment Organization (C3PAO).
The grant program in the Senate defense bill would be available to small businesses and new entrants to offset the costs of a C3PAO assessment.
The maximum amount per grant would be $100,000. The bill would cap the total funding allotted for the CMMC grant program at $50 million. It would also require the program to prioritize organizations that have not previously held a DoD contract or subcontract.
The bill would also require that the grant only be used to offset direct costs associated with a CMMC Level Two third-party assessment.
The Senate bill’s language seeks to address persistent concerns around whether CMMC compliance could force small businesses to leave the defense industrial base or dissuade new companies from seeking defense contracts.
In the final CMMC program rule issued in 2024, DoD estimated that the Level Two certification costs for a small business would be a little more than $101,000.
Those cost estimates don’t include the cost of building a cybersecurity program, as the Pentagon notes CMMC merely evaluates cyber requirements that have been on the books since 2016.
Instead, the estimates reflect the expected costs of preparing for a CMMC assessment – such as working with an external service provider – and then conducting the assessment, including paying a C3PAO.
While Pentagon officials have said the cybersecurity evaluations are necessary to ensure defense contractors can protect sensitive data, DoD has also sought to address some of the concerns raised by small business advocates about the burdens of the cyber compliance regime.
Last year, DoD’s Office of Small Business Programs conducted a pulse survey to gauge CMMC readiness, concerns and challenges.
The Army has also launched a cloud-based, secure environment that small businesses can use to store data and meet the cyber requirements evaluated by CMMC. Earlier this year, the Army awarded contracts to eight companies worth a collective $49 million to provide services under the Next-Generation Commercial Operations in Defended Enclaves, or NCODE, program.
Insider threat reporting for AI companies
The Senate bill would also establish insider threat reporting requirements for major artificial intelligence companies that do business with the Pentagon. The insider threat reporting rules would be aimed at protecting DoD “systems, missions, personnel, operations, and supply chains from counterintelligence, security, and other national security risks.”
The provision comes as the Pentagon works with major AI model manufacturers to integrate the technology across its operations. At the same time, the Trump administration recently prohibited any foreign access to Anthropic’s latest frontier model over national security concerns. The decision forced Anthropic to block all access to the tool.
The Senate bill’s provision would bring major AI companies into the same fold as classified defense contractors, which are required to maintain insider threat programs and provide training to their employees.
Post-quantum deadline
The Senate bill also establishes deadlines for when DoD should adopt post-quantum cryptography algorithms approved by the National Institute of Standards and Technology.
The bill would set a deadline of Dec. 31, 2030, for key establishment, which, according to the Cybersecurity and Infrastructure Security Agency, is used to set up confidential, encrypted communication between two or more parties.
The deadline for adopting PQC for digital signatures would be one year later under the Senate bill, on Dec. 31, 2031. CISA says digital signatures are “often essential for authenticating the parties participating in a communication and for establishing the authenticity of data, products, and services.”
The deadlines would not apply to cryptographic keys generated and distributed by the National Security Agency for protecting classified and sensitive national security information.
© 2026 Federal News Network. All rights reserved.