
CMMC Watch

What's moving in CMMC: rules, assessments, the C3PAO ecosystem, and the road to contract enforcement.


CMMC is the Department of Defense's certification regime for handling Controlled Unclassified Information across the Defense Industrial Base. This hub tracks rule milestones, C3PAO certifications, assessor body decisions, and enforcement actions as they happen.

What changed in the last 30 days

  • nist-800-171/trade-press

    NIST plans two AI incident response guidance streams under Trump action plan

    NIST is developing two work streams on AI incident response following a July 2025 White House action plan directive. The first would update existing cybersecurity incident response guidelines to address attacks on AI systems. The second would create recommendations for responding to harms caused by AI systems, including misuse and malfunction. NIST sought feedback at a May 14 workshop and plans to scope the work to the most severe harms, affecting organizations that deploy AI systems and their users.

  • stateramp/regulator

    GovRAMP Policy Papers Push OMB-Led Reciprocity for Cybersecurity Frameworks

    GovRAMP released two publications on April 16 calling for harmonization of overlapping federal and state cybersecurity frameworks built on NIST SP 800-53. The policy white paper identifies OMB-led reciprocity anchored in shared baselines as the highest-impact near-term action. State, local, tribal, and territorial governments are most affected by duplicated compliance efforts and delayed procurement. No rulemaking is proposed; the publications are recommendations intended to support coordinated execution under existing authority.

  • stateramp/regulator

    GovRAMP working group maps StateRAMP controls to CMMC Levels 1 and 2

    GovRAMP's Framework Harmonization Working Group met April 13 to align GovRAMP requirements with CMMC Levels 1 and 2, identifying shared foundational controls and a new federal overlay for low, moderate, and high impact levels. Providers operating across federal, defense, and state/local markets would be affected by any resulting mutual-recognition pathways. GovRAMP said it will next examine how its authorization can satisfy the FedRAMP Equivalency provision for CMMC and plans to address FedRAMP 20x alignment at a future working group session.

  • nist-800-171/trade-press

    NIST to release AI cybersecurity framework draft this summer

    NIST plans to publish a draft cybersecurity framework profile for AI systems this summer, according to Victoria Pillitteri, manager of NIST's Security Engineering and Risk Management Group. The guidance will include control overlays for predictive, agentic, and generative AI systems, with the predictive AI overlay arriving this summer and agentic guidance due in late summer to early fall. NIST aims to finalize all guidance by 2027. Organizations adopting AI should track the draft for baseline cybersecurity controls that may affect vendor and supply chain security requirements.

  • nist-800-171/trade-press

    Draft executive order sets 2030-2031 PQC deadlines for federal agencies, contractors

    A White House draft executive order would require federal agencies to migrate digital signatures for high-impact systems to post-quantum cryptography (PQC) by Dec. 31, 2031, and key establishment to PQC by Dec. 31, 2030, according to sections viewed by Nextgov/FCW. Covered contractors working with federal agencies face a 2030 deadline to comply with NIST-developed PQC standards. National security systems are excluded from the mandate. The order is expected to be released as soon as this week, a source told Nextgov/FCW.

  • nist-800-171/standards

    CIS warns of authentication bypass in pac4j-jwt JWT library

    CIS published an advisory about a vulnerability in pac4j-jwt (JwtAuthenticator) that could allow an unauthenticated remote attacker to bypass authentication and impersonate any user, including an administrator. The flaw affects Java applications using the pac4j security framework for JSON Web Token validation. Organizations using pac4j-jwt should review the CIS advisory and assess impact on their systems, particularly where JWT-based authentication supports compliance with NIST SP 800-171 access control and authentication requirements.

  • nist-800-171/standards

    Fortinet vulnerabilities allow arbitrary code execution across 16 products

    CIS published an advisory on multiple vulnerabilities in Fortinet products including FortiOS, FortiManager, FortiAnalyzer, and FortiClientEMS. The most severe could let an attacker execute arbitrary code in the context of the affected service account. Organizations covered under NIST SP 800-171 and 800-172 that use these products should apply the vendor patches and confirm that the affected systems still satisfy their flaw remediation and configuration management requirements. CIS did not publish a specific CVE list or patch timeline in this advisory; consult the Fortinet security bulletins for affected versions and fixes.
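The pac4j-jwt item above tells affected organizations to assess impact but, as summarized here, gives no fixed version, so the first practical step is an inventory: which Java projects actually declare pac4j-jwt, and at what resolved version. The script below is an added example, not code from CIS or the pac4j project. It parses a constructed pom.xml (the versions 1.2.3 and 1.2.4 are placeholders, not real pac4j releases), follows `${property}` indirection and `<dependencyManagement>` so that a dependency declared without an explicit `<version>` still resolves, and flags watched coordinates whose version is unknown or below a fixed version that the caller supplies once the advisory is consulted.

```python
"""Inventory a Maven pom.xml for watched artifacts (added example, not project code).

SAMPLE_POM is constructed for illustration; versions are placeholders.
The fixed version passed to needs_action() is an assumption the caller
supplies after reading the vendor advisory; this page does not state it.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: the version is indirected through a property and
# <dependencyManagement>, which is why a naive grep misses it.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>cui-portal</artifactId>
  <version>1.0.0</version>
  <properties>
    <pac4j.version>1.2.3</pac4j.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-jwt</artifactId>
        <version>${pac4j.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-jwt</artifactId>
    </dependency>
    <dependency>
      <groupId>org.pac4j</groupId>
      <artifactId>pac4j-core</artifactId>
      <version>${pac4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _resolve(value, props):
    """Expand ${prop} references; unknown properties are left as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_version(v):
    """'1.2.3' -> (1, 2, 3); non-numeric segments sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def inventory(pom_xml, watch):
    """Return {(groupId, artifactId): resolved version or None} for watched coords."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        props = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in props_el}
    props.setdefault("project.version", _text(root, "version") or "")

    managed = {}
    dm = root.find("m:dependencyManagement/m:dependencies", NS)
    for dep in (dm if dm is not None else []):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        managed[key] = _resolve(_text(dep, "version"), props)

    found = {}
    deps = root.find("m:dependencies", NS)
    for dep in (deps if deps is not None else []):
        key = (_text(dep, "groupId"), _text(dep, "artifactId"))
        if key in watch:
            # Explicit version wins; otherwise fall back to dependencyManagement.
            found[key] = _resolve(_text(dep, "version"), props) or managed.get(key)
    return found


def needs_action(found, fixed_versions):
    """Watched coords whose version is unknown, unmanaged, or below the caller's fixed version."""
    flagged = []
    for key, version in found.items():
        fixed = fixed_versions.get(key)
        if version is None or fixed is None or parse_version(version) < parse_version(fixed):
            flagged.append((key, version))
    return flagged


if __name__ == "__main__":
    watch = {("org.pac4j", "pac4j-jwt")}
    found = inventory(SAMPLE_POM, watch)
    # Placeholder fixed version; substitute the value from the vendor advisory.
    for key, version in needs_action(found, {("org.pac4j", "pac4j-jwt"): "1.2.4"}):
        print(f"ACTION {key[0]}:{key[1]} resolved={version}")
```

Run it over each pom.xml in the repositories that back a CUI enclave; a resolved version of `None` means the coordinate is declared but its version comes from a parent POM or BOM this single-file parser does not fetch, which is itself a finding to chase down rather than a clean result.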

Open questions

  • How will Joint Surveillance Voluntary Assessments transition to Level 2 certifications after the rule's effective date?
  • When will DoD finalize the second tranche of CMMC contract clauses?
  • How are primes flowing CMMC requirements down to subcontractors?
