The Senate Armed Services Committee has moved forward with a bill that would create a grant program to help small businesses and nontraditional contractors cover the costs of complying with the Cybersecurity Maturity Model Certification (CMMC).
This grant program is part of the committee’s full fiscal 2027 defense authorization bill, which was released on Tuesday. The committee had already approved the bill during a closed-door markup session on June 10.
If the bill becomes law, the Department of Defense (DoD) would be required to launch the CMMC grant program by July 1, 2027.
Starting this November, DoD is expanding its CMMC “Level Two” requirements. These rules are expected to impact tens of thousands of companies. Generally, contractors handling sensitive controlled unclassified information (CUI) will need their data security practices reviewed by a CMMC Third-party Assessment Organization (C3PAO).
The grant program outlined in the Senate defense bill would be open to small businesses and new market entrants to help offset the expenses of a C3PAO assessment.
Each grant could be worth up to $100,000. The bill sets a total funding cap of $50 million for the CMMC grant program. It also mandates that priority be given to organizations that have never held a DoD contract or subcontract before.
Additionally, the bill specifies that grants can only be used to cover direct costs related to a CMMC Level Two third-party assessment.
The language in the Senate bill aims to address ongoing worries that CMMC compliance might push small businesses out of the defense industrial base or discourage new companies from pursuing defense contracts.
In the final CMMC program rule published in 2024, DoD estimated that the Level Two certification would cost a small business just over $101,000.
These cost estimates do not include expenses for building a cybersecurity program, as the Pentagon clarifies that CMMC only evaluates cyber requirements that have been in place since 2016.
Instead, the estimates reflect the anticipated costs of getting ready for a CMMC assessment—such as hiring an external service provider—and carrying out the assessment itself, including fees paid to a C3PAO.
While Pentagon officials have emphasized that cybersecurity evaluations are essential for ensuring defense contractors can safeguard sensitive data, DoD has also tried to address some concerns raised by small business advocates regarding the challenges of meeting cyber compliance requirements.
Last year, DoD’s Office of Small Business Programs conducted a quick survey to assess CMMC readiness, concerns, and obstacles.
The Army has also introduced a cloud-based secure environment where small businesses can store data and fulfill the cyber requirements evaluated by CMMC. Earlier this year, the Army awarded contracts totaling $49 million to eight companies to provide services under the Next-Generation Commercial Operations in Defended Enclaves (NCODE) program.
Insider Threat Reporting for AI Companies
The Senate bill would also introduce insider threat reporting requirements for major artificial intelligence companies working with the Pentagon. These rules are designed to protect DoD “systems, missions, personnel, operations, and supply chains from counterintelligence, security, and other national security risks.”
This provision comes as the Pentagon collaborates with leading AI model developers to integrate the technology across its operations. Meanwhile, the Trump administration recently banned all foreign access to Anthropic’s latest frontier model due to national security concerns, prompting Anthropic to block access to the tool entirely.
The Senate bill’s provision would place major AI companies under the same obligations as classified defense contractors, which must maintain insider threat programs and train their employees accordingly.
Post-Quantum Cryptography Deadlines
The Senate bill also sets deadlines for when DoD should adopt post-quantum cryptography algorithms approved by the National Institute of Standards and Technology.
The bill would require the transition of key establishment, which the Cybersecurity and Infrastructure Security Agency (CISA) describes as the process used to set up encrypted communication between two or more parties, to be completed by December 31, 2030.
The deadline for adopting post-quantum cryptography for digital signatures would be one year later, on December 31, 2031. CISA notes that digital signatures are “often essential for verifying the identities of parties involved in communications and confirming the authenticity of data, products, and services.”
These deadlines would not apply to cryptographic keys generated and distributed by the National Security Agency for protecting classified and sensitive national security information.
© 2026 Federal News Network. All rights reserved.