Staying Current with Defense Cybersecurity Regulations
Master key practices for regulatory security compliance in defense contracting to ensure success.
---
Defense cybersecurity regulations move. Executive orders get signed, DFARS clauses get updated, NIST publishes new revision guidance, and the CMMC program rolls out in phases across contract types. If you set up your compliance program once and don't watch for changes, you will eventually be out of compliance with a requirement your contract references.
Most small defense contractors don't have a regulatory monitoring process. They learned the requirements when they started their CMMC preparation, and they're working from that snapshot. Here's the current regulatory landscape and how to stay current with it going forward.
The Current Regulatory Landscape
Understanding what governs you requires knowing the full stack. Each layer has its own update cycle.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
This clause has appeared in contracts in its current form since 2016 (the deadline for implementing NIST SP 800-171 was December 31, 2017) and is the source of most contractors' obligation to protect CUI. It requires you to:
- Implement NIST SP 800-171 on every covered contractor information system, meaning any system that processes, stores, or transmits covered defense information; where a cloud service holds that data, the clause requires it to meet the FedRAMP Moderate baseline or equivalent
- Rapidly report cyber incidents to the DoD within 72 hours of discovery, through the DIBNet portal. DIBNet requires a DoD-approved medium assurance certificate, which you must obtain before an incident, not during one
- Isolate and submit malicious software to the DoD Cyber Crime Center (DC3), and preserve images of affected systems and relevant monitoring data for at least 90 days after submitting the incident report
- Give the DoD access to affected systems and data for forensic analysis and damage assessment upon request, and flow the clause down to subcontractors whose work involves covered defense information
DFARS 252.204-7012 is not CMMC. It's the baseline obligation that has existed for years. CMMC is the certification program built on top of it. Today most contractors meet the contractual obligation by self-assessing against NIST SP 800-171 and posting the resulting score in the Supplier Performance Risk System (SPRS), as DFARS 252.204-7019 and 252.204-7020 require. CMMC changes that by requiring an assessment by a certified third-party assessment organization (C3PAO) wherever the DoD designates a contract as Level 2 (C3PAO) rather than Level 2 (Self).
CMMC: 32 CFR Part 170 — The Rule in Effect
The CMMC final rule, published as 32 CFR Part 170, took effect on December 16, 2024. This is the regulation that established the three-level CMMC program (Level 1 self-assessment; Level 2 self-assessment or C3PAO certification; Level 3 assessed by DCMA DIBCAC) and defined a phased rollout into DoD contracts. The phases are clocked not from that date but from the effective date of the companion DFARS acquisition rule (48 CFR), which is what actually puts the clauses into solicitations; that rule took effect in November 2025:
- Phase 1 (beginning on the DFARS rule's effective date): CMMC Level 1 and Level 2 self-assessment requirements appear in applicable new solicitations. The DoD may, at its discretion, require Level 2 C3PAO certification in specific solicitations during this phase.
- Phases 2 through 4 (one year apart, completing in 2028): Phase 2 makes Level 2 C3PAO certification the norm for applicable contracts, Phase 3 adds Level 3, and Phase 4 applies CMMC requirements to all applicable solicitations and contracts, including option periods on existing contracts. The phase boundaries are fixed in the rule; which level a given effort requires is decided per solicitation, so the clause in a specific solicitation is still the primary signal.
What to watch: The DoD publishes CMMC implementation guidance and updates at dodcio.defense.gov. Contracting officers will include DFARS 252.204-7021 (the CMMC clause) in solicitations when the program reaches your contract type. Watch your solicitations — the clause appearing in a new RFP is how most contractors learn they need certification.
FAR CUI Rule — Civilian Agency Requirements
The Federal Acquisition Regulation (FAR) Council published a proposed rule in January 2025 (FAR Case 2017-016) to add CUI requirements to civilian agency contracts (not just DoD). This would apply NIST 800-171 protections to CUI across all federal agencies, not just defense.
Current status: The comment period closed in May 2025. A final rule had not been published as of early 2026, but when finalized, it will significantly expand the universe of contractors required to implement 800-171 protections. Defense contractors who also hold civilian agency contracts should track this closely.
The Federal Register docket for this rule can be followed at federalregister.gov — search "FAR CUI" to find the specific docket and subscribe to email updates.
NIST SP 800-171 Rev 2 vs. Rev 3
NIST published SP 800-171 Revision 3 in May 2024. Rev 3 restructures the requirement set (97 requirements in Rev 3 versus 110 in Rev 2, after consolidation), introduces organization-defined parameters that the assessing agency must fill in, adds requirements with no Rev 2 counterpart and withdraws others. As of early 2026, CMMC Level 2 is still assessed against Rev 2: 32 CFR Part 170 references Rev 2 by name, and the DoD issued a class deviation so that DFARS 252.204-7012 continues to point at Rev 2 rather than the latest revision. The DoD must formally update 32 CFR Part 170 before CMMC assessments are evaluated against Rev 3 requirements.
What this means: Don't implement Rev 3 requirements ahead of schedule expecting credit in a CMMC assessment. Your compliance program today should map to Rev 2's 110 requirements and the assessment objectives in NIST SP 800-171A, which is what the assessor scores against. When the DoD announces the Rev 3 transition (watch for a proposed rule in the Federal Register), you'll have a defined runway to update.
DFARS 252.204-7021 and 252.204-7025: The CMMC Clause and Its Solicitation Provision
These were finalized in the DFARS rule (48 CFR) that followed 32 CFR Part 170, not in Part 170 itself. The solicitation provision, 252.204-7025 (Notice of Cybersecurity Maturity Model Certification Level Requirements), makes holding the required CMMC status, as recorded in SPRS, a condition of award. The contract clause, 252.204-7021, requires you to maintain that status for the life of the contract, complete the annual affirmation in SPRS, notify the contracting officer within 72 hours of any lapse in information security or change in your CMMC status, and flow the CMMC requirement down to subcontractors.
If you are a prime contractor, you are responsible for ensuring your subcontractors meet the CMMC level appropriate to the information they will handle: Level 1 if they receive only FCI, Level 2 if they receive CUI, and Level 2 with C3PAO certification if your own requirement is Level 2 (C3PAO) or Level 3. Tracking your subcontractors' CMMC status is now a program management responsibility, not just an IT concern.
What Changes Most Often
Not all parts of the regulatory stack change at the same pace. Prioritize your monitoring effort:
Changes frequently:
- CMMC program guidance and FAQ updates (dodcio.defense.gov)
- DFARS interim rules and case actions (visible in the Federal Register)
- DoD acquisition policy memoranda on CMMC implementation
Changes occasionally:
- NIST SP 800-171 guidance (controlled by NIST, not DoD)
- NARA CUI Registry category additions or removals (nara.gov/cui)
- Cyber AB (formerly CMMC-AB) accreditation standards and assessment process guidance
Changes rarely:
- The foundational regulations: 32 CFR Part 170 and 32 CFR Part 2002 (the NARA CUI rule)
The Common Mistake: One-Time Regulatory Review
The most common monitoring failure is treating regulatory research as a project with a completion date. A contractor spends two weeks in 2024 reading through the CMMC requirements, builds their compliance program, and never formally reviews the regulatory stack again.
What gets missed:
- DFARS interim rules that change clause language or add new requirements before a final rule is published
- CMMC program guidance that clarifies how specific controls will be assessed — which can change the evidence standard even when the control text doesn't
- New NARA CUI categories that expand what your company is required to mark and protect
- Changes to the CMMC Assessment Process (CAP) documentation published by the Cyber AB (formerly CMMC-AB)
When an assessor finds a gap between your documented practices and current requirements, "I didn't know that changed" is not a remediation — it's evidence that your monitoring process doesn't work.
Building a Monitoring Process That Actually Works
You don't need a team to stay current. You need a process.
Step 1: Subscribe to primary sources. Govinfo.gov and the Federal Register both offer email subscriptions for specific CFR parts and agency dockets. Subscribe to:
- Federal Register dockets for DFARS cases (search "Defense Federal Acquisition Regulation Supplement")
- The CMMC section at dodcio.defense.gov (use RSS or quarterly manual review)
- NARA CUI Registry updates at nara.gov/cui
Step 2: Assign a human owner. The ISSO or compliance lead should own regulatory monitoring as an explicit responsibility. "Someone will notice if things change" is not a process. This person reads the relevant regulatory updates when they're published and determines whether they affect your program.
Step 3: Review your contract clauses on every new solicitation. When you receive a new solicitation or contract modification, compare the DFARS clauses to your previous contract. New clauses or modified clause language trigger a compliance review.
Step 4: Check the CMMC assessment guidance quarterly. The DoD CIO publishes the CMMC Assessment Guides and Scoping Guides that tell assessors how to evaluate each practice; the Cyber AB (formerly CMMC-AB) publishes the CMMC Assessment Process (CAP) and maintains the Marketplace listing of authorized C3PAOs. Assessment guidance that clarifies how evidence is collected for a control can change your preparation requirements even when the control text is unchanged.
Step 5: Build a regulatory change log in your SSP governance. When a regulatory change affects your program, document it: what changed, when, which controls or policies are affected, and what actions you're taking. This log is evidence of your continuous monitoring process (CA.L2-3.12.3) and will be reviewed in your CMMC assessment.
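The mechanical part of Step 3 and Step 5, as an added example that is not from the original article: it pulls every DFARS clause number (and its printed version date) out of a prior contract and a new solicitation, reports what was added, removed or re-versioned, and renders the change-log entry Step 5 calls for. The two solicitation excerpts, the solicitation identifier and the clause version dates in them are constructed for illustration, not real contract data; which controls a given clause change affects is left for the compliance lead, since that judgment cannot be automated from the clause list alone.

```python
"""Diff DFARS clause references between a prior contract and a new solicitation.

Added example, not from the original article. The excerpts below are
constructed for illustration; the clause version dates are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Optional

# DFARS clauses and provisions are numbered 252.2xx-7xxx. The parenthesised
# "(MON YYYY)" printed after a clause title is the clause's version date.
CLAUSE_RE = re.compile(r"\b252\.2\d{2}-7\d{3}\b")
VERSION_RE = re.compile(r"\(([A-Z]{3} (?:19|20)\d{2})\)")


def extract_clauses(text: str) -> dict[str, Optional[str]]:
    """Map every clause number in `text` to its version date, if one is printed."""
    clauses: dict[str, Optional[str]] = {}
    for line in text.splitlines():
        numbers = CLAUSE_RE.findall(line)
        if not numbers:
            continue
        versions = VERSION_RE.findall(line)
        # Attach a date only when the line names exactly one clause and one
        # date; otherwise the date cannot be attributed to a clause safely.
        version = versions[0] if len(numbers) == 1 and len(versions) == 1 else None
        for number in numbers:
            if number not in clauses or (version and clauses[number] is None):
                clauses[number] = version
    return clauses


@dataclass
class ClauseDiff:
    added: dict[str, Optional[str]]
    removed: dict[str, Optional[str]]
    reversioned: dict[str, tuple[str, str]]  # number -> (old date, new date)

    def requires_review(self) -> bool:
        """Any new, dropped or re-versioned clause triggers a compliance review."""
        return bool(self.added or self.removed or self.reversioned)


def diff_clauses(previous: dict[str, Optional[str]],
                 current: dict[str, Optional[str]]) -> ClauseDiff:
    """Compare the clause set of the prior contract with the new solicitation."""
    added = {n: v for n, v in current.items() if n not in previous}
    removed = {n: v for n, v in previous.items() if n not in current}
    # Flag a version change only when both sides printed a date, so a clause
    # whose date simply was not captured does not raise a false alarm.
    reversioned = {
        n: (previous[n], current[n])
        for n in previous.keys() & current.keys()
        if previous[n] and current[n] and previous[n] != current[n]
    }
    return ClauseDiff(added, removed, reversioned)


def change_log_entry(diff: ClauseDiff, solicitation_id: str, noticed_on: str) -> str:
    """Render the SSP regulatory change-log entry: what changed, when, and the
    action taken. Affected controls are deliberately left to the compliance lead."""
    lines = [
        f"Date noticed: {noticed_on}",
        f"Source: solicitation {solicitation_id}, clause comparison against prior contract",
    ]
    for number, version in sorted(diff.added.items()):
        lines.append(f"Added clause: {number}" + (f" ({version})" if version else ""))
    for number, version in sorted(diff.removed.items()):
        lines.append(f"Removed clause: {number}" + (f" ({version})" if version else ""))
    for number, (old, new) in sorted(diff.reversioned.items()):
        lines.append(f"Re-versioned clause: {number} {old} -> {new}")
    lines.append("Affected controls/policies: to be determined by compliance lead")
    lines.append("Action: compliance review opened" if diff.requires_review()
                 else "Action: none, clause set unchanged")
    return "\n".join(lines)


# Constructed excerpts (not real solicitations; version dates illustrative).
PRIOR_CONTRACT = """\
SECTION I - CONTRACT CLAUSES
252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (OCT 2016)
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (DEC 2019)
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (NOV 2023)
252.204-7020 NIST SP 800-171 DoD Assessment Requirements (NOV 2023)
"""

NEW_SOLICITATION = """\
SECTION I - CONTRACT CLAUSES
252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (OCT 2016)
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (JAN 2023)
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (NOV 2023)
252.204-7020 NIST SP 800-171 DoD Assessment Requirements (NOV 2023)
252.204-7021 Cybersecurity Maturity Model Certification Requirements (NOV 2025)
"""

if __name__ == "__main__":
    diff = diff_clauses(extract_clauses(PRIOR_CONTRACT), extract_clauses(NEW_SOLICITATION))
    print(change_log_entry(diff, "EXAMPLE-26-R-0001", "2026-01-15"))
```

Run against the two constructed excerpts, the script reports 252.204-7021 as a new clause and 252.204-7012 as re-versioned, and marks the entry "compliance review opened"; the same two documents with no differences would produce an entry recording that the clause set was checked and unchanged, which is itself evidence for CA.L2-3.12.3 that the comparison is actually performed on every solicitation.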
Decision Point: Update vs. Program Review
When a regulatory change comes in, the question is whether it requires a targeted SSP update or a broader program review. A rough guide:
SSP update appropriate when:
- A clause clarification changes how you document an existing control (no new implementation required)
- A new NARA CUI category is added that doesn't affect CUI you handle
- Minor process changes in CMMC assessment guidance affect evidence requirements for one or two controls
Full program review warranted when:
- A new control is added to the required set (as will happen with the NIST 800-171 Rev 3 transition when it occurs)
- A DFARS clause changes your obligations in a material way (new reporting requirements, new flow-down obligations)
- Your own business changes: new contract vehicles, new subcontractors, new systems handling CUI
The program review should touch your SSP, your gap assessment, and your POA&M. It doesn't need to be a months-long project, but it needs to be a real review against current requirements, not a quick read-and-dismiss.
What Your Assessor Expects
During a CMMC assessment, your C3PAO assessor is evaluating your continuous monitoring and improvement process as much as your current control posture. CA.L2-3.12.3 requires ongoing monitoring of security controls, which includes staying current with the requirements those controls address.
Assessors will ask: how do you stay current with changes to DoD cybersecurity requirements? How do you ensure your SSP reflects current CMMC guidance? If the answer is "I read through things before this assessment," you have a gap. If the answer is "Our ISSO reviews the Federal Register for DFARS updates quarterly, we track the DoD CIO assessment guide and Cyber AB CAP releases, and we log regulatory changes in our SSP governance process," you've demonstrated a real program.
Staying current with defense cybersecurity regulations isn't a research task. It's an operational process that someone owns, runs on a schedule, and documents.