Updated May 8, 2026 — Two material developments since this briefing first published:
(1) GAO Report 26-107861 (April 27, 2026) documented 815 security violations across 4,600+ DCSA cleared-contractor security reviews in FY2025, plus 1,032 open security vulnerabilities. Distribution: data spills ~60%, improper storage 11.5%, unauthorized access 6.5%, physical losses 6.3%, improper transfers 5.6%. DCSA’s review capacity covers only 25-30% of the cleared industrial base in any fiscal year, and industrial security funding has remained “relatively flat” while personnel-vetting funding increased. Real annual industry violation count, extrapolated, is probably 2,500-3,300. Our DCSA 815 violations analysis walks through each category and the architectural patterns that prevent them.
(2) L3Harris insider-threat case (May 8, 2026) — Peter Williams, formerly head of L3Harris’s offensive cyber tooling division, ordered to pay $10M restitution for stealing surveillance and hacking tools and selling them for $1.3M to a Russian broker. Reinforces the personnel-security control family (NIST 800-171 3.9) as a real risk vector for cleared and CUI-handling contractors, not just a paper requirement.
Neither development changes the strategic conclusions below — but both are evidence that the policy direction (more enforcement, more visibility on contractor failures) is producing observable consequences month-over-month, not just at policy-cycle inflection points.
The first half of 2026 has been the most consequential compliance-landscape period since the original DFARS 252.204-7012 rollout in 2017. Multiple large-scale regulatory shifts have landed in a narrow window: a new CMMC enforcement posture, a rewrite of the DFARS clauses that underpin CUI handling, a step-change in DoD cloud-provider requirements, the first major SCIF standard overhaul in fifteen years, an accelerating DOJ enforcement program with the first defense-subcontractor False Claims Act settlement, and the quiet staging of the NIST 800-171 Rev 3 transition.
This briefing is a practitioner’s view of what changed, what it means for each buyer profile (defense subcontractor, cloud SaaS, classified-work contractor, commercial vendor with federal exposure), and what to prioritize over the next two quarters. The article is built from primary rulemaking review, DoD and Cyber AB communications, and pattern-recognition across engagements we’ve run this year.
A single-sentence TL;DR for each reader:
- Defense subcontractors: Phase 2 is in November and you’re almost certainly not ready.
- Cloud SaaS: FedRAMP 20x is finally real, IL5 just got 40% harder, and IL6 now has government pentest rights.
- Classified-work contractors: ICD 705 2025 requires most SCIFs to be rebuilt or significantly remediated.
- Commercial SaaS with federal exposure: ISO 27001:2013 is dead, GSA added CUI requirements for civilian contractors, and DOJ is actively pursuing false SPRS scores under the FCA.
The rest of the article unpacks each, with citations to primary sources where useful.
1. CMMC Phase 2 — November 10, 2026
The single most important date in DoD compliance this year. On November 10, 2026, CMMC Phase 2 activates: contracting officers will require C3PAO-assessed Level 2 certification by default for contracts involving CUI. Self-assessment ceases to satisfy the DFARS 252.204-7021 obligation for the majority of subcontractors handling CUI.
The capacity math is the alarming part. DoD estimates 76,000+ organizations need Level 2 certification to continue serving defense primes. As of February 2026, fewer than 1,100 had completed it — roughly 8% readiness against a deadline now under six months out. C3PAO assessor capacity is the binding constraint. Our CMMC Level 2 timeline article lays out what a realistic engagement looks like month-by-month.
Phase 3 (November 10, 2027) extends the mandate to option exercises on existing contracts — there is no grandfathering for contracts awarded before Phase 2 if they contain option years extending past November 2027. Subcontractors who plan to ride existing contracts through 2027 without certifying need to re-check their option-year structure; most will need Level 2 before 2027’s option exercise.
What to prioritize: If you are a defense subcontractor and have not started a CMMC engagement as of Q2 2026, the realistic options shrink fast. Our typical firm-led engagement runs six to nine months; kickoffs in May or June 2026 are the last that reliably land certification before Phase 2 activates on November 10. A platform-led engagement compresses to three to five months but requires mature existing 800-171 posture. Pushing beyond August 2026 without acknowledging you’ll miss the Phase 2 window is strategic denial. The CMMC self-assessment vs C3PAO piece explains which profile can ride self-assessment longer.
2. DOJ False Claims Act enforcement — the cybersecurity wave is real
The DOJ Cyber Fraud Initiative announced in 2021 is no longer theoretical. 2025 data:
- Seven DOJ cyber fraud settlements in 2025 — a 156% year-over-year increase in cybersecurity-related FCA cases
- $875,000 — a major university research institution settled in September 2025 for submitting a false SPRS score and failing to install anti-malware tools on CUI-handling lab systems
- $421,000 — an Illinois precision machining subcontractor settled in December 2025, the first FCA settlement targeting a subcontractor rather than a prime
- First acquirer-liability case — a company held liable for pre-acquisition cyber violations by a target it had acquired
The pattern to notice: FCA liability attaches to the certification, not the incident. You don’t need a breach to be actionable. An SPRS score self-asserted at 110 that an assessor would score at 87 is, in DOJ’s reading, a false claim to the government — prosecutable under 31 U.S.C. §§ 3729-3733 even if no data was exfiltrated.
This creates a specific asymmetric risk for subcontractors who told their prime “we’re fully compliant” to win the subcontract and aren’t. The whistleblower incentive (qui tam provisions pay up to 30% of recovery to the relator) creates disgruntled-employee risk that subcontractors historically didn’t have to model.
What to prioritize: Audit your SPRS score against a pre-engagement gap assessment. If the reported score is more than 5-10 points above what an honest third-party assessment would produce, the subcontract is both a contract performance risk and a potential FCA exposure. Remediating before the prime asks is cheaper than remediating after DOJ asks.
3. DFARS clause renumbering — the February 1, 2026 Revolutionary FAR Overhaul
On February 1, 2026, DoD issued a class deviation restructuring the DFARS cybersecurity clauses as part of the broader Revolutionary FAR Overhaul — the first comprehensive federal acquisition regulation rewrite in 40+ years.
The material changes:
- DFARS 252.204-7019 is deleted. The old self-assessment/SPRS-upload obligation is eliminated because contractors now fulfill the assessment obligation through DFARS 252.204-7021 (CMMC).
- DFARS 252.204-7020 is renumbered to 252.240-7997. Same substantive obligation (NIST 800-171 assessment + Medium assessor coverage), new citation.
- DFARS 252.204-7012 and 252.204-7021 are unchanged. Incident reporting (72-hour rule), cloud computing, and CMMC flowdown obligations remain in full force.
The strategic implication: CMMC is now the assessment regime for CUI. The parallel 7019/7020 track that existed alongside CMMC during 2023-2025 is gone. Any subcontractor whose compliance strategy was “hit the SPRS score via 7019 self-assessment and postpone CMMC” needs to re-read the flowdown in their subcontract — most are now obligated through 7021.
Our DFARS 252.204-7012 incident-reporting article was updated this month to reflect the clause restructuring.
4. NIST 800-171 Rev 3 — DoD is staging the transition
NIST 800-171 Rev 3 was published in 2024. DoD has not yet transitioned CMMC Level 2 from Rev 2 to Rev 3 formally — the current 110-practice baseline is still Rev 2. But in May 2025, DoD published Organization-Defined Parameters for Rev 3, specifying values for Rev 3’s 88 ODP placeholders.
The DoD isn’t publishing ODPs for fun. Publishing the parameters before formal rulemaking is the clearest possible signal that Rev 3 transition is coming — probably on a 2028-2030 timeline, and Tier-1 primes are starting to ask subs about Rev 3 readiness in pre-award evaluations even where Rev 2 remains the contractual baseline. Our prime evaluation article covers how this shows up in practice.
Rev 3 structural changes worth knowing:
- Three new control families: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) — alignment with NIST 800-53 Rev 5
- 88 Organization-Defined Parameters allowing organizations to specify implementation details
- Tighter language on several existing controls (access control, audit, configuration management)
What to prioritize: Don’t redesign your control environment for Rev 3 yet — the rulemaking isn’t there, and Rev 2 is what C3PAOs will assess against through at least 2027. But do track the Rev 3 / Rev 2 delta for your own environment so when Rev 3 becomes formal, you’re not rediscovering it under deadline.
5. DoD Cloud Computing SRG v1r3 — IL5 just got 40% harder
On July 2, 2025, DISA published CSP SRG v1r3, the most consequential update to the DoD Cloud Computing Security Requirements Guide in years.
The headline change: Impact Level 5 Cloud Service Offerings must now implement National Security Systems controls from CNSSI 1253 — approximately 170 additional controls layered on top of FedRAMP High baseline. That’s a ~40% increase in control count from the prior IL5 baseline. The SRG also completes the transition from NIST 800-53 Rev 4 to Rev 5 across all impact levels (aligning with CNSSP-32 national-security-system requirements).
For Impact Level 6, the DoD added language granting government the right to perform internal and external penetration testing on CSP IL6 hosting environments. This is new — prior guidance allowed government-led assessments but did not explicitly grant offensive-testing rights on production environments.
The consequence for cloud service providers: the IL5 and IL6 assessment scope just increased materially. CSPs currently authorized at IL5 under the pre-v1r3 baseline face additional control implementations at their next authorization renewal or reassessment. CSPs pursuing a fresh IL5 authorization in 2026 should plan for a longer and costlier assessment than 2024 industry averages suggest.
Our IL5 controls that burn CSPs article has been updated with the v1r3 delta — worth re-reading if IL5 is on your roadmap. For broader context on the IL4→IL5→IL6 upgrade path, the upgrade path article covers sequencing.
6. ICD 705 2025 overhaul — the first major SCIF standard update since 2010
This update has received less coverage than it should. Intelligence Community Directive 705 — the standard governing SCIF and SAPF construction, TEMPEST protection, and accreditation — received its first major overhaul since 2010 in the 2025 update.
Material changes:
- Minimum RF attenuation is now typically 60 dB on SCIF walls, ceilings, floors, and doors, structurally integrated rather than surface-applied. Most existing SCIFs were built to 45-50 dB.
- Enhanced TEMPEST countermeasures — including updated zoning requirements for emanation security.
- Tightened acoustic controls — intelligibility testing protocols and STC-rating minimums have moved up.
- Accreditation posture shift — AOs and DSS expect earlier documentation at project initiation, design development, and preconstruction review. Late-stage compliance discovery is being flagged as higher risk.
The practical consequence is blunt: most existing SCIFs are now architecturally non-compliant with the updated technical specifications. Organizations with aging SCIFs need to plan for either significant renovation or new construction on a 4-5 year horizon. Organizations starting the accreditation process in 2026 have more flexibility than those who wait — accrediting authorities are still absorbing the updated standard and early applicants benefit from engagement bandwidth that will compress as 2028+ demand builds.
Our SCIF/SAPF accreditation playbook has been updated with the 2025 ICD 705 changes. The SCIF vs SAPF differences article still holds but picked up a 2025-update callout. For venture-backed defense startups, the first SCIF article incorporates the updated RF and acoustic requirements.
7. FedRAMP 20x — Phase 2 wrapped, Phase 3 active
FedRAMP 20x is GSA’s long-promised modernization of the FedRAMP authorization program. Phase 2 wrapped on March 31, 2026 with the targeted ~10 FedRAMP Moderate pilot authorizations completed. Phase 3 (FY26 H2) is now active, expanding 20x to broader adoption for Low and Moderate CSPs.
The structural difference: Key Security Indicators (KSIs). Instead of manual 3PAO attestation against every control, 20x defines machine-verifiable indicators (e.g., “data encrypted at rest with FIPS 140-validated algorithms”) that CSP environments can demonstrate automatically. The goal is faster, cheaper authorizations with less manual review overhead.
Phase 4 (FY27 H1) pilots FedRAMP High. DoD Cloud Computing SRG paths (IL4/IL5/IL6) are not yet in scope for 20x, though the underlying KSI automation direction foreshadows where those assessments will eventually move.
What to prioritize: If FedRAMP Moderate is on your 2026 roadmap, evaluate 20x against the traditional path. Pilot authorizations completed so far are running meaningfully faster than 2024 industry averages. The trade-off: 20x requires more automation tooling and instrumentation than a traditional 3PAO-driven path, so the time savings come with upfront engineering investment.
Our FedRAMP Moderate realistic timeline article still reflects the traditional path. A FedRAMP 20x-specific piece is in the queue.
8. ISO 27001:2013 — the deadline passed (October 31, 2025)
This is old news but the implications are still live. The international transition deadline from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 passed on October 31, 2025. Every active ISO 27001 certification is now the 2022 edition. Any organization still operating on a 2013-era certificate has an invalid certificate — not a deprecated one, not a grace-period one, an invalid one.
If you missed the transition, the path back is a full Stage 1 / Stage 2 audit against the 2022 standard with a new certification body. No shortcut. Transition-audit pathways are no longer available from accredited certification bodies under IAF rules.
For organizations currently holding a valid 2022 certificate, the focus shifts to the four new Annex A themes (organizational, people, physical, technological) and the 11 new Annex A controls introduced in the 2022 edition. Our ISO 27001:2013 to 2022 transition article has been updated with the post-deadline status.
9. GSA CUI requirements for civilian contractors — the parallel track
In March 2026, GSA published new Controlled Unclassified Information security requirements for federal civilian contractors. The practical effect: a CMMC-like regime is beginning to emerge for civilian agency contracts, parallel to DoD’s CMMC.
The GSA requirements draw from NIST 800-171 (same baseline as CMMC Level 2), with GSA-specific implementation parameters. Civilian-agency contractors handling CUI should expect a formalized assessment and attestation regime within 2-3 years, following a similar pattern to CMMC’s 2019-2026 rollout.
For cloud SaaS vendors whose addressable market includes both DoD and civilian agencies, the strategic implication is that NIST 800-171 compliance is becoming the default federal CUI baseline, not just a DoD obligation. Building toward it once and serving both markets is more efficient than the bifurcated posture most vendors currently run.
10. DoD Zero Trust — Target Level deadline September 30, 2027
The DoD Zero Trust Strategy, published in 2022, set a target-level capability deadline of September 30, 2027. The strategy identifies 91 Target Level capability outcomes that DoD components — and Defense Industrial Base partners serving DoD — must demonstrate by the FY27 deadline. Another 61 Advanced Level capabilities extend to a 2032 target.
Pentagon officials continue to publicly affirm the 2027 target, but the practical path is ambitious: 91 distinct capability outcomes across seven pillars (User, Device, Application, Data, Network, Automation, Visibility). A Zero Trust Strategy 2.0 update is expected from the Pentagon in early-to-mid 2026.
For defense contractors, the enforcement mechanism matters: organizations that miss Target Level by September 30, 2027 face contract ineligibility — not award withdrawal of existing contracts, but inability to receive new awards, exercise options, or extend contract periods of performance. Primes are increasingly flowing down Zero Trust readiness requirements into subcontracts ahead of the deadline.
The Zero Trust overlay intersects with CMMC — several CMMC Level 2 practices map to Zero Trust pillars, but the Zero Trust Target Level demands more than CMMC Level 2 requires. Defense contractors pursuing CMMC Level 2 certification in 2026 should design with Zero Trust Target Level in mind to avoid a second, larger remediation in 2027.
What this means for the next two quarters
Synthesizing across the ten changes above, four operating priorities fall out for compliance-affected organizations this year:
Priority 1: Defense subcontractors should close their CMMC engagement gap this quarter or accept Phase 2 exposure. Starting a 6-9 month firm-led engagement in May or June 2026 still reliably lands certification before the November 10 cliff. Starting in July or later requires compressed timelines that reduce score quality and increase assessment risk.
Priority 2: Cloud SaaS on an IL5 path should re-scope assessment work for the v1r3 delta. Approximately 170 additional controls layered on top of FedRAMP High is not marginal. Budget and timeline adjustments at next renewal are unavoidable for organizations holding authorizations issued before July 2025.
Priority 3: Organizations with SCIFs older than 2015 should commission a gap assessment against the 2025 ICD 705 update. Most will need renovation or replacement on a 4-5 year horizon. Early engagement with accrediting authorities produces better outcomes than late-stage remediation.
Priority 4: False Claims Act exposure on SPRS scores is a board-level risk, not a compliance-team housekeeping item. Any organization where the gap between reported and assessable SPRS score exceeds ten points should treat it as an active legal exposure.
For most organizations, the right operating response is not one engagement but a coordinated compliance posture review across the dimensions that changed: CMMC readiness, SPRS-score accuracy, cloud-assessment scope, SCIF architectural status, and Zero Trust Target Level gap. Running these in isolation produces duplicative work and misses the dependencies between them.
If you want an outside read on where your specific situation sits across these changes, book a 30-minute scoping call. If we can give you the view in thirty minutes without an engagement, we will. If the situation warrants an engagement, we’ll scope it honestly against a realistic timeline.
Related reading:
- CMMC Level 2 real cost breakdown — engagement, tooling, C3PAO, and year-2 costs with specific ranges
- How primes evaluate CMMC-certified subs — SPRS thresholds, SSP review, POA&M scrutiny, audit rights
- Why 30-day compliance claims are misleading — the positioning article this briefing complements
- DFARS 7012 incident reporting gap — updated for the February 2026 clause restructuring
- FedRAMP Moderate realistic timeline — traditional path; 20x-specific piece in the pipeline
- IL5 assessment controls that burn CSPs first — updated for CSP SRG v1r3
- SCIF/SAPF accreditation playbook — updated for 2025 ICD 705
This briefing is written as a reference document that Fortinetics will refresh quarterly. Next update: Q3 2026, reflecting Phase 2 activation evidence, FedRAMP 20x Phase 3 adoption, and the Pentagon’s Zero Trust Strategy 2.0 release.