By Matthew Ferraro, Kate Growley, Michael G. Gruden, CIPP/G, Jacob Canter, Jacob Harrison, and Vanessa A. Perumal

In an important first, the National Defense Authorization Act (NDAA) for Fiscal Year 2026, the yearly defense policy law, directs the Department of Defense (DoD) to develop and implement a framework addressing the cybersecurity and physical security of artificial intelligence and machine learning technologies (AI/ML) acquired by the Pentagon.

The NDAA (at Section 1513) also directs the DoD to incorporate this framework, once developed, into the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) program, so that contractors developing, deploying, storing, or hosting AI/ML for DoD must comply with it. CMMC, a unified assessment model for defense contractors handling certain categories of regulated data, was finalized in the autumn of 2025 and is expected to apply across the entire defense industrial base.

Given the size and scope of DoD procurement, these contracting provisions will have a significant impact on the development of cybersecurity standards for AI/ML in the general market and may help establish de facto industry standards that extend beyond the national security sector.

AI/ML Security Framework:

  • The DoD framework will be designed to address AI/ML-specific security risks, including supply chain vulnerabilities, such as data poisoning (e.g., when attackers contaminate the datasets on which ML models train so that the model misclassifies inputs, generates biased output, or carries hidden backdoors), adversarial tampering (e.g., when attackers deliberately compromise hardware, software, data, or processes), and unintentional data exposure (e.g., when sensitive data is accidentally disclosed through mistakes in configuration, handling, access controls, or processes).
  • The framework will be informed by established cybersecurity standards, including the NIST Special Publication 800 series, which comprises guidelines, recommendations, technical specifications, and annual reports on NIST’s cybersecurity activities.
  • The framework must be implemented as “an extension or augmentation” of existing DoD cybersecurity frameworks, including CMMC.
  • The framework will focus on highly capable AI systems that may be of highest interest to cyber threat actors, applying stringent security requirements that align with protections for national security systems.
  • The framework will apply to “covered” AI/ML, defined as AI/ML acquired by DoD and all associated components, including source code, model weights, and the methods, algorithms, data, and software used to develop the AI/ML.

DFARS Security Requirements for Contractors:

  • The DFARS will be amended to mandate that DoD contractors implement the framework’s best practices.
  • The framework will guide the specific security measures that contractors must adopt, ensuring they are tailored to the particular AI/ML technologies and tasks that they handle.
  • In creating new DFARS regulations, the DoD must conduct a cost-benefit exercise weighing the benefits of imposing new security requirements against the costs of slowing down AI/ML development and deployment.
  • The security requirements will apply to “covered entit[ies],” defined as entities entering into contracts or agreements with the DoD for the development, deployment, storage, or hosting of covered AI/ML.

Section 1513 does not set an implementation deadline for the framework or the security requirements, but it instructs the DoD to create a plan establishing implementation timelines and milestones and to provide a status update to Congress by June 16, 2026. Notably, CMMC began with a provision in the FY2020 NDAA and took years to finalize, only recently coming into effect. Despite that slow burn, many contractors found themselves unprepared for CMMC’s roll-out. To avoid similar challenges here, contractors that develop, deploy, store, or host AI/ML for DoD should closely monitor the establishment and implementation of these requirements.

Matthew Ferraro

Matthew F. Ferraro is a partner in Crowell & Moring’s Privacy and Cybersecurity Group, where he helps clients address complex regulatory matters at the intersection of advanced technology, national security, and crisis management. He advises leading organizations on high-impact matters related to artificial intelligence (AI) and other emerging technologies, cyberattacks, domestic and international privacy compliance, internal investigations, foreign direct investment reviews, and high-stakes crises.

Before joining the firm, Matthew served as the Senior Counselor for Cybersecurity and Emerging Technology to the Secretary of Homeland Security. As a principal advisor to the Secretary and a member of the U.S. Department of Homeland Security’s leadership team, he served at the heart of U.S. government policymaking around AI and cybersecurity. He assisted in the development and drafting of key AI, cyber, and technology policies and regulations; advised on the deployment of AI to fulfill the department’s missions; and counseled on cyber-incident responses and investigations. Matthew also helped establish and served as the Executive Director of the Artificial Intelligence Safety and Security Board, a flagship public-private advisory committee focused on AI’s use in critical infrastructure and chaired by the Secretary and composed of industry, nonprofit, and government luminaries.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Jacob Canter

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent, as well as general complex commercial matters.

Jacob graduated from the University of California, Berkeley School of Law in 2018, where he launched Berkeley’s election law outreach program and pro bono project. He joins the firm after a year of practice at an international law firm in Washington, D.C., and a year clerking in the Southern District of New York for the Hon. Lorna G. Schofield. During the clerkship, Jacob was exposed to and provided support on a variety of complex substantive and procedural legal topics, including trade secrets, insurance/reinsurance, contracts, class actions, privacy, intellectual property, and arbitrability.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.