DoD rule talk at NSAC

Speakers at an NSAC event flagged how the Pentagon’s CMMC rules can create revenue risk for contractors, a theme Rick Olivier, Director of Cybersecurity Advisory Sales at Eide Bailly, spoke about in public remarks. (x.com) Bridgeworks, alongside the panel, pushed proactive, defense-first measures as the recommended commercial response, not just compliance checklists. (x.com)

Pentagon cybersecurity rules are now moving from policy talk into contract language, and cooperatives that sell into defense supply chains are being told the revenue risk is immediate. (nsacoop.org) The National Society of Accountants for Cooperatives scheduled an April 22, 2026 Zoom session on the Cybersecurity Maturity Model Certification, with Rick Olivier of Eide Bailly presenting a “non-technical overview” of how the rule affects Department of Defense eligibility, cost, risk, and operations. (nsacoop.org) The National Society of Accountants for Cooperatives says the rule “directly affects an organization’s ability to win and retain” Defense Department work, which turns cybersecurity from an information-technology project into a bid requirement. (nsacoop.org)

The Department of Defense began Phase 1 of Cybersecurity Maturity Model Certification implementation on November 10, 2025, and says that phase runs through November 9, 2026 with a focus on Level 1 and Level 2 self-assessments. (dodcio.defense.gov) The rule is being added through the Defense Federal Acquisition Regulation Supplement, the contract rulebook the Pentagon uses to buy goods and services, and the department says the rollout will take three years before the requirements apply across covered contracts. (business.defense.gov)

In plain terms, Cybersecurity Maturity Model Certification is the Pentagon’s check that a contractor can protect federal contract information and controlled unclassified information on its own systems before award. (federalregister.gov) The current framework has three levels. The Defense Logistics Agency says Level 1 and some Level 2 work can be handled through self-assessments, while other Level 2 work requires a certified third-party assessment organization and Level 3 requires a Defense Industrial Base Cyber Assessment Center review. (dla.mil) Acquisition.gov says a current Final Level 1 status is valid for one year, while Final Level 2 self and third-party assessment statuses are valid for three years, with annual affirmations of continuous compliance still required. (acquisition.gov)

That timing is why accountants, finance staff, and cooperative managers are now in the conversation. The National Society of Accountants for Cooperatives is pitching the April 22 session to organizations planning for “cost, risk, and operational impacts” now, not after a solicitation arrives. (nsacoop.org)

Defense officials have framed the program as an enforcement layer on top of cybersecurity duties that already existed under earlier contract clauses and National Institute of Standards and Technology Special Publication 800-171. The new piece is that the Pentagon is tying proof of those controls to contract award through Cybersecurity Maturity Model Certification clauses. (business.defense.gov)

The practical message coming out of the cooperative event calendar is narrower than a generic compliance warning: if a contractor or subcontractor touches Defense Department information, missing the required certification level can now block new work and put existing revenue streams at risk. (nsacoop.org)
