TL;DR: Section 1513 of the FY 2026 National Defense Authorization Act requires the DoD to deliver a plan for an AI Security Framework to Congress by June 16, 2026, per Crowell & Moring's analysis and the Government Contracts Legal Forum brief. The framework will sit alongside CMMC (it is being called "CMMC for AI" in industry shorthand) and will draw on the NIST SP 800 series to cover workforce, supply chain, adversarial tampering, and security monitoring for "covered AI/ML" used by DoD contractors. For NC defense contractors and manufacturers, this is the next compliance wave after CMMC Phase 2 in November 2026. The June 16 report will define the direction and implementation pace; the smart NC contractor move is to start the AI inventory, AI vendor diligence, and AI usage policy now so the eventual rule is an extension of existing posture, not a separate program.
Key takeaway: The DoD's June 16, 2026 AI Security Framework report to Congress sets the trajectory of "CMMC for AI." NC defense contractors that start their AI inventory and governance this quarter will absorb the eventual rule as a routine update, not a fire drill.
Need an NC partner who already runs CMMC programs for defense contractors and adds AI governance on top? Preferred Data Corporation has supported NC manufacturers for over 37 years. Call (336) 886-3282 or request a CMMC + AI readiness assessment.
What does NDAA Section 1513 actually require?
Per Crowell & Moring's January 2026 client alert and the parallel Government Contracts Legal Forum analysis, Section 1513 of the FY 2026 NDAA directs the Department of Defense to:
- Establish an AI Security Framework that augments the Cybersecurity Maturity Model Certification (CMMC) program and draws on NIST SP 800 series cybersecurity requirements.
- Cover workforce risks, supply chain risks, adversarial tampering, and security monitoring as applied to AI/ML systems used in DoD contracts.
- Apply to "covered entities," defined as entities entering into contracts or agreements with the DoD for the development, deployment, storage, or hosting of covered AI/ML.
- Deliver a plan to Congress by June 16, 2026, including implementation timelines, milestones, and resource requirements.
The text does not yet set the final compliance deadline. That will come from the implementation plan. But the trajectory is clear: AI security is being formalized into the defense contracting cybersecurity stack alongside CMMC, not as a substitute for it.
Why should NC defense contractors care about a "DoD report to Congress" right now?
Three reasons.
- The report defines the runway. Per Akin's analysis of Congressional AI measures in defense legislation, the June 16 report will publish DoD's implementation timeline. Once that timeline is public, every prime and sub-prime contract amendment that follows will flow toward it. NC subcontractors that start inventory and governance after the timeline is published are already behind.
- CMMC Phase 2 is already set for November 10, 2026. Per the CMMC C3PAO five-month countdown analysis, Level 2 certification becomes a mandatory contract award condition this November. Stacking AI Security Framework readiness on top of an already-stressed CMMC program is best done with deliberate sequencing, not panic.
- NC has a high concentration of defense subcontractors and manufacturers. Per the NC State Industry Extension Services defense directory, the Piedmont Triad, Charlotte, and Raleigh-Durham areas are home to hundreds of defense subs. A trajectory change in DoD cybersecurity policy is a trajectory change for the NC industrial base.
What does "covered AI/ML" likely include for an NC subcontractor?
Per Crowell & Moring and Freshfields' analysis of AI supply chain mandates, the term "covered AI/ML" is expected to include AI systems used in or supporting:
- Direct deliverables to DoD (e.g., an AI model embedded in a system being sold to DoD).
- Operations supporting DoD work (e.g., AI-assisted engineering tools used to design a controlled part).
- Storage or hosting of DoD AI systems (e.g., cloud hosting of a DoD model).
- Development of AI systems intended for DoD use (e.g., a contractor training a model with CUI inputs).
For an NC small precision-machining subcontractor that uses an off-the-shelf AI vendor for proposal generation or shop floor optimization, this likely creates a vendor diligence and usage policy obligation, not a model-development one. For an NC engineering firm building AI capabilities into a deliverable, the obligation is materially heavier.
The point is not to predict the exact scope. The point is that the inventory of AI tools touching defense work, the vendor inventory underneath them, and the data classifications flowing through them are the foundation for any version of the eventual rule.
What is the right NC defense contractor AI readiness plan for 2026?
A defensible 2026 AI readiness plan for an NC defense subcontractor has six steps. None require enterprise budget. All can be started before the June 16 report drops.
| Step | What to do | Why it matters |
|---|---|---|
| 1. AI tool inventory | List every AI tool in use in the org including embedded features (Copilot, Gemini, Salesforce Einstein, etc.) | The foundation of any AI compliance posture |
| 2. AI vendor diligence | For each tool, record vendor, hosting region, training data posture, model provenance, and FedRAMP status | Pre-empts the supply chain requirements |
| 3. Data classification mapping | Identify what data each AI tool processes; flag any FCI/CUI exposure | Critical for any covered AI/ML scoping |
| 4. Acceptable use policy | Document approved uses, prohibited uses, and human-in-the-loop rules | Required under most AI governance frameworks |
| 5. Monitoring and logging | Capture which users use which AI tools on which data; alert on prohibited use | Aligns with NIST SP 800 monitoring expectations |
| 6. Sub-tier flow-down | If you use subcontractors that use AI, add AI inventory and policy requirements to their flow-down | DoD has flagged AI supply chain as a focus area |
The full program is achievable in 60 to 120 days for a typical NC sub in the 25-to-300-employee band. Done well, it converts the eventual AI Security Framework into a routine attestation rather than a new program.
How does this stack on top of CMMC Phase 2 in November 2026?
Per the CMMC Phase 2 NC defense contractor briefs, November 10, 2026 is the inflection point where C3PAO Level 2 certifications become a mandatory contract award condition. The AI Security Framework is not part of that deadline. It is the next wave behind it.
Practical sequencing for an NC sub:
- Now through November 2026: Complete CMMC Level 2 readiness, gap remediation, and C3PAO assessment scheduling. In parallel, begin AI inventory and vendor diligence (steps 1-2 above).
- November 2026 through Q1 2027: Maintain CMMC Level 2 posture. In parallel, complete data classification mapping and acceptable use policy (steps 3-4 above).
- Q2 2027 and beyond: Operationalize monitoring, logging, and sub-tier flow-down (steps 5-6 above) as the DoD AI Security Framework rule materializes.
The sequencing is deliberate. CMMC Level 2 evidence supports much of what the AI framework will require (NIST SP 800-171 controls already address access control, audit, and supply chain in part). Building AI governance on the CMMC foundation is materially cheaper than running them as parallel programs.
What about the OSiBeyond and Elevate Consult takes on "CMMC AI upgrade"?
The shorthand "CMMC AI upgrade" comes from defense-industry analysis houses including OSiBeyond's CMMC AI brief and Elevate Consult's prep guide. Both emphasize that the framework is being designed to complement, not replace, CMMC, and that the practical foundation is the same: NIST SP 800-171 plus NIST AI RMF (AI Risk Management Framework).
For an NC sub, that translates to: if you are already aligning to NIST 800-171 for CMMC Level 2, the marginal lift to align to NIST AI RMF is modest. If you are not yet at NIST 800-171, the AI framework lift is on top of, not instead of, the CMMC lift.
How does Preferred Data Corporation help NC defense subs prepare?
PDC supports NC defense contractors with a stacked program that covers both CMMC and the emerging AI Security Framework:
- Managed IT services with NIST SP 800-171 alignment, documented patch SLA, asset inventory, and AI tool inventory as a standing program.
- Managed cybersecurity with 24/7 SOC, identity attack detection, EDR/MDR, and AI-related monitoring built on the same telemetry that CMMC Level 2 requires.
- AI transformation services with AI vendor diligence, acceptable use policy, NIST AI RMF alignment, and integration into the existing CMMC governance program.
- CMMC compliance support with gap assessment, remediation, and C3PAO assessment preparation for Level 2 NC contractors.
PDC has supported NC manufacturers, distributors, and defense subcontractors for over 37 years from High Point, with on-site coverage within 200 miles. The combination of regulated-industry experience, manufacturing operations depth, and modern AI/security tooling is what gets NC subs through both the November 2026 CMMC deadline and the AI Security Framework that follows.
Frequently Asked Questions
What exactly is due on June 16, 2026?
Per Crowell & Moring's analysis, the DoD is required to deliver a plan to Congress for the AI Security Framework, including implementation timelines, milestones, and resource requirements, by June 16, 2026. The framework itself is not the deliverable on that date. The plan that will produce the framework is the deliverable.
When will compliance actually be required?
The exact compliance dates have not been set. They will be defined in the implementation plan delivered to Congress. Per Akin's legislative analysis, industry expectations are that initial requirements will flow into FY 2027 contracts, with full enforcement following the same multi-phase model as CMMC. NC defense contractors should plan for first-wave AI-related contract clauses starting late 2026 or 2027.
Does this replace CMMC?
No. Per Crowell & Moring, the AI Security Framework augments CMMC. NC defense subcontractors still need to achieve CMMC Level 2 certification ahead of the November 10, 2026 Phase 2 inflection. The AI framework will be additive.
Will small NC subcontractors really be in scope?
If a small NC sub uses any AI tool in support of DoD work, including off-the-shelf AI in proposal writing, engineering, or shop floor optimization, scope is likely. Per Freshfields' analysis of AI supply chain mandates, the eventual rule is expected to include flow-down obligations, so primes will push some level of AI vendor diligence and acceptable use policy onto subs as a contractual requirement well before the rule is finalized.
Do we need a NIST AI RMF program right now?
You do not need a fully implemented NIST AI Risk Management Framework program today, but starting an AI inventory, AI vendor diligence, and acceptable use policy in 2026 is the lowest-friction path to AI Security Framework readiness. NIST AI RMF is the most likely de facto baseline the DoD framework will lean on.
Where do we start if we want PDC to help us?
Call (336) 886-3282 or request a CMMC + AI readiness assessment. The first call is a 60-minute scoping discussion covering current CMMC posture, AI tool usage, vendor inventory, and contract pipeline. You walk away with a written sequencing plan whether you engage PDC for the execution or not.