Hi folks!
I manage contracts for a NASA contractor and have been keeping an eye on CMMC developments over the last few years. With the final rule now in effect for DoD contractors, I can’t help but wonder when—or if—we’ll see similar requirements creeping into regulations for non-DoD agencies, especially those funded through the NDAA.
In my experience, once requirements like these are established, it’s not long before civilian agencies start adopting them, either directly or with their own variations. I've heard talk of a potential FAR rule that could mandate cybersecurity standards for contractors handling Controlled Unclassified Information (CUI) across all federal agencies.
I’m curious—how do you think these requirements might make their way to non-DoD contractors? Do you think it’ll happen through FAR updates, agency-specific clauses, or something else entirely? Are there any signals that civilian agencies like NASA, DOE, or others are already moving in this direction?
Looking forward to hearing your perspectives and insights!