On June 17, 2026, Federal News Network reported that the Senate Armed Services Committee has advanced legislation that would set up a grant program for small businesses and nontraditional contractors to cover the costs of Cybersecurity Maturity Model Certification (CMMC) compliance.
The bill would cap the total funding allotted for the CMMC grant program at $50 million. The maximum amount per grant would be $100,000. The Senate Armed Services Committee's bill also includes provisions on insider threat reporting for AI companies and new post-quantum cryptography deadlines.
It's a serious policy acknowledgment: CMMC compliance is expensive, and small defense contractors are struggling with the cost. DoD estimated that the Level Two certification costs for a small business would be a little more than $101,000 — and that's before counting the cost of building the underlying cybersecurity program.
The headline nobody wrote: even if every one of those grants lands, the AI enforcement problem in the defense industrial base stays completely unsolved.
What CMMC Level 2 Actually Certifies
DoD is ramping up CMMC "Level Two" requirements starting this November. Those requirements are expected to apply to tens of thousands of companies. They require contractors handling sensitive Controlled Unclassified Information (CUI) to have their data security practices evaluated by a CMMC Third-party Assessment Organization, or C3PAO.
The bill would also require that the grant only be used to offset direct costs associated with a CMMC Level Two third-party assessment. That's what these grants fund: paying a C3PAO to come in and evaluate whether a contractor's information systems adequately protect Federal Contract Information and CUI.
A Level 2 assessment validates 110 controls against NIST SP 800-171. A certified contractor has demonstrated that its systems have the right configuration gates in place.
What those 110 controls don't measure: what happens when a cleared employee opens a browser, navigates to a commercial AI tool, and pastes a contract deliverable into the prompt box.
The Gap the Grants Won't Close
A C3PAO assessment is a point-in-time evaluation of system configuration. It happens before contract award. It doesn't run continuously during contract performance. It doesn't have eyes on what employees send to commercial AI platforms day-to-day.
The threat model is simple: a defense prime contractor can have a flawlessly certified CMMC Level 2 environment and still have analysts routinely feeding CUI into ChatGPT, Claude, Gemini, or Copilot. The assessment doesn't catch that. The grant doesn't fund anything that would catch that.
The Senate bill would also establish insider threat reporting requirements for major artificial intelligence companies that do business with the Pentagon. That's a signal Congress understands AI tools are now inside the defense perimeter. What's still missing from the compliance architecture is the enforcement layer between the contractor's workforce and those AI tools — the point of send, before data leaves.
The Regulatory Direction Is Clear
The FY 2026 National Defense Authorization Act included Section 1513, which directs the DoD to develop and implement a framework addressing the cybersecurity and physical security of artificial intelligence and machine learning technologies acquired by the Pentagon. The NDAA at Section 1513 also directs the DoD to incorporate this framework — once developed — into the Defense Federal Acquisition Regulation Supplement and the Cybersecurity Maturity Model Certification program.
Section 1513 does not provide an implementation deadline for the framework or security requirements, but instructs the DoD to create a plan establishing implementation timelines and milestones and to provide a status update to Congress by June 16, 2026.
That deadline just passed. The framework is being built. When it lands in DFARS and CMMC, it will ask contractors to demonstrate controls over AI/ML systems — including the models their employees interact with.
Contractors who wait for the DFARS update to enforce AI session governance will face the same scramble that caught many off guard when CMMC Level 1 landed.
What Enforcement at the AI Layer Looks Like
Real enforcement at this layer doesn't live in the assessment report. It lives at the proxy and browser — the path every AI prompt travels before it reaches the model.
At the point of send, before a contractor's data leaves the perimeter, a governance layer can:
- Classify the content against CUI categories in real time
- Block transmission to unapproved AI endpoints based on policy
- Log the session for audit trail purposes that actual CMMC assessors can review
That's not what CMMC assessments certify today. It's what they will likely require evidence of when the AI security framework from Section 1513 works its way into DFARS. The contractors who implement it now will be able to demonstrate control effectiveness — rather than scrambling to retrofit a posture after the solicitation language changes.
The Senate's CMMC grant proposal is a good-faith acknowledgment that compliance is expensive and small firms need support. A $100,000 grant buys a C3PAO audit. It doesn't buy continuous AI session enforcement. Those are different problems — and only one of them is getting funded.
Containment.AI enforces AI governance at the proxy and browser layer — the point where employees interact with AI tools, before data leaves. Built for defense contractors preparing for CMMC Phase 2 and the coming AI security framework requirements. Learn more.