The FY 2026 National Defense Authorization Act includes Section 866 directing the Secretary of War, in coordination with each military department's CIO, to "harmonize the cybersecurity requirements applicable to the defense industrial base" by June 1, 2026 — and produce a report to Congress on actions taken. Coverage from King & Spalding, Miller & Chevalier, and GovWin IQ.

Why Section 866 matters

Defense contractors today face overlapping cybersecurity requirements: NIST SP 800-171, DFARS 7012, CMMC, sector-specific guidance, contract-specific clauses. Each adds compliance overhead. Section 866 demands consolidation — fewer unique requirements per contract, more uniform baselines.

Other relevant FY26 NDAA cyber/supply-chain sections

  • Section 863 — Incentivizes supply-chain transparency tools (rewards for adopters)
  • Section 869 — Speeds qualification of alternate suppliers (opens market for smaller manufacturers)
  • Sections 834, 835 — Strategies to end reliance on adversary-nation sources for optical glass and computer displays (target Jan 1, 2030)

What harmonization could mean in practice

Likely outcomes between June 2026 and 2027:

  • DFARS clauses simplified/consolidated
  • Single CMMC framework as the cybersecurity baseline
  • Prime-contractor flowdowns reduced via standard subcontract templates
  • One unified contractor-attestation form replacing many specific certifications

What to do

  • Track DoW's June 1, 2026 report — it'll define the consolidation framework for years
  • If you've been investing heavily in CMMC compliance, harmonization likely strengthens that investment rather than weakening it
  • The Section 863 incentive structure is forthcoming; supply-chain transparency tooling is the area to focus on

Sources