A
All right, folks, it is October of 2025. The government is shut down and everybody wants to know if that is going to affect CMMC. No, it will not. That's the show. We'll see you next week.
B
Yep. See ya.
A
Actually, actually, the government is still shut down as of this conversation, but that doesn't mean that things aren't happening, especially in the world of your cyber requirements. It just so happens that the FY26 National Defense Authorization Act has passed the Senate and there are some big, big changes coming to how the government evaluates contractor cybersecurity requirements. Don't worry, don't worry. I know you're all worried. CMMC ain't going anywhere. That is not what the FY26 NDAA is doing. Instead, CPARS, the Contractor Performance Assessment Reporting System, is going to be changing in a big way related to cybersecurity. And that's what we're going to talk about today. Daniel, how the heck are you?
B
I'm doing great. It's interesting to see all of these moving pieces, because one of the biggest levels of exposure we're seeing, and Jacob, you and I were on a call today about this, is supply chain risk. Because what's become very evident, at least in the cybersecurity realm of things, maybe not the production side of things, but the cybersecurity adherence and compliance has been lacking across some of the largest primes and even some of the mid tiers. Right. I mean, people just don't know how to truly get their hands around mitigating cybersecurity risk. And once you add CMMC and contractual flow downs there, they're like, wait, wait, but we, like, have to, have to do it this time. It's like, well, you had this requirement in DFARS 7012. Have you just not been doing it the whole time? Like, yeah. And so it's interesting to see, you know, Congress is kind of like, hey, we kind of picked up on a trend here where, like, primes haven't been actually enforcing or flowing down contractual obligations and they've been taking on undue risk on our behalf, quite honestly, because there's mishandling of data downstream. Like, it's interesting, interesting to see this. And it's also interesting to see, like, Rev 3 of NIST 800-171. Right. Because there's a whole supply chain kind of risk element to that now. And so you're balancing kind of different things where it's like, yeah, current CMMC structure, you know, there's not controls that you have to meet, but there's contractual flow down. In the new version of CMMC down the line, when they adopt Rev 3, now there's going to be controls that you have to meet. And now Congress is saying, hey, DoD, we really want you to really, really, really verify that primes are doing this thing and measuring some sort of risk, where historically they've been kind of silent. So, yeah, I'm fascinated by this.
A
If you go far enough back to the FY20 NDAA, which had the Section 1648 specifically put in there by the Senate Armed Services Committee that said create a framework for holding contractors accountable. Back then, the way that they described it and the way that they described CMMC was CMMC is a first step towards securing the supply chain. This is not the end all be all. And now we got another step from our friends at the Senate Armed Services Committee in the FY26 NDAA. We're changing CPARS. But there's some people out there maybe not familiar with CPARS. Typically, CPARS performance evaluations are generally, like, above the simplified acquisition threshold. It can vary. But the basics of CPARS here. What the heck is this? So, yeah, we all went to school, you know, for the most part. So imagine that your teacher in school gives you a report card at the end of the year and it would show how well you did stuff. It would say how well you listened in class and did you turn in your homework and did you play nicely with others. You had academic grades, you had citizenship grades. You know, you had all these evaluation criteria that showed your performance over the year, right? Well, in the grown-up world, when a company does work with the government, the government gives that company a report card as well. The report card is called a CPAR, the Contractor Performance Assessment Report. And the CPAR report lives in the CPAR system. Your CPAR goes in CPARS. So your CPAR report essentially tells how well your company did stuff. Did you do the work on time? Is the work good quality? Did you stay on budget? Were you easy to work with? The government keeps these report cards so that the next time they want to work with this company, the next time that company bids on a contract, they can check the past grades, sometimes called past performance, to see who does a good job or not. Now the thing here is that many times, traditionally, these CPARS evaluations are subjective.
And by the government's own wording, they are not, quote, fact based. They are subjective. Yeah, who needs that, right? There's subjective evaluation of how much they like working with you. And so good past performance indicators are a huge advantage for winning additional government contracting work in the future. And that's getting ready to change, everybody. So this is the Senate version of the NDAA. We got to wait and see what the final version of the NDAA looks like, but boy, oh boy, is this gonna change. That's the basics of CPARS, Daniel. I think I got that mostly right at a very high level.
B
Yeah, I think that's good. I'm curious to see, like, well, if they're unhappy with their loose criteria for good scoring. I'm curious to see if they layer any other clarity around this with what they're submitting as part of the 2026 fiscal. So, yeah, what are they, what are they presenting to us here?
A
Absolutely. So the National Defense Authorization Act for fiscal year 2026 has passed the Senate. Section 8, 7, 6. This thing is like thousands of pages long. Section 876 is called Reform of Contractor Performance Information Requirements. And it says the Secretary of Defense shall revise the DFARS, including CPARS, to modify contractor performance information requirements generally in two ways. First, to establish an objective, fact-based and simplified system for reporting contractor performance information that will do three things. First, focus exclusively on negative events that are verifiable and measurable to reduce subjectivity and inconsistency in evaluation. They want to only focus on negative things that you have done in your performance because they say that that is going to reduce subjectivity. Next, they want to, by doing this, reduce administrative burden on contracting officers by limiting reporting to prior contract failures or poor performance. And then lastly, to ensure the government can identify and avoid contractors with a history of poor performance or bad actions. Boy, oh boy. Is that a different tone than the traditional way of approaching CPARS, where it's like subjective, non fact based. Like, we like you a lot. Yeah, you guys, we're all friends here. They're like, nope, we want to know what you messed up. We want a report of the negative things that you have done as a contractor to reduce subjective, non fact based criteria. Makes it easier on our contracting officers. Makes it easier on us. Because if you're a known bad apple, we don't want to work with you.
B
That's right. Get out of here.
A
So that leads to the natural question, what are the negative, not subjective, the objective criteria here? What are the negative things that they're going to be evaluating people for? Well, it goes on to say that the Secretary of Defense will modify the DFARS and the CPARS to provide the following requirements related to key issues of negative performance. These are the key issues of negative performance. They say that there will be mandatory reporting. Contracting officers shall report the following eight negative performance events based on verifiable data or objective evaluations. And the three that we are concerned about today. First, significant cybersecurity breaches or failures. Failure to meet cybersecurity requirements or significant breaches caused by contractor negligence as verified by government assessments and incident reports. Oh, you got your attention yet, everybody? These are the same people who came up with the part of the FY20 NDAA that led to CMMC. And now they're saying, we want to evaluate people when they fail to meet cybersecurity requirements and mark them as somebody we don't want to work with.
B
Golly.
A
Next of the three things that we're focused on here, failure to flow down required clauses to subcontractors. Failure to include mandatory contract clauses in subcontracts as verified by contract reviews or audits. We all know, Daniel, you and I have talked to thousands of companies who do not flow DFARS 7012, DFARS 7008, 7019, 7020, soon 7021 and 7025 down to their subcontractors. And if the government finds out, negative performance indicator on your CPARS, they don't want to work with you. We talk about flow down in cybersecurity requirements probably more than the actual requirements themselves. And I mean, we're on calls very recently where people were basically like, okay, we know how to do it for us. What do we do for our subs? Basically, them saying, we're not flowing anything down. If you're not meeting the cyber requirements, if there's a breach because of you not meeting the cyber requirements, if you're not flowing down the cyber requirements, if there's a breach because you didn't flow them down, going on the CPARS, they don't want to work with you, man.
B
So breaches and failures, not flowing it down, which those two stand alone.
A
Yeah. Now here's, here's the big one. False claims or misrepresentations. Totally, totally not something that we've seen becoming more and more prevalent in the cybersecurity domain. More and more, submission of false claims, fraudulent invoices or misrepresentations as substantiated by investigations, legal findings or government records is going to be negative performance criteria on your CPARS report. First of all, I can't believe that hasn't been a thing that they would mark on the CPARS beforehand. But you combine this with the Department of Justice's Civil Cyber-Fraud Initiative and this bow wave of, you know, cyber False Claims Act settlements that we're hearing coming through the system. And it's very clear to me, reading the language of this section of the FY26 NDAA, that they want to get rid of subjective evaluations of who they're working with. They want to know what you're doing wrong as a reason why they don't want to work with you. Cyber requirements, flowing down those cyber requirements, or making false claims around those cyber requirements are all reasons why they want to discriminate against working with you as a contractor. End of story.
B
I mean, here's what's crazy is, like, CMMC is one thing, right? Implement these controls, there's contractual flow down for CUI. But, like, you look at this and this could be around FCI. This could be around any type of export control data. Like, this is not just controlled unclassified information. This is basically saying, like, if you're a publicly traded company, you're filing what is an 8-K, right, because you had a cyber incident, or you had DOJ do an investigation on you because of false claims, or it was found out that one of your subs and suppliers was compromised and you didn't contractually flow down the requirement to them. Like, and this is happening on a daily basis. Like, I could point to these three things and be like, I have conversations with people on a daily or multi, you know, multiple days in a week about one of these three things, right? And it's shocking. I'm happy that they're trying to shore up these areas even above CMMC, because I'll be honest, the data the federal government is giving to contractors is not secure. I don't know which other way to say it. Like, they have to put a little bit of a stick and also have a little bit of a carrot saying, hey, like, you want to keep working with us, we're going to give you a lot of money. But you just can't do these things, or you have to report them appropriately.
A
I mean, when you add it all up, you're like, guys, I mean, it is immensely clear that the government cares about cybersecurity requirements. It's like they're putting multiple cybersecurity clauses into solicitations and contracts. They are making you verify up front, before they award you the work, that you have done the thing. They're making you attest every year to ongoing compliance. They reserve the right to show up and check whenever things are going on. From there, they've structured a level of CMMC above and beyond the existing requirements for specific types of data that they super duper care about. And then on top of that, if you fumble the ball at any time during that point, then the DOJ can come after you very easily with their program for holding people accountable. And, and now it's going to go on your quote unquote permanent record in CPARS as a reason why they don't want to work with you in the future. They really care about this issue. I mean, this is like, I mean, look at the way the winds are blowing. I mean, this is something that they really care about. Well, speaking of really caring about, if they care about it so much, when is this all happening?
B
I was about to say, like, roll out quickly, maybe, I don't know.
A
According to the language in this version of the NDAA, all of this proposed change to the DFARS has to be done within 180 days of the enactment of the Act. And then a year from the enactment of the Act, they're going to require the DoD to issue training and guidance to the contract workforce. They say the Secretary of Defense will develop and provide training for contracting officers on these changes to CPARS. And that guidance shall emphasize the use of objective evidence and the exclusion of all subjective judgments in the evaluation of contractor performance. All of this not later than one year after the enactment of the bill. So you're talking about a little over a year from right now, essentially, because these NDAAs usually go out. I mean, I don't know when the government's going to come back on, but you're talking 12 to 15 months, ish, probably, when we could see that change to CPARS. So if you're familiar with what CPARS is, then this is probably going to really freak you out. If you're not familiar with what CPARS is, then that's probably great for you. But it's another indicator that this is a thing the government is super, super invested in. They are pulling the levers of the bureaucratic system to try to force this issue. We got to wait and see what the final version of the NDAA comes through. We'll link to the Senate version that's out there right now. But the part that you guys want to pay attention to is section 8, 6, 7. Yeah. For everybody out there who said, oh, CMMC is a thing, Congress is going to modify things or the NDAA, actually they did the exact opposite and they doubled down on something that, you know, it's the, it's like the, the Gundam armor on the outside of CMMC to turn it into Megazord from Power Rangers. Now it's, it's not undermining CMMC, it's reinforcing what they're trying to accomplish with that program.
B
It's kind of fascinating to me, because you would think defense contractors and the lobbying firms that they have behind them would try their hardest to make sure something like this isn't released. So it's actually kind of refreshing to see the federal government, or Congress specifically, really looking out for what I would consider the nation's interest for protecting this data. Right. Because it's like this is actually, like, huge. I mean, let alone this is just the DoD, like this. Unless I missed something, Jacob, this does not apply at a FAR or a federal level overall right now. This is just, hey, DoD, you need to get your, your contractors in line.
A
Yeah, yeah. Now, you know, we'll have to just wait and see how that changes with, you know, the FAR CUI rule thing, you know, in the future as well. You know, obviously that's a slower cycle of change over time. But, you know, as I was reading through this the other day, it's like I just am reminded of all the former contracting officers that we talked to. You know, Lauren Ayers talked to a bunch of former contracting officers out there, and they consistently said they are looking for reasons to disqualify you from being in contention for winning. Right. You fill out the paperwork wrong. You don't meet a minimum requirement, this, that or whatever. It makes their lives easier if they don't have to consider your solicitation. That's just the way it works. They're just people. Right. And this is going to give that steroids, essentially, where it's going to give them the ability to just look on your report card, if you will, and say they have bad cybersecurity. See you later. There you go. So be sure to read it, check it out, and we'll see. We'll keep an eye on how that issue progresses as the NDAA comes through. But that's what they're looking at now. They have moved on from, you know, talking about what CMMC is gonna look like. That ship has sailed, and now they're, you know, adding stuff to and around that program. So yeah, like and subscribe and stay tuned with all of the rapid fire updates to the legislative and regulatory process, because we find gems like this all the time and they don't really make the headlines. So I don't know where you're gonna hear about them if you guys don't make a habit of reading proposed legislation all the time. We can't. We can't get enough.
B
Anyways, big fan.
A
That's what's going on this week. We are at CS5 today, so be sure to stop by and hang out and, yeah, we'll see you guys next week.
B
Awesome. See y'all.
Podcast: Sum IT Up: CMMC News Roundup
Host: Summit 7
Date: October 16, 2025
This episode breaks down significant upcoming changes to the Contractor Performance Assessment Reporting System (CPARS) as mandated by the Senate’s version of the FY26 National Defense Authorization Act (NDAA). The hosts, Jacob and Daniel, explain how these changes will make CPARS evaluations of contractor cybersecurity performance more objective and the broader implications for defense contractors, especially around CMMC, DFARS, and compliance flow-down requirements in the defense industrial base.
The conversation is energetic, candid, and pragmatic, mixing technical insight with relatable analogies (“report cards”, “Megazord”, etc.), mild humor, and direct advice. The hosts aim to demystify complex rules for listeners but don’t shy from expressing urgency or their viewpoint on the changes.
The Senate's version of the FY26 NDAA introduces a seismic shift in how contractor cyber performance will be assessed: moving from subjective, often friendly reviews to objective reporting of measurable failures, particularly around cybersecurity breaches, compliance flow-down, and false claims. Contractors should prepare in the next 12 to 15 months for this reality, ensuring robust compliance throughout their supply chain, or risk their reputation, eligibility, and future business with the DoD.
Links and further reading:
The hosts mention a link to the Senate version of the NDAA and recommend closely monitoring Section 876 for final language.
Stay tuned: The hosts anticipate more updates as the NDAA passes and DFARS is revised, promising further breakdowns in future episodes.