Podcast Summary: BIG Changes are Coming to CPARS (Cyber)
Podcast: Sum IT Up: CMMC News Roundup
Host: Summit 7
Date: October 16, 2025
Episode Overview
This episode breaks down significant upcoming changes to the Contractor Performance Assessment Reporting System (CPARS) as mandated by the Senate’s version of the FY26 National Defense Authorization Act (NDAA). The hosts, Jacob and Daniel, explain how these changes will make CPARS evaluations of contractor cybersecurity performance more objective and the broader implications for defense contractors, especially around CMMC, DFARS, and compliance flow-down requirements in the defense industrial base.
Key Discussion Points & Insights
1. Government Shutdown Doesn’t Halt CMMC (00:02–00:16)
- The government shutdown does not affect the ongoing push for CMMC or related cyber requirements.
- “No, it will not. That's the show. We'll see you next week.” — Jacob, satirically highlighting how CMMC remains unaffected by other disruptions. (00:08)
2. NDAA’s New Focus: Reforming CPARS via Section 876 (00:16–05:57)
- The FY26 NDAA, having passed the Senate, brings dramatic changes to how government contractors’ cybersecurity performance is recorded and evaluated.
- CPARS, essentially a “report card” for contractors, will shift from subjective assessments to fact-based, objective reporting of negative performance.
- Jacob explains: “Imagine that your teacher in school gives you a report card at the end of the year... In the grown-up world, when a company does work with the government, the government gives that company a report card as well... The CPAR report lives in the CPAR system.” (03:08)
- Past CPARS often relied on personal impressions; now, verifiable negative events will be the focus.
3. What Will Change in CPARS? The Objective, Fact-Based Approach (05:57–07:52)
- Section 876 requires the Secretary of Defense to revise DFARS/CPARS in two fundamental ways:
- Report only verifiable, negative events (e.g., cybersecurity failures, not general praise).
- Ease the administrative burden: contracting officers need only note past failures or contract breaches.
- The stated aim is to make it easier for DoD to avoid “bad apple” contractors with a history of poor performance or cyber issues.
- “They’re like, nope, we want to know what you messed up. We want a report of the negative things that you have done as a contractor...” — Jacob (07:27)
4. The Three Big Negative Performance Criteria (07:52–11:43)
- Mandatory reporting of eight negative events; three are highly relevant to cybersecurity:
- Significant Cybersecurity Breaches or Failures
- Contractors failing to meet cyber requirements or suffering breaches (especially from negligence) will be flagged. (08:12)
- “Oh, you got your attention yet, everybody?” — Jacob emphasizing the gravity. (08:20)
- Failure to Flow Down Required Clauses
- Companies not passing DFARS cyber clauses down to subcontractors will receive negative reports, closing loopholes in supply chain compliance.
- “...if there’s a breach because you didn’t flow them down, going on the CPARS, they don't want to work with you.” — Jacob (09:52)
- False Claims or Misrepresentations
- Submitting falsified compliance info (e.g., self-attestations, invoices) will be tied to negative CPARS outcomes, dovetailing with existing DOJ enforcement.
- “It’s very clear...they want to know what you’re doing wrong as a reason why they don’t want to work with you.” — Jacob (11:12)
5. Broader Applicability and Implications (11:43–14:11)
- Daniel notes: These criteria could extend beyond just Controlled Unclassified Information (CUI)—potentially to Federal Contract Information (FCI) or export control data.
- “I could point to these three things and be like, I have conversations with people on a daily...basis about one of these three things.” — Daniel (12:05)
- Defense data with contractors is not secure enough, says Daniel: a “stick” is needed alongside the “carrot” of contracts and incentives.
6. Enforcement Timelines and Implementation (14:11–16:16)
- All CPARS and DFARS revisions must be made within 180 days of the NDAA’s enactment; DoD must train its contracting officers on the new, objective approach within one year.
- “Guidance shall emphasize the use of objective evidence and the exclusion of all subjective judgments...” — Jacob (14:41)
- Anticipated implementation: 12–15 months from episode date.
7. Strategic and Competitive Impact for Contractors (16:16–18:16)
- This narrows the “subjectivity gap” for contracting officers; negative CPARS can instantly disqualify a vendor.
- “This is going to give them...the ability to just look on your report card...and say they have bad cyber security. See you later.” — Jacob (17:32)
- Host commentary: It is surprising and positive to see Congress doubling down on cyber, not bowing to contractor lobbying.
Notable Quotes & Memorable Moments
- “If you’re not meeting the cyber requirements; if there’s a breach because of you, not meeting the cyber requirements; if you’re not flowing down the cyber requirements; if there’s a breach because you didn’t flow them down — going on the CPARS. They don’t want to work with you.” — Jacob (09:44)
- “I don’t know which other way to say it. Like, they have to put a little bit of a stick and also have a little bit of a carrot ... but you just can’t do these things or you have to report them appropriately.” — Daniel (12:50)
- “Look at the way the winds are blowing. I mean, this is something that they really care about.” — Jacob (13:34)
- “This is going to give them the ability to just look on your report card, if you will, and say they have bad cybersecurity. See you later. There you go.” — Jacob (17:33)
Key Timestamps
- 00:02: Opening; government shutdown does NOT affect CMMC
- 01:05: Supply chain cyber risk and history of (non-)compliance
- 03:00: What is CPARS? The “report card” analogy
- 05:57: NDAA’s objective, fact-based approach to CPARS: Section 876
- 07:52: Introduction to mandatory negative performance reporting
- 08:12 – 11:43: Focus on breach reporting, flow-down failures, and false claims
- 14:11: Timelines for implementation; rollout expectations
- 16:16: Impact on contractor disqualification; strategic insights
Tone & Style
The conversation is energetic, candid, and pragmatic, mixing technical insight with relatable analogies (“report cards”, “Megazord”, etc.), mild humor, and direct advice. The hosts aim to demystify complex rules for listeners but don’t shy from expressing urgency or their viewpoint on the changes.
Conclusion
The Senate’s version of the FY26 NDAA introduces a seismic shift in how contractor cyber performance will be assessed: moving from subjective, often friendly reviews to objective reporting of measurable failures, particularly cybersecurity breaches, failures to flow down required clauses, and false claims. Contractors should prepare for this reality over the next 12–15 months by ensuring robust compliance throughout their supply chain, or risk their reputation, eligibility, and future business with the DoD.
Links and further reading:
The hosts mention a link to the Senate version of the NDAA and recommend closely monitoring Section 876 for final language.
Stay tuned: The hosts anticipate more updates as the NDAA passes and DFARS is revised, promising further breakdowns in future episodes.
