The Brief · Defense · June 26, 2026

The NDAA just pulled AI inside CMMC — and cloud chatbots don’t qualify

The FY2026 National Defense Authorization Act, signed in December 2025, did something defense contractors will feel for years. Section 1513 directs the Department of Defense to build a cybersecurity framework for AI and machine-learning systems and fold it into DFARS and the CMMC program, covering “covered” AI/ML systems down to their model weights, source, and training data.

The practical sting is CUI. Public cloud AI — ChatGPT, Claude, Gemini, Copilot — generally does not carry the FedRAMP authorization that CMMC assessments assume. If your people paste controlled information into a consumer chatbot, you are leaning on a service that was never authorized to hold it. DoD owes Congress an implementation plan by June 16, 2026, so this is moving, not hypothetical.

The Stavryn take
  • The compliant path for CUI has always been “keep it inside your boundary.” An on-prem model is inside the boundary by construction.
  • You can’t bolt CMMC onto a public chatbot. You can run a private model that never sends a token off your network.

Analysis: Crowell & Moring; King & Spalding. See defense & CMMC and CMMC-compliant AI.