Source: Crowell & Moring

Crowell & Moring analyzes a significant shift in U.S. national security policy with the introduction of new AI security requirements within the Cybersecurity Maturity Model Certification (CMMC) framework. The 2026 Defense Policy Law now imposes a rigorous AI security framework on contractors working with the Department of Defense (DoD). This law mandates that any artificial intelligence system used in defense projects must meet specific standards for cybersecurity, reliability, and technical transparency to prevent foreign exploitation and ensure mission success.

The law requires contractors to perform thorough impact assessments and undergo independent audits to verify the security of their AI models. These requirements aim to protect sensitive defense data and intellectual property that might be vulnerable during the training or deployment of intelligent systems. For federal contractors, non-compliance could lead to the loss of existing contracts and disqualification from future government opportunities. This development reflects the DoD's growing concern over the rapid proliferation of AI and the need to establish clear legal and technical guardrails for its use in strategic military operations.