Andrew Swick and Margaret M. Cassidy
Part 2 of our FY26 NDAA reviews shifts from industrial base investment to changes the Department of Defense’s (DoD) acquisition process, organized into five subcategories:
- When Cost Accounting Standards (CAS) Apply
- Truth in Negotiations Act (TINA) Threshold Changes
- Compliance Exemptions for Nontraditional Defense Contractors
- Encouraging Commercial Purchases
- Cybersecurity and Industrial Security Requirements
Bottom Line: The FY26 NDAA lowers barriers for commercial companies and nontraditional defense contractors to become part of the Defense Industrial Base by:
- Lowering thresholds for when contractors must comply with certain acquisition regulations related to accounting and costs
- Streamlining the commercial acquisition process
- Requiring more commercial acquisition
- Reducing some compliance burdens for contractors and subcontractors
- Raising mandates for cybersecurity, and industrial security
(Full bill: S.1071 — National Defense Authorization Act for FY2026).
When Cost Accounting Standards (CAS) Apply (§1806)
What Changed:
A barrier to entry into defense contracting are the Cost Accounting Standards (CAS) which define how contractors and subcontractors must determine costs, assign costs and allocate costs for negotiated prime contracts and subcontracts over $2.5 million.
Section 1806 raised this threshold to contracts valued at $35 million or more. It also eliminated the requirement for contractors and subcontracts to comply with CAS once they receive a CAS covered contract valued at $7.5 million or more.
The threshold for full CAS coverage was raised from $50 million to $100 million. Full CAS requires that contractors comply with all 19 of the cost accounting standards as opposed to modified CAS which only requires compliance with some of the standards.
Last, Section 1806 allows for portions of contracts to be exempt from CAS if those parts of the contract are for commercial services or commercial products or that are firm-fixed price.
Why It Matters:
CAS’ complex accounting procedures impose costly compliance requirements and failing to comply exposes contractors to the risk of False Claims Act investigations and onerous Defense Contract Audit Agency audits. Given this, even large, experienced contractors avoid contracts that require CAS compliance.
These changes should reduce compliance costs and risks and may result in more contractors pursuing contracts they previously avoided.
Truth in Negotiations Act (TINA) Thresholds Increased (§1804)
What Changed:
A related and equally burdensome legal requirement, the Truthful Cost or Pricing Data Statute (formerly the Truth in Negotiations Act, “TINA”) mandates that contractors provide the government detailed information about the costs and price they charge the government for its products or services in the form of a certified disclosure.
Section 1804 raised the threshold for when TINA applies from the current $2.5 million contract value to a $10 million contract value for contracts executed after June 30, 2026.
Why It Matters:
When contractors are required to submit certified costs and price data, they are exposed to a full forensic excavation of their cost structure and their pricing. Missteps expose contractors to audits and investigations. As a result, contractors often avoid contracts that require compliance with TINA. The increased TINA threshold means fewer requirements for cost and pricing data, lower audit and investigation risk and possibly more competitive pricing.
Exemptions for Nontraditional Defense Contractors (§1826)
What Changed:
Contracts and agreements with nontraditional defense contractors are exempt from having to comply with about nine Defense Federal Acquisition Regulations (DFARS) related to their internal systems such as accounting, property management and purchasing. (2026 NDAA at page 533 lists the exempted DFARS) (Click Here for The Defense Salon post defining nontraditional defense contractors.)
Why It Matters:
This provision is part of a multiyear effort to pull commercial innovation into the defense ecosystem and makes clear that commercial innovation must be a structural feature of defense acquisition.
For startups and tech firms that don’t have the resources to build systems to meet these requirements, these exemptions can be the difference between participating in a DoD program and walking away. For primes, teaming with nontraditional partners can be a competitive advantage, but also a compliance risk if status is misapplied or challenged.
Since almost 90% of all defense contractors meet the definition of nontraditional defense contractors, this will have broad impact. According to a George Mason University Costello College of Business July 2025 report, only about 7.5% of DoD contractors do not fall under the definition of nontraditional defense contractor.
Commercial Solutions and Reduced Compliance Burdens (Subtitle C – Matters Relating to Commercial Products and Services, §1821-§1824)
What Changed:
Sections 1821-1824 implemented several changes to facilitate DoD purchasing commercial products and services and to relieve some compliance requirements for commercial acquisitions:
- DFARS must publish a list of the DFARS clauses that apply to commercial acquisitions
- DoD must develop more robust procedures to justify non-commercial acquisitions, to include requiring program managers to document that no commercial items are available
- Commercial Solutions may be used for commercial products, commercial services and nondevelopment items, not just “innovative” products and, for follow-on production agreements, to include through a sole source contract
- Fewer FAR/DFARS are required to be flowed down to subcontractors
Why It Matters:
These changes are the tools DoD acquisition professionals need to make more commercial purchases. By requiring written justification for non-commercial purchases, acquisition professionals should be more thoughtful on finding commercial solutions.
When DoD buys commercial or uses commercial solutions, it unlocks faster timelines, fewer unique clauses, and more predictable pricing. Misclassification, however, creates compliance headaches and protest risk.
Limiting flowdowns strengthens the supply chain by addressing barriers to entry for commercial businesses because they have resisted defense work due to burdensome clauses.
Cybersecurity and Industrial Security Implications (§866, §1512, §1513)
What Changed:
Section 866 directs DoD to harmonize cybersecurity regulations to reduce duplicative requirements and eliminate inconsistent requirements. Sections 1512-1513 as well as Section 866 establish new requirements for securing AI and machine learning systems such as requiring DoD to conduct a cybersecurity risk assessment and to collaborate with industry and academia. DoD needs to review its governance frameworks related to cybersecurity and physical security; identify best practices in using AI to mitigate DoD’s risks; and evaluate commercial capabilities to monitor its systems.
The DFARS must be amended to require contractors to implement best practices related to security.
Why It Matters:
Cyber and industrial security are converging into a unified risk posture. Harmonization should reduce duplicative and inconsistent requirements over time and in the near term it will consolidate expectations around higher standards. AI/ML systems, once peripheral to compliance, are now recognized as critical attack surfaces. Contractors should expect tougher inspections, more coordinated oversight, and increased scrutiny of emerging technology use to include risks of False Claims Act investigations.
What To Do Now:
CAS & TINA: Update internal policies to reflect the new thresholds, retrain pricing, finance and proposal teams, and tighten estimating system controls. In CAS covered contracts, review for portions that may be exempt from CAS. Counsel should prepare for more aggressive oversight on large awards and work to make sure procedures are documented to withstand post award audits.
Non-Traditional Defense Contractors: Adequately document nontraditional status, build and structure teaming agreements and subcontracts to reflect the exemptions as well as to allocate risk around data rights, performance and audit/investigation exposure. Primes should treat nontraditional partnerships as both opportunity and liability and be sure to have oversight procedures.
Commercial Acquisition: Invest in robust commercial item determinations, detailed market research and be prepared to include it in proposals. Align pricing, warranty, and support models with commercial norms. Strategically pursue commercial solutions, especially in rapid prototyping and emerging technology programs. Revisit subcontract templates to ensure they align with the changes toward commercial contracting.
Cybersecurity and Industrial Security: Map cybersecurity obligations across frameworks and move toward a unified control set. Prepare for more rigorous IT system, facility and software supply chain reviews. Inventory AI/ML use cases and implement controls for model integrity, data provenance, and access management. Treat cyber and industrial security as eligibility criteria, not just compliance obligations.
Final Thoughts:
With this NDAA 2026 Congress is lowering barriers for nontraditional and commercial firms to sell to DoD and giving DoD the tools to make more commercial purchases. This is consistent with DoD memos and communications mandating changes to acquisitions. Through these actions, the defense industrial base should start to expand.
For current contractors and those looking to sell to DoD, the message is clear:
- DoD will look to make more commercial acquisitions and decrease its reliance on non-commercial purchases
- Innovators and those who have not previously worked with DoD will face less compliance burdens and more opportunities for their solutions to be selected
