RGCI - Do Cybersecurity Maturity Model Certification (CMMC) Requirements Apply to Grants

The Department of Defense (DoD) issued a final rule on September 10, 2025, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the requirements of the Cybersecurity Maturity Model Certification (CMMC) for FAR-based contracts and subcontracts, effective November 10, 2025.

What About Cybersecurity on Federal Awards (Grants and Subawards)?

The Office of Management and Budget (OMB) issued a streamlined version of the 2 CFR 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, effective October 1, 2024, to clarify language, increase thresholds, reduce administrative burden, and specifically address cybersecurity in two sections.

  1. 2 CFR 200.303 Internal Controls requires recipients and subrecipients to take “reasonable cybersecurity and other measures to safeguard information.” What counts as “reasonable” is not defined, and the answer will likely differ depending on whether you ask the government, an auditor, or a grant recipient.
  2. 2 CFR 200.206(b) Federal agency review of risk posed by applicants requires a Federal agency to evaluate the risk posed by an applicant before issuing a Federal award. The revised language expands that risk assessment to include cybersecurity risks, and it requires the risk criteria the agency will evaluate to be described in the Funding Opportunity Announcement (FOA), which 2 CFR 200 calls the Notice of Funding Opportunity (NOFO).

Reading the regulations alone, OMB has not mandated a specific cybersecurity framework in 2 CFR 200 the way the DFARS clause does for contracts.

Then Came the “Playbook”

In December 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued the Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure to assist agencies and recipients in implementing cybersecurity requirements.

While the Playbook guidance is focused on grants related to critical infrastructure, it points in the direction most Federal agencies are likely to head.

The Playbook states:

“…all grant-making agencies are encouraged to incorporate cybersecurity requirements into their respective grant programs for critical infrastructure. Federal agencies can do so by including cybersecurity requirements language in Notice of Funding Opportunities (NOFOs) and Terms and Conditions (T&Cs) to ensure grant recipients develop and maintain Project Cyber Risk Assessments and Project Cybersecurity Plans for these projects.”

The Playbook contains recommended cybersecurity actions and best practices for Federal agencies, recipients, and subrecipients, including:

  • Model language for cybersecurity requirements to include in Notice of Funding Opportunities (NOFOs);
  • Model language for grant award terms and conditions (T&Cs);
  • A template and tools for developing a Project Cyber Risk Assessment;
  • A template for developing a Project Cybersecurity Plan; and
  • Resources outlining cybersecurity best practices to inform cybersecurity requirements.

What Have We Seen?

Due to the 2025 Executive Orders that resulted in grant terminations, plus the government shutdown, we have not seen many new FOAs or how Federal agencies are addressing cybersecurity requirements. The Department of Health and Human Services (HHS) Grants Policy Statement, effective October 1, 2025, addresses when a grant requires a cybersecurity plan. Section D.5.1.1 Cybersecurity requirements states:

You must create a cybersecurity plan if your project involves both of the following conditions:

  • You have ongoing access to HHS information or technology systems.
  • You handle personal identifiable information (PII) or personal health information (PHI) from HHS.

You must base the plan on the NIST Cybersecurity Framework.

While the HHS Grants Policy Statement applies only to HHS grants, we anticipate that other Federal agencies will address cybersecurity requirements in their own policy statements. Grant recipients therefore need to review not only the Funding Opportunity Announcement, the terms and conditions, and any agency supplements for cybersecurity requirements, but also the Federal agency’s policy statement.

Implementing the NIST Cybersecurity Framework is a complex and time-consuming process. It generally requires the expertise of an internal Information Technology or security specialist, or an external company, and it is not quick: the framework is outcome-based rather than a checklist, so a recipient has to document its current state, define a target profile, identify the gaps between the two, and then close those gaps.

Recipients will need to understand how grant information is received, transmitted, processed, and stored in their systems. They will also need to determine whether they can document compliance with the requirements using existing Information Technology staff or need to engage a third-party subject-matter expert, which can be expensive. Recipients will need to assess their subawards and determine what cybersecurity requirements, if any, should be flowed down to each subaward. 2 CFR 200 does not include specific cybersecurity flow-down language, so recipients will need to mirror the language in the FOA or agency policy statement in their subaward terms.

Takeaways

Grant recipients and subrecipients should review the FOA, the terms and conditions, and the Federal agency policy statement to determine whether there are cybersecurity requirements to comply with. Since there is no specific flow-down language in 2 CFR 200, recipients will need to develop their own flow-down terms if a subrecipient must comply with the cybersecurity requirements. Recipients may also receive a follow-on grant that carries cybersecurity requirements that were not identified in the previous grant. Update your policies to implement the 2 CFR 200.332 requirement to assess the risk of your subrecipients and to develop monitoring plans that address cybersecurity.

If you are applying for a grant that requires a cybersecurity framework and your organization does not have one in place, we recommend you coordinate with the Federal agency (or, for a subaward, the recipient) to discuss how quickly you can implement the framework and whether the agency will issue the award while you are still establishing it.

Preparing for Cybersecurity Expectations in Government Grants

Redstone Government Consulting supports contractors and grant recipients by helping them understand and navigate the cybersecurity expectations that accompany federal awards. Our team provides guidance on working with established partners who offer penetration testing, incident response, security assessments, and support for the development and resolution of POA&Ms. We help clients evaluate policy requirements, assess flow-down obligations, and interpret procurement and pass-through expectations outlined in 2 CFR 200.318 to 200.327 Procurement Standards and 2 CFR 200.332 Requirements for pass-through entities. Through our consulting support and collaboration with trusted cybersecurity partners, we assist organizations in preparing for compliance, strengthening internal processes, and addressing cybersecurity requirements that accompany government contracts and grants.

Written by Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, and CAS and has testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability, or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS, and she made NASBA-certified presentations to the staff including, but not limited to, billing reviews, CAS, unallowable cost, and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractors’ assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

State of Florida Certified Public Accountant; State of Alabama Certified Public Accountant; Defense Acquisition Workforce Improvement Act (DAWIA) Level III – Auditing; DAWIA Level III – Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: Small Business Compliance, Contracts & Subcontracts Administration, DFARS Business Systems, Government Regulations, Federal Acquisition Regulation (FAR), Cybersecurity, Grants & Cooperative Agreements (2 CFR 200)