What H.R. 8710 Means for CMMC Compliance: A New Cybersecurity Bill for Defense Contractors

A new bipartisan House bill is moving through Congress that would fundamentally change how the Department of Defense handles cyber resilience and data recovery. H.R. 8710, formally known as the National Defense Data Resilience Act, requires the Pentagon to develop tested, measurable plans to restore critical systems and data after a cyberattack. For defense contractors already working through CMMC compliance, the implications are significant. This article walks through what the bill actually does, how it intersects with existing CMMC requirements, and what defense contractors and DoD suppliers should be doing right now to get ahead of the curve.

What Is H.R. 8710, the National Defense Data Resilience Act?

H.R. 8710 is a bipartisan House bill introduced in May 2026 by Rep. Suhas Subramanyam (D-VA) and Rep. Richard McCormick (R-GA), both members of the House Armed Services Committee. The bill is called the National Defense Data Resilience Act, often abbreviated as the NDDRA. Its core purpose is to require the Department of Defense to develop and regularly test capabilities to restore critical systems and data after a major cyber incident.

The bill responds to a growing concern across the federal government: cyber resilience has been treated more as a checkbox than as a measurable operational requirement. Existing cybersecurity regulations require defense contractors and DoD agencies to protect data. This data recovery bill goes further. It says protection alone is not enough. The Pentagon must also prove it can actually recover when defenses fail. As one widely cited perspective in the security press put it, recovery is becoming the new cyber deterrence.

For PacGenesis customers and any DoD supplier following this legislation, the headline is simple. Recovery is becoming as important as prevention in U.S. national security cybersecurity policy.

Why Are Lawmakers Pushing This Cybersecurity Bill Right Now?

The timing isn’t random. The past several years have seen a sharp uptick in nation-state cyber threats targeting the Pentagon, defense contractors, and critical infrastructure across the federal government. Reports through 2025 flagged supply chain compromises, ransomware attacks on defense industrial base companies, and aggressive activity from advanced adversaries, including AI-assisted operations and AI-driven reconnaissance.

Subramanyam and McCormick have positioned the bill as a building block for what they describe as a more resilient defense infrastructure. In their statements, both lawmakers have emphasized that the Pentagon’s missions and readiness, and the safety of servicemembers, depend on data that adversaries are actively targeting. If a cyberattack takes down a critical system, the question isn’t whether to plan for recovery. The question is how fast.

CISA and other federal agencies have echoed this shift for several years. The bipartisan bill puts statutory weight behind that direction. Bipartisan support matters here. Most cybersecurity legislation in 2026 stalls along partisan lines. The fact that both parties are aligned on this act signals a clear policy direction even before final passage.

What Does the Pentagon Have to Do Under This Bipartisan Bill?

The bill imposes several specific requirements on the Department of Defense:

  • Classify data into tiers. The DoD must identify and classify data as critical, important, or necessary. Military data of the highest priority will face the strictest recovery requirements.
  • Set Recovery Time Objectives (RTOs). For each tier of critical data, the Pentagon must establish maximum allowable recovery times following a cyberattack.
  • Implement immutable backups. Backup data must be logically isolated and protected from tampering or alteration, even by privileged insiders.
  • Run annual recovery drills. The DoD will conduct realistic exercises that simulate nation-state cyberattacks, including adversary emulation by independent groups using real-world tactics.
  • Report to Congress. The defense secretary will be required to provide regular oversight reports on the Pentagon’s data recovery strategy.

This is a meaningful shift from the static planning that has characterized defense cybersecurity for years. RTOs in particular force the conversation from “do we have a plan” to “can we prove the plan works.”

How Do Recovery Time Objectives Change the Game for Defense Contractors?

Recovery Time Objectives are the operational metric that turns abstract resilience goals into hard requirements. An RTO defines the maximum acceptable time between a cyber incident and full restoration of a specific system or dataset.

For defense contractors, RTOs cascade down. If the Pentagon needs to restore a system that is critical to missions and readiness within a defined window, the contractors and software vendors supplying that system have to demonstrate they can meet the same timeline. That means contractor systems, not just DoD systems, will need tested recovery capabilities with documented performance.

What this looks like in practice: tighter data-availability SLAs in DoD contracts, requirements to demonstrate immutable storage for backup data, and audit-ready evidence that contractor recovery procedures actually work against simulated cyberattacks. Contractors who can’t produce that evidence will struggle to maintain DoD contracts as the bill’s requirements work their way into procurement language.

How Does H.R. 8710 Connect to CMMC Compliance?

CMMC, the Cybersecurity Maturity Model Certification framework, already requires defense contractors handling Controlled Unclassified Information (CUI) to meet 110 cybersecurity controls drawn from NIST SP 800-171. Many of those controls touch on access control, audit logging, encryption, and incident response.

The National Defense Data Resilience Act layers on top. It doesn’t replace CMMC. It strengthens the federal-side requirements that CMMC was built to support. Where CMMC asks contractors to demonstrate they can detect, respond to, and recover from cyber incidents, H.R. 8710 effectively requires the DoD to verify those recovery capabilities are real and tested. The downstream pressure on contractors is straightforward. If the Pentagon faces statutory RTOs, contractors will face contractual ones.

This is a pattern the regulatory landscape has seen before. Just as HIPAA reshaped how healthcare organizations handle sensitive health information and produced an entire industry of compliance-ready vendors, the National Defense Data Resilience Act is set to reshape how the defense industrial base handles military data. For organizations already pursuing or holding CMMC Level 2 certification, this isn’t an entirely new direction. It’s an acceleration of an existing one.

What Should Defense Contractors Be Doing Right Now?

Even though H.R. 8710 hasn’t been enacted yet, the direction of travel is clear. Defense contractors waiting for final passage before acting are likely to find themselves behind when DoD procurement language updates. A few practical steps worth taking now:

  • Audit current backup and recovery infrastructure. Identify whether existing backups meet immutability requirements and whether they’re isolated from production environments in a way that would survive a ransomware event.
  • Document recovery time objectives, even if only informally. Knowing how long it takes to restore each tier of your own systems gives you a baseline before DoD contracts mandate one.
  • Strengthen secure file transfer and secure data storage. The encryption, access control, and audit logging required by CMMC become more important when downstream resilience is also being measured.
  • Plan for annual recovery exercises. Tabletop exercises are useful, but the bill points toward live, adversary-emulated drills. That’s a different operational lift.
  • Review your CUI handling environments. FedRAMP-authorized cloud environments are increasingly the expected baseline for handling sensitive information.
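The two checks the bill puts weight on, that a backup was not altered before it was restored and that the restore finished inside the tier’s RTO, can be recorded as audit evidence from each drill. The following is an added example, not code from the article or from any PacGenesis or DoD tooling; the tier RTO figures, system names and backup contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Maximum allowable minutes to restore each data tier. Constructed sample
# values: the bill leaves the real figures to the DoD and to contract language.
TIER_RTO_MINUTES = {"critical": 60, "important": 240, "necessary": 1440}


@dataclass
class DrillRecord:
    """One restore exercise: what was restored, from which backup, and how fast."""
    system: str
    tier: str
    backup_digest: str        # SHA-256 recorded when the backup was written
    restored_content: bytes   # bytes actually recovered during the drill
    minutes_to_restore: float


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_drill(rec: DrillRecord) -> dict:
    """Evidence for one drill: backup unchanged AND restored within the tier RTO."""
    rto = TIER_RTO_MINUTES[rec.tier]
    # An immutable backup restores to exactly the digest recorded at write time.
    intact = sha256_hex(rec.restored_content) == rec.backup_digest
    on_time = rec.minutes_to_restore <= rto
    return {"system": rec.system, "tier": rec.tier, "rto_minutes": rto,
            "backup_intact": intact, "within_rto": on_time,
            "passed": intact and on_time}


def sample_drills() -> list:
    """Constructed drill records: one clean pass, one RTO miss, one altered backup."""
    cui_blob = b"constructed CUI dataset contents"
    return [
        DrillRecord("logistics-db", "critical", sha256_hex(cui_blob), cui_blob, 42.0),
        DrillRecord("readiness-reporting", "important", sha256_hex(cui_blob), cui_blob, 390.0),
        # Restored bytes differ from the recorded digest: the backup was altered.
        DrillRecord("training-archive", "necessary", sha256_hex(cui_blob),
                    b"constructed CUI dataset contents (modified)", 120.0),
    ]


def drill_report(records=None) -> list:
    """Per-system pass/fail rows suitable for an audit package."""
    return [evaluate_drill(r) for r in (records or sample_drills())]
```

A failed `within_rto` row is a timeline problem to fix before contract language arrives; a failed `backup_intact` row means the backup store itself is not isolated well enough to count as immutable.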

The contractors who get ahead of this will be positioned to win contracts when the bill’s requirements become procurement requirements.

Where Does Secure File Transfer and Storage Fit Into This Picture?

Recovery starts with knowing where your data is, how it moves, and how it can be restored. Secure file transfer, secure file storage, secure data sharing, and the broader category of secure file sharing all sit at the operational core of the resilience equation.

If a defense contractor can’t demonstrate that file transfers are encrypted, logged, and access-controlled, the audit trail required to support recovery and compliance reporting falls apart. If secure data storage isn’t immutable, ransomware can corrupt the very backups needed to meet RTOs. If secure data transfer can’t move large CUI datasets quickly enough between production and recovery environments, the contractor’s recovery time will exceed whatever RTO the DoD has set.

This is where high-speed, secure, audit-ready file transfer and storage infrastructure stops being a back-office concern and becomes a compliance requirement. The bill doesn’t name file transfer technology specifically. It names recovery capability. But recovery capability is built on top of file movement and storage that meets enterprise security standards.

How Does IBM Aspera Map to CMMC and the National Defense Data Resilience Act?

IBM Aspera is the high-speed, secure data transfer platform PacGenesis deploys for DoD contractors and federal agencies. Aspera maps directly to several of the NIST SP 800-171 controls that CMMC compliance is built around, and many of those same controls are what the National Defense Data Resilience Act will effectively double down on.

A few specific mappings worth knowing:

  • Encryption (NIST 3.13.8 and 3.13.11): Aspera supports FIPS-validated AES-256 encryption for data in transit and at rest, meeting the cryptographic protection standards required for CUI.
  • Access Control (NIST 3.1.1 and 3.1.5): Aspera enforces the Principle of Least Privilege through centralized, role-based access controls, restricting users to authorized portions of the file system.
  • Audit and Accountability (NIST 3.3.1 and 3.3.2): Aspera generates detailed access logs and event records, producing the audit evidence required to pass CMMC reviews and support cyber incident investigations.

Aspera also supports high-throughput data movement, which matters specifically for recovery. Restoring multi-terabyte CUI datasets within a defined RTO isn’t a problem solvable with TCP-based file transfer over long-haul links. Aspera’s FASP protocol delivers near line-rate throughput regardless of latency, which is the difference between meeting an RTO and missing it when the recovery clock starts.

What About FedRAMP, CUI, and the Cloud Question?

Handling CUI in cloud environments brings FedRAMP into the picture. For defense contractors who store or process sensitive information in the cloud, FedRAMP authorization is increasingly the expected baseline. The National Defense Data Resilience Act doesn’t name FedRAMP directly, but the bill’s emphasis on resilient defense infrastructure aligns with existing federal cloud security expectations.

IBM offers Aspera in several deployment models, including on-premises, hybrid, and SaaS through IBM Cloud for Government, which holds FedRAMP authorization at impact levels appropriate for CUI handling. For contractors who need to keep data fully on customer infrastructure, the on-premises deployment option remains available and is often the choice for air-gapped or classified-adjacent environments.

The right deployment depends on contract requirements, the sensitivity of the data involved, and how the contractor’s broader CMMC compliance architecture is structured. PacGenesis works with defense contractors to scope the right Aspera deployment model for each customer’s specific information handling and resilience needs.

What Happens Next With H.R. 8710?

The bill is currently with the House Armed Services Committee and is expected to move through normal subcommittee processes before potentially being folded into the larger National Defense Authorization Act or moving as standalone legislation. Bipartisan bills of this nature often pass through the House Armed Services and Senate Armed Services Committee tracks before reaching the floor.

Several possible paths exist. The bill could pass as standalone legislation. It could be incorporated into the broader 2026 or 2027 NDAA. Appropriators may also embed its requirements in an appropriations bill. Whichever path the legislation takes, the direction is consistent. Federal agencies are moving toward measurable, tested resilience, with the Pentagon leading.

For defense contractors, the precise timing matters less than the direction. CMMC compliance was the previous wave of defense cybersecurity policy. Recovery and resilience are the next. The contractors and DoD suppliers building secure file transfer, secure file storage, and immutable data recovery into their infrastructure today will be the ones ready when the next round of contract language drops.

What Defense Contractors Should Take Away

  • H.R. 8710, the National Defense Data Resilience Act (NDDRA), is a bipartisan House bill that would require the Department of Defense to develop tested, measurable capabilities to restore critical systems and data after a cyberattack.
  • The bill introduces tiered data classification, Recovery Time Objectives, immutable backup requirements, and annual adversary-emulated recovery drills.
  • For defense contractors, the downstream effect is tighter data-availability SLAs, stricter requirements around immutable secure data storage, and audit evidence that recovery procedures actually work.
  • The data recovery bill doesn’t replace CMMC compliance. It accelerates and strengthens the resilience side of what CMMC already requires.
  • Defense contractors should be auditing backup infrastructure, documenting current RTOs, hardening secure file transfer and secure file sharing workflows, and planning for live recovery drills.
  • IBM Aspera, deployed by PacGenesis, maps directly to the NIST SP 800-171 controls that underpin CMMC compliance, with particular strength in encryption, access control, audit logging, and high-throughput recovery.
  • FedRAMP-authorized cloud environments are the expected baseline for CUI handling, with IBM Cloud for Government as one of the major options for Aspera deployment.

If you’re a defense contractor preparing for what comes after CMMC Level 2 and positioning your secure data transfer, secure file storage, and secure data sharing infrastructure for the resilience requirements coming down from the Pentagon, the conversation worth having is what your recovery capability actually looks like when measured against a real-world adversary scenario. PacGenesis builds Aspera deployments specifically for that scenario.
