The six operative federal AI procurement rules for FY2026, mapped to NorthAI's sub-of-prime and direct-vendor scenarios, with the November 10, 2026 CMMC deadline as the controlling timing constraint.
Authorization is an investment in trust infrastructure. The first authorization is expensive; subsequent customer acquisitions leverage that investment through reciprocity.
No single "FAR 39.108" AI procurement rule exists as a published final rule. The operative federal AI procurement framework for FY2026 is built from six instruments: OMB M-25-22, the proposed GSAR 552.239-7001, DFARS 252.204-7021, DFARS 252.239-7018, FAR 52.204-21, and the FedRAMP 20x authorization pathway. The critical finding: if NorthAI or CHN Analytics is operating as a DoD subcontractor handling Controlled Unclassified Information (CUI), CMMC Level 2 certification with a C3PAO assessment is mandatory by November 10, 2026. That deadline is approximately six months away as of this writing. Gap assessment should be underway now.
| Rule | Proposed / Final | Effective Date | Sub-of-Prime Applicability | CHN-Direct Applicability | Required Action |
|---|---|---|---|---|---|
| GSAR 552.239-7001 Basic Safeguarding of AI Systems (Proposed) |
Proposed Comment period closed Apr 3, 2026. Not in Refresh 31; expected Refresh 32 (est. Q3 2026). |
TBD (est. Q3 2026 finalization) | No. Applies to GSA Schedule contracts only. DoD sub-of-prime uses DFARS, not GSAR. | Yes, once finalized. CHN as direct GSA Schedule contractor must identify all AI systems within 30 days of award, prohibit government data use for model training, segregate and delete government data at contract conclusion, grant government ownership of data inputs/outputs. | Monitor GSA Federal Register for Refresh 32 publication date. Begin contract review now to flag clauses that may conflict with the proposed data-ownership and non-training requirements. Legal review of any existing GSA vehicle language. |
| DFARS 252.204-7021 Contractor Compliance With CMMC Levels (Final) |
Final Final rule published Oct 2024; implementing DFARS clause effective Nov 10, 2025. |
Phase 1: Nov 10, 2025-Nov 10, 2026 (CMMC L1/L2 self-assess) Phase 2: Nov 10, 2026-Nov 10, 2027 (L2 C3PAO mandatory) |
Yes. If NorthAI/CHN handles CUI as a DoD sub-of-prime, the prime flows down L2 requirement. Must achieve CMMC L2 C3PAO certification by November 10, 2026. Cost: $30K-$50K for C3PAO assessment (plus remediation). | Conditional. CMMC applies to DoD task orders under a GSA Schedule contract. CHN as direct Schedule contractor is subject to CMMC requirements only if winning DoD task orders that involve CUI. | Assess gap now. November 10, 2026 is 6 months away. Primes will tighten vendor vetting 6-9 months before Phase 2 enforcement (July-October 2026). Engage a C3PAO for pre-assessment by September 2026 at the latest. |
| DFARS 252.239-7018 Supply Chain Risk (Final) |
Final Consolidated into revised DFARS structure Feb 1, 2026 as part of the Revolutionary FAR Overhaul (RFO). |
Immediate (Feb 1, 2026) | Yes. NorthAI as DoD sub-tier must implement all 110 NIST SP 800-171 security controls. Prime responsible for flow-down and audit. Note: DoD formally designated Anthropic as a supply chain risk under this clause on March 3, 2026 (first US AI company so designated). | Yes if CHN operates as a DoD prime. Must implement NIST SP 800-171 controls and manage sub-tier supply chain risk per DoD designation list. | Confirm whether NorthAI or CHN has been risk-designated under DFARS 252.239-7018. No public designation found as of 2026-05-28, but the Anthropic precedent signals DoD is actively reviewing AI analytics vendors. Document NIST SP 800-171 control implementation status. |
| FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems (Final) |
Final Core clause; subsumed from retired FAR 52.239-1. Already in effect. |
Already in effect | Conditional. If the DoD prime has FAA contracts, FAR 52.204-21 flows down to all subs handling Federal Contract Information (FCI). Applies to NorthAI's handling of FCI. Equivalent to CMMC Level 1 controls. | Yes. All GSA Schedule contractors handling FCI must comply. Baseline for commercial IT; applies to AI systems handling any federal contract information. | Implement basic safeguarding controls per NIST SP 800-171 Low baseline. This is the floor, not the ceiling. DoD work requires CMMC L2 above this baseline. |
| FedRAMP 20x (Phase 3) Cloud Service Authorization Pathway |
Final Program Program live March 2025. Phase 3 (full scale Low and Moderate) opens Q3-Q4 2026. Sponsor requirement eliminated January 2026 (RFC-0023). |
Phase 3 enrollment: Q3-Q4 2026 Cost: $500K-$1.5M (Moderate), $100K-$300K (Low Impact) |
No. If NorthAI is an analytics layer running on top of a prime's already-authorized cloud platform (e.g., AWS C2S, Salesforce GovCloud), NorthAI does not need independent FedRAMP authorization. Applies only if NorthAI operates as a standalone Cloud Service Provider handling CUI. | Yes, if CHN offers NorthStar or another product as a standalone cloud service to federal agencies. Pursuing Phase 3 Moderate authorization Q3-Q4 2026 recommended: sponsorless pathway now available; marketplace listing then enables agency-level adoption. | Clarify business model with Tim and Stephanie: direct cloud product (FedRAMP required) vs. analytics layer on prime's cloud (FedRAMP not required). Decision gates the authorization budget and timeline for FY2026-FY2027. |
| OMB M-25-22 Acquisition Framework Operationalized via GSAR 552.239-7001 (proposed) |
Policy Memo Issued April 2025; operationalized via proposed GSAR clause. FAR Part 39 rewritten via Revolutionary FAR Overhaul (RFO); formal AI-specific clauses expected Q3-Q4 2026. |
Guidance effective immediately; formal FAR clauses TBD | Indirect. M-25-22 encourages OTA contracting for AI; if NorthAI/CHN qualifies as nontraditional contractor, OTA engagement with DoD bypasses normal FAR procurement. | Indirect but favorable. Streamlined commercial AI purchasing (Part 12/13 expansion) benefits CHN if positioned as a commercial AI product. OTA authority benefits CHN if woman-owned small-business status qualifies as nontraditional. | Pursue OTA eligibility confirmation for CHN Analytics. Monitor FAR Council docket for formal Part 39 AI clauses (expected Q3-Q4 2026) that may relax security requirements for low-risk commercial AI. |
| EO 14179 (AI Regulatory Modernization) FAR amendments in progress; Unbiased AI Principles |
Executive Order Signed January 23, 2025. FAR class deviations effective February 1, 2026 via RFO. Formal rule rewrites timeline TBD. |
Phased: class deviations Feb 1, 2026; final rules Q3-Q4 2026 (est.) | Favorable but not yet mandatory. EO directs removal of AI procurement barriers; NorthAI/CHN benefit from streamlined commercial AI purchasing. No new mandatory clauses yet. | Favorable. Streamlined Part 12/13 commercial AI purchasing directly benefits CHN as a direct-vendor. GSA OTA toolbox creation (directed by EO) may offer accelerated access to DoD buyers. | Monitor FAR Council docket for proposed Part 39 AI-specific rules. Anticipate Q3-Q4 2026 formal requirements. No action required until final rules published. |
The applicability of these rules differs materially depending on whether NorthAI/CHN pursues the sub-of-prime or direct-vendor path. This is a business model decision, not a compliance decision, but it gates the compliance roadmap.
| Rule | Sub-of-Prime (DoD Integrator) | Direct Vendor (GSA Schedule) |
|---|---|---|
| GSAR 552.239-7001 | No (DFARS governs DoD) | Yes (when finalized, Q3 2026) |
| DFARS 252.204-7021 (CMMC) | Yes (if CUI involved; Nov 10, 2026 deadline) | Conditional (DoD task orders only) |
| DFARS 252.239-7018 (Supply Chain Risk) | Yes (NIST 800-171, flow-down required) | Yes if DoD prime |
| FAR 52.204-21 (Basic Safeguarding) | Conditional (if prime has FAA contracts) | Yes (all Schedule contractors handling FCI) |
| FedRAMP 20x | No (unless standalone cloud offering) | Yes (if cloud product serving CUI) |