Cyber Insurance for Defense Contractors

By The Defense Compliance Report Editorial Team · Last reviewed: June 2026 · Educational research only. This is not legal, insurance, contractual, or compliance advice.

Cyber insurance for defense contractors is not, by itself, required by any government-wide FAR or DFARS clause — but it is often required by your contract. What is mandatory, if your DoD contract contains DFARS 252.204-7012, is providing adequate security through NIST SP 800-171 and reporting cyber incidents to the Department of Defense within 72 hours. Buying cyber insurance does nothing for your CMMC status. These are separate jobs.

The rest of this page is the part nobody else assembles: where insurance and your defense obligations don’t line up, the two coverage gaps that hit defense contractors specifically, and the one move that quietly improves both your insurability and your contract eligibility at the same time.

Which system does what — read this first

Most of the confusion on this topic comes from treating cyber insurance, CMMC, and DFARS as one thing. They’re three. Here’s the clean separation.

Is cyber insurance required for defense contractors?

No single FAR or DFARS clause requires a defense contractor to buy cyber insurance. What’s mandatory under DFARS 252.204-7012 — when that clause is in your contract — is providing adequate security through NIST SP 800-171 and reporting cyber incidents to DoD within 72 hours. You may still be contractually required to carry cyber liability coverage by your prime’s flow-down terms, a specific solicitation, a lender, or a customer. So “required” depends on your contract, not on a regulation.

This trips people up constantly, so let’s be precise. There are two different obligations, and they get tangled.

The federal cybersecurity obligation is real and it is not optional. DFARS 252.204-7012requires adequate security on covered contractor information systems by implementing NIST SP 800-171. In May 2024, DoD issued a class deviation directing contractors subject to DFARS 252.204-7012 to keep complying with Revision 2 — so Rev. 2’s 110 requirements remain the operative standard, not the newly published Rev. 3.

CMMC certification is also phasing into contracts now: Phase 1 began November 10, 2025 (primarily Level 1 and Level 2 self-assessments) and Phase 2 begins November 10, 2026(adding Level 2 C3PAO certification). For a growing share of awards, the assessment piece is moving from “someday” to “this solicitation” — which is usually the moment a contractor starts getting prime questionnaires and insurance applications at the same time, and starts confusing the two.

The insurance obligation, when it exists, comes from somewhere else entirely — your contract, not the regulation. Subcontractors most often meet cyber insurance as a flow-down requirement: a prime’s subcontract specifies a minimum limit, an additional-insured endorsement, or “primary and non-contributory” wording.

So the practical answer to “do I need it” is: read the actual agreement in front of you. Find the insurance clause in the subcontract or solicitation, note the required limit and coverage type, and confirm the certificate language and any additional-insured requirement. Then — separately — confirm whether the same document is also asking for CMMC status, an SPRS score, NIST 800-171 evidence, or proof of how you handle CUI. Those are different asks that often arrive in the same email.

And the most expensive misunderstanding in this entire topic, said plainly: buying cyber insurance does nothing for your CMMC status. It is not a control. It does not get logged in the Supplier Performance Risk System (SPRS). It will not satisfy a self-assessment or a C3PAO certification assessment. Treat it as financial risk transfer, full stop.

A quick note on NIST 800-171 Rev. 2 vs. Rev. 3

NIST published SP 800-171 Revision 3 on May 14, 2024, and marks Revision 2 as superseded. For defense contracts, though, Revision 2 is still the operative standard. In May 2024 DoD issued a class deviation directing contractors subject to DFARS 252.204-7012 to keep complying with Revision 2, and the CMMC Program Rule (32 CFR Part 170) incorporates Revision 2 for Level 2.

If you’re a CISO who saw “Rev. 3” and started to panic that your whole program is outdated, breathe. Rev. 3 reorganized the controls and trimmed the count from 110 to 97, and DoD has signaled it will eventually move there — but it hasn’t yet, and it won’t until it amends the rule and prepares its assessors. Don’t let a vendor tell you Rev. 3 is the CMMC standard today. It isn’t.For now, the work is Rev. 2’s 110 requirements across 14 families — and that’s what underwriters and assessors will be checking.

What does cyber insurance for defense contractors actually cover?

A typical cyber policy covers first-party costs — incident response, forensics, data restoration, business interruption, cyber extortion — and third-party liability for claims and legal defense after a breach. The operative word is “covered.” Ransomware, social engineering, war and nation-state activity, the value of stolen intellectual property, and anything tied to misrepresenting your security posture can be limited, sublimited, or excluded depending on the exact policy wording.

Cyber coverage generally splits into two halves, and you want both.

First-party coverage pays for your costs when an incident hits you directly: incident response and digital forensics (often a “breach coach” and an approved vendor panel); restoration of damaged or destroyed data and systems; business interruption and extra expense while you recover; cyber extortion and ransomware response, where covered and often sublimited; and crisis communications and customer notification.

Third-party coverage pays when someone else — a customer, a prime, a vendor, a regulator — comes after you following a breach: privacy and network-security liability; legal defense costs; and regulatory defense, where the policy includes it.

The EPA’s published cyber insurance guidance — a useful, vendor-neutral government primer — flags a truth most broker pages skip: some cyber risks are excluded unless explicitly added back, and ransomware in particular may require its own coverage grant.

Questions to ask your broker before you bind — specific to defense contractors

For a defense contractor, the questions below deserve special attention before you sign anything, because they’re where the policy and your real-world DIB risk diverge. We added an “evidence to bring” column, because the same documents that answer a broker’s question are the documents an assessor wants.

Take these questions straight to your broker before you bind coverage. And if answering them surfaced control gaps you can’t evidence yet, that’s a readiness problem, not an insurance problem — see which provider category fits.

Where cyber insurance and your DFARS/CMMC obligations don’t line up

Cyber insurance and DFARS/CMMC are two different jobs that only partly overlap. Insurance pays for the response to an incident; DFARS 252.204-7012 and CMMC require the controls that prevent it and the reporting that follows. A policy never discharges your 72-hour reporting duty, never makes you compliant, and — critically — generally will not cover False Claims Act exposure arising from misrepresenting your compliance.

We built the table below because no broker page and no CMMC vendor page puts these two columns side by side. It’s our Obligation Gap Map: for each exposure a defense contractor actually carries, what the regulation requires, what a typical policy covers, and the gap that’s left in the middle. Read it as a checklist of conversations to have before you renew.

Cyber Insurance × DFARS/CMMC Obligation Gap Map — Last reviewed June 2026

The takeaway, stated cleanly so you can quote it to your CFO: cyber insurance pays for the response to an incident; DFARS and CMMC require the controls that prevent it and the reporting that follows. A policy does not make you compliant, and compliance does not replace a policy. The two most dangerous gaps for defense contractors are nation-state exclusions and misrepresentation — because the second one can void your coverage and trigger the False Claims Act at the same time.

When cyber insurance won’t pay: war exclusions, misrepresentation, and the False Claims Act trap

Three things most often stop a defense contractor’s cyber claim or create exposure no policy will cover: a state-backed or “war” exclusion — aimed at the exact threat that targets the defense industrial base; a misrepresentation on the application that lets the insurer rescind the policy; and the False Claims Act, which the Department of Justice uses against contractors who knowingly misstate cyber compliance. The trap is that a single act — claiming controls you don’t actually have — can void your coverage and trigger the False Claims Act simultaneously.

Gap one: the nation-state exclusion aimed straight at you

Defense contractors are disproportionately targeted by nation-state actors. Then read your war exclusion, because the insurance industry spent the last few years rewriting it specifically to limit that risk.

The turning point was the 2017 NotPetya attack — Russian-linked malware that tore through tens of thousands of machines worldwide. Pharmaceutical company Merck claimed roughly $1.4 billion in losses and its insurers refused, citing a “hostile/warlike action” exclusion. A New Jersey trial court (2022) and a state appellate court (May 2023) both held the war exclusion did not apply to NotPetya — until the parties reached a confidential settlement on January 5, 2024, days before oral argument, with about $700 million still in dispute (Merck & Co. v. ACE American Insurance Co.).

Two things matter for you. First, the policy that won for Merck was an all-risks property policy with old, generic war language — not a modern standalone cyber policy. Second, the industry’s response was swift: Lloyd’s of London Bulletin Y5381, effective March 31, 2023, required all standalone cyber-attack policies written at Lloyd’s (risk codes CY and CZ) to include a suitable state-backed cyberattack exclusion. The war language youface today is purpose-built to exclude state-backed operations, and it comes in variants — some require a government attribution before the exclusion bites, some don’t. Have your broker walk you through it line by line, and ask specifically whether there’s a carve-back for an organization that was an unintended bystander to a state operation.

Gap two: the lie that costs you twice

Underwriters no longer take your word for it. Applications now ask pointed, yes-or-no questions about MFA, EDR, backups, and incident response — and if a forensic review after a claim finds you didn’t actually have what you attested to, the insurer can rescind the policy as if it never existed. In a widely cited 2022 case, Travelers v. International Control Services, the insurer sued to rescind a cyber policy over alleged misrepresentations about multi-factor authentication. Treat that as the rescission risk — not a rule that every partial-MFA error automatically voids coverage, but a clear signal that an audit-backed application protects your claim.

Now hold that next to the Department of Justice. Under its Civil Cyber-Fraud Initiative (launched October 2021), DOJ uses the False Claims Act — with treble damages and whistleblower (qui tam) suits — against contractors who knowingly misrepresent their cybersecurity. In early 2026, DOJ Civil Division leadership characterized these cases as built on misrepresentations, not data breaches. You don’t need to have been hacked. You need to have said something false about your compliance.

Two settlements make the point, and we read the DOJ announcements directly:

• Georgia Tech Research Corporation — $875,000 (DOJ, September 30, 2025). DOJ alleged the affiliated lab had no System Security Plan until at least February 2020, ran without antivirus/anti-malware on covered systems until December 2021, and in December 2020 submitted a summary-level score of 98 that was premised on a “fictitious” or “virtual” environment— a score that didn’t apply to any actual system processing covered defense information. Two former members of the cybersecurity team brought the case as whistleblowers. DOJ stated the settlement resolved allegations only, with no determination of liability.
• MORSECORP Inc. — $4.6 million (DOJ, March 26, 2025).Widely described as the first FCA settlement centered on a contractor’s failure to update its SPRS score after a third-party assessment produced a lower number. DOJ’s allegations included using a third-party email host that didn’t meet FedRAMP Moderate-equivalent requirements and lacking a consolidated written System Security Plan.

Add Raytheon ($8.4 million in 2025), Aero Turbine and its private-equity owner Gallant Capital Partners ($1.75 million, July 2025), and Health Net Federal Services and Centene Corporation (over $11 million, February 2025), and the pattern is unmistakable. DOJ reported that overall False Claims Act recoveries exceeded $6.8 billion in fiscal year 2025, and cybersecurity cases have become a fast-growing share.

The synthesis no broker and no CMMC vendor will hand you:the same false statement does double damage. Say “yes, MFA everywhere” when it isn’t true, and that single misrepresentation can (1) let your insurer rescind the policy you paid for and (2) become the basis of a False Claims Act case the policy won’t cover anyway. The cheapest insurance against both is not a bigger limit. It’s a true, current security posture and honest affirmations.

Representation Risk Matrix — every place you make a cyber claim about yourself

How CMMC and NIST SP 800-171 readiness change your cyber insurance

The controls cyber underwriters demand in 2025–2026 — MFA, EDR, tested backups, a written and tested incident response plan, patching, training, and logging — are largely the same controls NIST SP 800-171 Rev. 2 already requires of defense contractors. That means CMMC readiness and cyber-insurance readiness are mostly one project: the same evidence package can serve both an underwriter and your DFARS 252.204-7012 work.

When we lined up the standard underwriting questionnaire against NIST SP 800-171 Rev. 2, the overlap was striking. Below is our Underwriting-to-NIST SP 800-171 Rev. 2 Crosswalk: each underwriter ask, the specific 800-171 Rev. 2 requirement it supports, the evidence that serves both purposes, and the provider category that typically closes the gap.

Underwriting-to-NIST SP 800-171 Rev. 2 Crosswalk — Last reviewed June 2026

NIST SP 800-171 maps to security outcomes, not specific commercial products. The tools above are how you implement and evidence the requirements; the standard doesn’t mandate any named brand of EDR, SIEM, or backup.

Read it this way:the work you do to pass a cyber-insurance underwriting review and the work you do to satisfy DFARS 252.204-7012 and CMMC are largely the same project. Build one evidence package — MFA exports, EDR coverage reports, a tested IR plan, dated restore tests, training records, your SSP and POA&M — and it serves both.

Now the place to be careful: backups. Underwriters expect immutable or offline backups with a tested restore. NIST SP 800-171 Rev. 2 is thinner here — requirement 3.8.9 covers the confidentiality of backup CUI, but it does not, on its face, require restore testing the way an underwriter (and basic ransomware survival) demands. So this is one of the few spots where doing the insurance-grade thing means going beyondthe letter of the control. Do it anyway. It’s the difference between a bad week and a closed business.

A fair question we get a lot: will CMMC certification lower my premium?Honestly — we’ve found no carrier publishing a guaranteed “CMMC discount,” so don’t bank on a number. But the logic holds: because the controls overlap so heavily, the same readiness work that earns your contract eligibility is the work underwriters reward with better terms and fewer denied claims. Marsh has reported that companies investing in controls are viewed favorably at renewal. The dual lever is real even if the discount isn’t a fixed figure.

How much does cyber insurance cost for defense contractors?

There’s no fixed price. General U.S. small-business cyber premiums commonly run from about $1,000 to $7,500 a year for $1 million in coverage, driven by revenue, sector, your security controls, the limits and sublimits you choose, and your retention. Reliable defense-specific premium data is thin, so treat any single number with caution and get real quotes — but know that the same controls that lower your premium are CMMC investments you’d make anyway.

After the brutal hard market of 2021–2022 — when ransomware drove premiums up 50% to 100% in some segments — the pendulum swung back. The U.S. cyber insurance market recorded its first-ever decline in direct written premium, falling roughly 7% to about $9.14 billion in 2024, down from $9.84 billion in 2023, according to the NAIC’s 2025 Cybersecurity Insurance Market Report. Marsh reported U.S. cyber rates down 5% on average in Q4 2024, with conditions staying buyer-friendly into 2025. And yet claims rose nearly 40%, to almost 50,000 reported in 2024.

Two implications for you. First, as of 2026 the soft cycle may be ending — some forecasters expect renewed increases of roughly 15–20% over the next year — so locking in good terms while you can, and walking in with documented controls, matters more than usual. Second, rates are falling but claims aren’t, which is precisely why underwriters scrutinize controls so hard. Marsh McLennan reports that 99% of cyber applications now ask specifically about MFA.

• General small-business pricing: roughly $1,000–$7,500 per year for $1 million in coverage (Marsh McLennan, 2025), varying widely by revenue, controls, and documentation.
• The controls themselves (which double as CMMC spend): MFA commonly runs a few dollars per user per month and EDR a bit more per device per month — real money, but money you’d spend for CMMC readiness anyway that also moves your premium.
• What drives your price up or down: revenue and data sensitivity, the maturity of your documented controls, your chosen limit and retention, claims history, and your third-party/cloud dependencies.

Items where defense contractors get burned at claim time:

• Sublimits. A $2 million policy can carry, for example, a $250,000 ransomware sublimit. Know your real caps.
• Retroactive date. Incidents that began before this date aren’t covered, even if you discover them during the policy period.
• The war / state-backed exclusion (see above).
• Warranty and condition language that ties coverage to the controls you attested to — the rescission trap, in fine print.

How much coverage do you actually need?

There’s no universal number, and we won’t invent one. What we can give you is the honest set of inputs that drive the decision. Take this to your broker.

What cyber insurance questions should a defense contractor expect at renewal?

Expect direct, evidence-backed questions about MFA, backups, endpoint detection, vulnerability management, incident response, business continuity, security awareness training, vendor risk, cloud services, sensitive-data handling, claims history, and governance. Because applications vary by carrier, the durable move is to maintain a standing evidence folder rather than treating any one questionnaire as the standard.

Underwriting has quietly become a technical audit. Roughly three out of four carriers now run an external scan of your attack surface during underwriting. “Yes” is no longer enough; they want the export, the screenshot, the coverage report.

Build the folder once and reuse it for renewals, prime questionnaires, and your CMMC assessment. Populate it with:

• Identity / MFA — conditional-access policies, enrollment exports, privileged-account list
• Endpoint / EDR / MDR — agent-coverage report by device and OS
• Backups — architecture, immutability settings, and dated restore-test results
• Vulnerability management — scan summaries, patch reports, exception register
• Incident response — the plan plus a tabletop record from the last 12 months
• Business continuity — your BC/DR plan
• Security awareness — training completion and phishing-simulation results
• Vendors and subcontractors — inventory, access list, flow-down language
• Cloud — service inventory and FedRAMP Moderate evidence where covered defense information is involved
• Governance — your SSP and POA&M

Who should answer the application? Not your MSP alone, and not your broker guessing at technical detail. The EPA guidance recommends a team: leadership, finance/risk, IT/security, legal/contracting, and whoever owns your CMMC evidence.

What never to do: don’t let a broker invent technical answers; don’t let an MSP answer coverage questions; don’t answer “yes” because a control is planned; don’t write “NIST compliant” without an SSP and evidence behind it; and don’t upload CUI, drawings, or sensitive contract documents into any insurance or matching form.

What happens if a defense contractor has a cyber incident?

A cyber incident can put you on two parallel clocks at once: the insurance track (policy notice and carrier-approved response) and the contract track (DoD review and reporting). If DFARS 252.204-7012 applies, you must review for evidence of compromise, rapidly report covered incidents to DoD within 72 hours via DIBNet, preserve relevant system images for at least 90 days, and coordinate required reporting — while also meeting your policy’s notice and approved-vendor requirements.

The DFARS track (when 7012 applies):

• Review for evidence of compromise; identify affected systems, data, and accounts
• Rapidly report to DoD through dibnet.dod.mil within 72 hours (a DoD-approved medium-assurance certificate is required to file)
• Submit isolated malicious code to the DoD Cyber Crime Center (DC3) if required
• Preserve and protect images of affected systems and relevant monitoring data for at least 90 days
• Pass reporting obligations and report numbers down to and up from affected subcontractors

The insurance track:

• Notify the insurer exactly as the policy requires — late notice can imperil the claim
• Use carrier-approved breach counsel and forensics if the policy mandates it
• Preserve privilege where counsel directs
• Do not pay a ransom without insurer, counsel, and sanctions review — the Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that facilitating ransom payments to sanctioned actors can carry sanctions liability
• Document the timeline, systems, costs, and decisions as you go

Which provider category should help with cyber insurance readiness?

A licensed cyber broker places and interprets your coverage, but a broker doesn’t build the CMMC evidence behind your answers. Most contractors need one or more separate lanes: an RPO/RP or vCISO for scope and documentation, an MSP/MSSP for technical controls, a GRC platform for evidence workflow, a CUI enclave for scope reduction, broker/counsel for policy wording, and a C3PAO only when you’re assessment-ready.

One rule we will not bend: keep readiness and assessment separate. Under the Cyber AB CMMC Code of Professional Conduct (v2.0), a C3PAO is prohibited from conducting a CMMC assessment for an organization it served as a consultant to prepare for any CMMC assessment within the previous three years. Don’t hire one firm expecting it to both fix your environment and certify it. And software alone never satisfies CMMC — a GRC platform organizes your evidence; it doesn’t implement your controls or pass your assessment.

Cyber insurance by contractor type: machine shops, manufacturers, SaaS, SBIRs, primes, and subs

Your business model changes the answer. A machine shop with CUI drawings, a SaaS company hosting defense data, a prime managing supplier flow-down, and a staff-augmentation sub accessing a prime’s system create different underwriting, scoping, and incident-response questions. The constant: the contract clause and your CUI handling set your obligations, not your size or your industry.

If you’re a subcontractor, the most common version of “do I need cyber insurance” is a flow-down term in your subcontract — so match the limit and wording exactly. If you’re a manufacturer holding controlled technical drawings, your DFARS 7012 exposure is among the heaviest in the base. And if you’re a prime, remember that verifying your subs’ compliance is your risk, not just theirs.

How to buy or renew cyber insurance as a defense contractor (without a claim-time surprise)

Start 60–90 days before you need coverage, build your controls-evidence pack first (it doubles as CMMC evidence), and have a broker who understands DoD flow-downs read the war/state-backed exclusion, the sublimits, and the warranty language before you bind. The single biggest claim-time risk is attesting to controls you can’t prove — so make the application audit-backed.

• Build the evidence pack (mirror the crosswalk: MFA, EDR, backups + restore test, IR plan + tabletop, patching, training, logs).
• Ask your broker the hard questions — the war/state-backed clause variant, ransomware and social-engineering sublimits, the retroactive date, and whether your controls are written as policy warranties.
• Match the policy to your prime’s flow-down exactly — limit, additional-insured, primary/non-contributory.

This is educational research, not legal, insurance, or compliance advice — confirm coverage terms with a licensed insurance professional, and confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

Frequently asked questions

The bottom line

Cyber insurance for defense contractors works best when you stop treating it as a checkbox and start treating it as one coordinated step inside your larger CMMC path. Buy the coverage you actually need — from a licensed broker who understands DoD flow-downs — after you’ve built and documented the security posture that both underwriters and the Department of Defense expect. The two reinforce each other. The same evidence that earns a defensible insurance application earns a defensible affirmation, and the same false statement that voids a policy can put you in front of the Department of Justice.

If you’re earlier in the journey and just want to get organized, our CMMC Readiness Checklist mapped to the 14 NIST 800-171 families is a self-serve next step. Choose the right CMMC path before you hire.

Editorial standards and corrections: see our Methodology, Editorial & Advertising Policy, and Corrections Policy.

Last reviewed: June 2026