CMMC Phase 1 is now in effect, and the numbers are not reassuring. Only 1% of Defense Industrial Base contractors are fully prepared for self-assessment requirements under NIST SP 800-171. Phase 1 runs through November 2026, at which point Phase 2 introduces mandatory third-party C3PAO assessments. Organizations that have not documented compliance across their VPN, encryption, and remote access controls are operating with less than six months to close those gaps — and gaps discovered during Phase 2 assessments carry contract eligibility consequences, not just remediation timelines.
ExpressVPN’s deployment of ML-KEM in its Lightway protocol this month is the most significant VPN provider PQC development since NordVPN’s NordLynx integration. Lightway is ExpressVPN’s proprietary protocol, meaning ML-KEM protection is not automatic across all connection types — users must verify their client is running Lightway and that the update has been applied. For federal contractors evaluating commercial VPN services against CNSA 2.0 requirements, ExpressVPN now joins NordVPN and Mullvad as confirmed ML-KEM implementations. The PQC scorecard is moving.
Two critical infrastructure vulnerabilities dominated this week’s patching cycle. Ubiquiti’s UniFi OS received patches for three maximum-severity unauthenticated remote code execution flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) affecting Dream Machine and Cloud Key devices. These are network management appliances — compromise grants access to the management plane of everything they control. The attack surface here is not the device itself but every asset it manages.
Microsoft Exchange Server’s on-premises deployment has a new actively exploited zero-day. CVE-2026-42897 enables arbitrary JavaScript execution in Outlook Web Access via a crafted email, with no authentication required from the target. Federal contractors running on-premises Exchange — still common in air-gapped and sensitive compartmented environments — should apply available patches and implement temporary mitigations immediately. Cloud-hosted Exchange is not affected.
The IETF ML-KEM Security Considerations draft expiration on May 21 is a process milestone worth tracking. Guidance on implementation security — side-channel resistance, key handling, hybrid construction — will inform how vendors approach FIPS 203 compliance. Organizations evaluating vendor implementations should verify that products reference this guidance in their security documentation.
Law enforcement dismantled First VPN in Operation Saffron on May 19–20, removing infrastructure that served more than 25 ransomware groups since 2014. The operational significance for federal contractors is not the takedown itself but the audit implication: organizations that have seen unexplained connection attempts from First VPN IP ranges should treat those as confirmed ransomware infrastructure contact and initiate incident review procedures.
The week’s pattern is increasing specificity in both threats and compliance requirements. CMMC Phase 1 is no longer approaching — it is here. ML-KEM deployment is no longer theoretical — it is shipping. Threat actors who relied on First VPN will re-establish elsewhere within weeks.
The CMMC Phase 1 activation and the ExpressVPN ML-KEM deployment are this week’s items that require action, not just awareness. If your organization has not started CMMC self-assessment documentation, six months is not as much time as it sounds.