CMMC is already here — this is not a future requirement
The most important thing to understand about CMMC 2.0 in 2026 is that it is no longer a future requirement you can plan for later. The CMMC Final Rule took effect December 16, 2024. The DFARS acquisition rule went into effect November 10, 2025. New DoD solicitations are already including CMMC requirements as a condition of award — right now, today.
The confusion comes from CMMC's long and tortured history. The program was first announced in 2020, went through multiple revisions, and spent years in regulatory limbo. Many contractors adopted a "wait and see" attitude — understandably so. But that wait is over. The rules are finalized, the enforcement mechanism is in place, and the clock is running.
A common misconception: Many contractors believe CMMC introduces entirely new cybersecurity requirements. It does not. The 110 NIST SP 800-171 controls that form the basis of Level 2 have been in DoD contracts since 2017 via DFARS 252.204-7012. CMMC is the verification mechanism: for most CUI contracts it replaces self-attestation with a third-party assessment. If the DFARS 7012 clause has been in your contracts for years, you have already been contractually obligated to meet these requirements. CMMC makes that obligation verifiable.
The first thing to do: read your contracts
Before doing anything else, pull your active contracts and upcoming solicitations and search for these DFARS clause numbers:
- DFARS 252.204-7021 — the CMMC clause. If this is in your contract, a CMMC Status is explicitly a condition of award. The solicitation and contract state which level applies and whether a self-assessment or a C3PAO assessment is required.
- DFARS 252.204-7019 and 252.204-7020 — the older clauses that required self-assessment against NIST SP 800-171. If these are in your contract, you have already been obligated to meet the 110 controls. CMMC Level 2 will be added when your contract is renewed, modified, or an option period is exercised.
- DFARS 252.204-7012 — the "Safeguarding Covered Defense Information" clause. This clause flows into most DoD contracts (commercial off-the-shelf buys are the main exception), so its presence alone does not prove you handle CUI. What it does mean is that NIST SP 800-171 already applies to any CUI that reaches your systems; if CUI is in scope, expect Level 2.
Do your existing contracts automatically require CMMC? No — contracts awarded before November 10, 2025 are not automatically retroactively modified. However, when those contracts come up for option periods, renewals, task orders, or modifications, CMMC requirements will be added at that point. If your contract has option years coming up in 2026 or 2027, your compliance requirement is not as far away as it might seem.
Prime contractors are not waiting for the phased rollout. Many primes are already requiring subcontractors to show CMMC readiness before including them in bids — even when the solicitation doesn't formally require it yet. A non-compliant sub can disqualify the prime's entire proposal.
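To make the clause search repeatable across a folder of contracts, here is an added example in Python. It is not code from the original article; the script and the three contract excerpts inside it are constructed for illustration (the clause titles quoted for 7012, 7019 and 7020 are the DFARS titles, the rest of the excerpt text is made up). It pulls out the 252.204-70xx clause numbers and any "CMMC Level N (Self/C3PAO)" designation, then applies the reading rules above, including the caveat that 7012 on its own does not prove CUI is in scope.

```python
import re
from dataclasses import dataclass

# Clause suffixes of DFARS 252.204-70xx. An en dash or stray spaces around the hyphen
# are tolerated because text copied out of contract PDFs often has them.
CLAUSE_RE = re.compile(r"252\.204\s*[-\u2013]\s*(70(?:12|19|20|21))")
# "CMMC Level 2 (C3PAO)" or "CMMC Status of Level 2 (Self)" style designations.
LEVEL_RE = re.compile(
    r"CMMC\s+(?:Status\s+of\s+)?Level\s+([123])\s*\((Self|C3PAO|DIBCAC)\)", re.IGNORECASE
)


@dataclass
class ContractFindings:
    clauses: list        # sorted 252.204-70xx suffixes found, e.g. ["7012", "7021"]
    cmmc_levels: list    # sorted (level, assessment type) pairs, e.g. [(2, "C3PAO")]
    verdict: str         # what the clause mix implies for CMMC planning


def scan_contract(text: str) -> ContractFindings:
    clauses = sorted(set(CLAUSE_RE.findall(text)))
    levels = sorted({(int(lvl), kind.upper()) for lvl, kind in LEVEL_RE.findall(text)})

    if "7021" in clauses:
        if levels:
            # If several designations appear, the highest level and the third-party type govern.
            level, kind = max(levels, key=lambda lk: (lk[0], lk[1] != "SELF"))
            verdict = f"CMMC Level {level} ({kind}) is a condition of award"
        else:
            verdict = "DFARS 7021 present but no level designation found; read the solicitation"
    elif "7019" in clauses or "7020" in clauses:
        verdict = ("NIST SP 800-171 self-assessment and SPRS score already required; "
                   "expect CMMC Level 2 to be added at the next option, renewal or modification")
    elif "7012" in clauses:
        # 7012 is in most DoD contracts; it does not by itself mean CUI flows to you.
        verdict = ("DFARS 7012 present: NIST SP 800-171 applies to any CUI on your systems; "
                   "confirm with the contracting officer whether CUI is in scope")
    else:
        verdict = ("none of 252.204-7012/7019/7020/7021 found; likely FCI-only (Level 1, "
                   "FAR 52.204-21) or no DoD flow-down")
    return ContractFindings(clauses, levels, verdict)


# Constructed excerpts standing in for real contract files (not real DoD documents).
SAMPLE_CONTRACTS = {
    "legacy-2019-award.txt": """
        252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
        252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
        252.204-7020 NIST SP 800-171 DoD Assessment Requirements
    """,
    "fy26-solicitation.txt": """
        252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
        252.204–7021 (en dash, as pasted from a PDF)
        The Offeror shall have a current CMMC Status of Level 2 (C3PAO) at time of award.
    """,
    "cots-purchase-order.txt": "Commercial item purchase order, FAR 52.212-4 applies. No DFARS flow-down.",
}


def scan_all(contracts=SAMPLE_CONTRACTS):
    return {name: scan_contract(text) for name, text in contracts.items()}


if __name__ == "__main__":
    for name, found in scan_all().items():
        print(f"{name}: clauses={found.clauses} levels={found.cmmc_levels}\n  -> {found.verdict}")
```

Point `scan_all` at a dictionary built from your own extracted contract text (for example `pdftotext` output) to get the same three-way verdict per file; any file whose verdict mentions 7021 or 7019/7020 belongs on your Level 2 planning list.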
The phased rollout — exactly what happens when
CMMC 2.0 is being enforced in four phases over three years. Here is what each phase actually means for you:
Phase 1 — Now (November 10, 2025)
CMMC requirements begin appearing in new DoD solicitations. Level 1 self-assessments required for contracts involving FCI. Level 2 self-assessments required for most CUI contracts. The DoD has discretion to require C3PAO certification for high-priority Level 2 contracts even in this phase — so you could face a third-party assessment requirement right now if your contract is flagged as high-priority.
Phase 2 — November 10, 2026 (critical deadline)
C3PAO certification becomes the default for Level 2 contracts. This is the deadline most contractors are working toward. From this date a self-assessment alone is no longer sufficient for most CUI contracts, and you must have completed a third-party C3PAO assessment to be eligible for award. (The rule gives DoD discretion to attach the C3PAO requirement to an option period instead of the initial award, but you should not plan on that relief.) Given that preparation takes 6–12 months and C3PAO slots are already scarce, the effective action deadline is right now.
Phase 3 — November 10, 2027
Level 2 C3PAO certification required for exercising option periods on contracts awarded after November 2025. Level 3 DIBCAC assessments begin appearing for the most sensitive programs.
Phase 4 — November 10, 2028
Full implementation. CMMC requirements apply to all applicable DoD contracts and option periods without exception. No waivers, no grace periods.
Level 1, Level 2, Level 3: which one applies to you
Your required CMMC level is determined by the type of information your systems process, store, or transmit — not by your company size or contract value.
Level 1 applies if your contract involves only Federal Contract Information (FCI) — basic administrative or logistical contract data. Requires meeting 15 basic cybersecurity practices from FAR 52.204-21. Self-assessed annually. Pass/fail — no POA&Ms allowed.
Level 2 applies if your contract involves Controlled Unclassified Information (CUI) — information the government designates as requiring protection beyond basic safeguarding. This covers the vast majority of defense contractors involved in programs involving technical data, engineering drawings, research, and operational information. Requires implementing all 110 NIST SP 800-171 Rev. 2 controls. Third-party C3PAO assessment required for most contracts by Phase 2.
Level 3 applies to contractors working on the DoD's most sensitive programs. It adds 24 requirements drawn from NIST SP 800-172 on top of the 110 Level 2 controls, and it is assessed by DCMA DIBCAC (a government assessment center) rather than a C3PAO. Very few organizations will need this.
The FCI vs CUI confusion: The distinction between FCI and CUI is where most contractors get confused. The best way to determine which applies is to look at your contract and ask: does it reference any of the CUI categories — technical data, engineering drawings, research, export-controlled information, personally identifiable information, or other categories your contracting officer identifies? If yes, you handle CUI and need Level 2. When in doubt, ask your contracting officer directly — they are required to identify the CUI categories in scope for your contract.
Self-assessment vs C3PAO certification: the key distinction
This is one of the most misunderstood parts of CMMC 2.0. There are two paths to Level 2 compliance — and which one you need depends on your contract.
Level 2 Self-Assessment: Your organization evaluates its own controls against the 110 NIST SP 800-171 requirements, reports the score in SPRS, and has a senior executive affirm the results annually. This is only available for certain lower-sensitivity CUI contracts designated as non-prioritized acquisitions. Only a minority of Level 2 contracts, perhaps 10–15% by some estimates, will remain eligible for self-assessment long-term.
Level 2 C3PAO Certification: An accredited third-party organization independently assesses your 110 controls, enters results into the DoD's eMASS system (which feeds into SPRS), and issues a Certificate of CMMC Status valid for three years. This is required for most CUI contracts starting November 2026, and already required for high-priority contracts in Phase 1.
How to know which you need: Check your solicitation for the DFARS 252.204-7021 clause. It will specify "CMMC Level 2 (Self)" or "CMMC Level 2 (C3PAO)." If the clause is not yet in your contract but CUI is involved, assume you will need C3PAO — it is the safer planning assumption for Phase 2 onward.
SPRS scores: what they are and why they matter
The Supplier Performance Risk System (SPRS) is the DoD's primary database for verifying contractor compliance. Contracting officers check your SPRS score before awarding contracts. An outdated or low SPRS score is a direct barrier to contract award.
Your SPRS score is calculated from your NIST SP 800-171 assessment using a specific DoD methodology:
- You start at a baseline of 110 points — this represents perfect compliance
- Each unmet control deducts 1, 3, or 5 points depending on its security weight. Two 5-point controls, MFA (3.5.3) and CUI encryption (3.13.11), have a reduced 3-point deduction when they are partially in place (for 3.13.11, encryption that is not FIPS-validated)
- Scores can go negative — a contractor starting from scratch with no controls in place scores −203
What your SPRS score means for contract eligibility
- 110, with every requirement assessed as met: Final Level 2 status.
- 88 to 109: Conditional Level 2 status is possible, but only if every open item is one the rule allows on a POA&M. The floor is 88 because the rule requires at least 80% of the 110 requirements to be in place.
- Below 88, or any score with an open item that may not sit on a POA&M: not eligible for award until you pass a new assessment.
One critical rule: POA&M items cannot include any controls weighted at 3 or 5 points. These high-value controls, things like multi-factor authentication, encryption, and incident response, must be fully implemented before or at the time of assessment. You cannot defer them to a POA&M. Two refinements are worth knowing: the rule makes a single exception for CUI encryption (3.13.11) when encryption is in place but not yet FIPS-validated (a 3-point deduction), and it also bars six 1-point requirements from a POA&M regardless of weight: external connections (3.1.20), control of public information (3.1.22), the system security plan (3.12.4), and the physical-access requirements 3.10.3, 3.10.4 and 3.10.5.
POA&Ms: a bridge, not a workaround
A Plan of Action and Milestones (POA&M) documents security controls you haven't fully implemented, the resources needed to fix them, and a remediation schedule. Under CMMC 2.0, POA&Ms allow Conditional Level 2 status — meaning you can still be eligible for contract award even with gaps, as long as your score is at least 88 and those gaps don't involve high-weighted controls.
But POA&Ms are strictly time-limited: every item must be fixed and verified within 180 days of the Conditional status date. For a C3PAO-assessed Level 2, the closeout is verified by a C3PAO closeout assessment, not by your own declaration. If you fail to close all POA&M items within 180 days, your Conditional status expires, and you become ineligible for CUI contracts until you can pass a new assessment.
Do not use POA&Ms as a lazy planning tool. Some contractors are entering Phase 2 planning to achieve Conditional status with a large POA&M and "fix things later." This is a high-risk strategy. 180 days is not much time to remediate multiple complex controls, re-engage a C3PAO for closeout, and maintain contract eligibility throughout. The best approach is to get as close to 110 as possible before your assessment, using a POA&M only for genuinely time-constrained implementations.
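The scoring rules in the SPRS section and the POA&M eligibility rules in this section can be checked mechanically before an assessor does it for you. The following is an added Python example, not code from the original article: it deducts 1, 3 or 5 points per open requirement, applies the 88-point floor, the single partial-credit exception for CUI encryption (3.13.11) and the six 1-point requirements that may never be placed on a POA&M, and reports whether a set of findings yields Final, Conditional or no Level 2 status. The five sample assessments are constructed; the control weights in them are this example's reading of the DoD Assessment Methodology and should be confirmed against that document before you rely on them.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110     # every NIST SP 800-171 Rev. 2 requirement assessed as met
POAM_FLOOR = 88     # 0.8 x 110: minimum score for Conditional Level 2 under 32 CFR 170.21

# CUI encryption (3.13.11) scores a 3-point deduction instead of 5 when encryption is in place
# but not FIPS-validated; in that state it is the one >1-point item allowed on a POA&M.
PARTIAL_CREDIT = {"3.13.11": 3}
# 1-point requirements the rule still bars from a Level 2 POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    control: str   # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int    # 1, 3 or 5 per the DoD Assessment Methodology (confirm against Annex A)
    status: str    # "met", "not_met" or "partial" (partial is modelled here only for 3.13.11)


def deduction(f: Finding) -> int:
    if f.status == "met":
        return 0
    if f.status == "partial":
        if f.control not in PARTIAL_CREDIT:
            raise ValueError(f"{f.control}: no partial-credit rule modelled; use met or not_met")
        return PARTIAL_CREDIT[f.control]
    if f.status != "not_met" or f.weight not in (1, 3, 5):
        raise ValueError(f"{f.control}: bad status {f.status!r} or weight {f.weight}")
    return f.weight


def sprs_score(findings) -> int:
    # findings lists only requirements with a deviation; anything unlisted counts as met
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_allowed(f: Finding) -> bool:
    if f.control in NEVER_ON_POAM:
        return False
    return deduction(f) == 1 or f.status == "partial"


@dataclass
class Level2Result:
    score: int
    status: str                                     # "Final", "Conditional" or "Not eligible"
    blockers: list = field(default_factory=list)    # open items that may not sit on a POA&M


def evaluate_level2(findings) -> Level2Result:
    score = sprs_score(findings)
    open_items = [f for f in findings if deduction(f) > 0]
    if not open_items:
        return Level2Result(score, "Final")
    blockers = [f.control for f in open_items if not poam_allowed(f)]
    if score < POAM_FLOOR or blockers:
        return Level2Result(score, "Not eligible", blockers)
    return Level2Result(score, "Conditional")


# Constructed sample assessments (weights as this example reads the DoD methodology).
SAMPLES = {
    # MFA missing: the score (101) clears the floor, but a 5-point control cannot be deferred
    "mfa_missing": [Finding("3.5.3", 5, "not_met"),
                    Finding("3.13.11", 5, "partial"),
                    Finding("3.1.3", 1, "not_met")],
    # Only POA&M-able items open: 106, Conditional
    "poam_ok": [Finding("3.13.11", 5, "partial"),
                Finding("3.1.3", 1, "not_met")],
    # A 1-point control, but one of the six the rule bars from a POA&M: 108 yet Not eligible
    "external_connections": [Finding("3.1.20", 1, "not_met"),
                             Finding("3.1.3", 1, "not_met")],
    # Five 5-point gaps leave 85, under the 88 floor
    "far_behind": [Finding(c, 5, "not_met") for c in ("3.1.1", "3.1.2", "3.5.1", "3.5.2", "3.5.3")],
    "perfect": [],
}


def evaluate_samples(samples=SAMPLES):
    return {name: evaluate_level2(findings) for name, findings in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:22s} score={result.score:4d} {result.status:13s} blockers={result.blockers}")
```

The "mfa_missing" and "external_connections" cases are the ones that surprise people: a score above 100 still yields no status at all, because eligibility turns on which items are open, not only on how many points they cost. Feed your own gap-assessment output into `evaluate_level2` as a list of `Finding` objects to see which open items you must close before booking, rather than after.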
The C3PAO shortage: the problem no one is talking about loudly enough
Here is the single most underappreciated risk in CMMC 2.0 planning: there are not enough assessors.
The DoD estimates approximately 80,000 contractors need Level 2 C3PAO certification. As of early 2026, fewer than 600 certified CMMC assessors exist, operating through approximately 80 accredited C3PAOs. The DoD's own projections estimate only 135 C3PAO assessments will be completed in year one, growing to 673 in year two and 2,252 in year three.
Do the math: 80,000 contractors, 80 C3PAOs, a November 2026 deadline. C3PAO slots are already booking into late 2026 and early 2027. Wait times are expected to exceed 18 months for new clients by mid-2026. If you have not already contacted a C3PAO, you may not be able to get an assessment slot before the Phase 2 deadline — meaning you could be excluded from contract awards through no fault of your security controls.
Book your C3PAO slot before you are ready. This is counterintuitive but critical. Contact multiple accredited C3PAOs through the CyberAB Marketplace (cyberab.org) now, get on their schedule, then use the time between now and your assessment date to complete remediation. A slot reservation typically requires demonstrating meaningful progress toward compliance — but you do not need to be at 110 to book. Do not wait until you feel "ready" — by then, there may be no slots available.
Your 8-step action plan for CMMC Level 2
Read your contracts today
Search for DFARS clauses 252.204-7021, 252.204-7019, 252.204-7020, and 252.204-7012. Identify whether you handle FCI or CUI. This tells you your required CMMC level and whether you need self-assessment or C3PAO certification.
Scope your CUI environment
Map exactly where CUI flows in your systems, networks, and people. Limiting scope — through network segmentation, CUI enclaves, or cloud-based CUI handling — directly reduces the number of systems that must be assessed and can cut costs by 30–50%.
Run a NIST SP 800-171 gap assessment
Evaluate your current controls against all 110 requirements. Calculate your current SPRS score. Identify which controls are MET, which are NOT MET, and which are partially implemented. This is your baseline — without it you are flying blind.
Build your System Security Plan (SSP)
Document your entire security environment — systems in scope, network architecture, personnel, and how each of the 110 controls is implemented. The SSP is the primary document your C3PAO evaluates. A well-organized SSP significantly reduces assessment duration and cost.
Remediate high-weighted controls first
Prioritize the controls worth 3 and 5 points — these cannot be deferred to a POA&M. They include MFA, encryption, incident response, and access control. Fully implementing these before assessment is non-negotiable for achieving any CMMC status.
Book your C3PAO slot now
Find accredited C3PAOs at cyberab.org. Contact multiple organizations and get on their schedule immediately. You do not need to be at 110 to book — but you need to demonstrate meaningful progress. Waiting until you feel ready will likely mean missing the Phase 2 deadline.
Complete your C3PAO assessment
Your assessor evaluates all 110 controls through document review, interviews, and technical testing. Aim for a score of 110 (Final status). A score of 88–109 gets Conditional status, valid for award, provided every open item is one the rule allows on a POA&M (1-point controls, minus a handful of exclusions) and all POA&M items are closed within 180 days. Prepare your evidence in organized, accessible folders before assessment day.
Affirm compliance annually and maintain continuously
Submit annual compliance affirmations in SPRS. Update your SSP whenever your environment changes. Keep evidence continuously — not just at assessment time. Your C3PAO certification is valid for three years, but ongoing maintenance prevents costly scrambles at recertification.
What CMMC Level 2 actually costs
The DoD's own cost estimates put the total first-year compliance cost at approximately $34,000 to $112,000 for most small to mid-sized defense contractors. Here's what that includes:
- Gap assessment and remediation: $10,000–$60,000 depending on your starting SPRS score and how many controls need to be implemented
- System Security Plan development: $5,000–$15,000 if using a consultant, or significant internal time if done in-house
- C3PAO assessment fees: $15,000–$50,000 depending on your organization's size and the scope of systems assessed
- Compliance tooling: $5,000–$20,000 per year for automation platforms that help with evidence collection and continuous monitoring
The single biggest variable is your current SPRS score. A contractor already at 95+ on their NIST SP 800-171 assessment needs far less remediation investment than one starting at 60 or below. This is why a gap assessment is the first step — without knowing your current score, you cannot accurately budget for what lies ahead.