
CMMC 2.0 in 2026: What Defense Contractors Actually Need to Do Now

CMMC 2.0 enforcement started phasing in during late 2025. If you sell to the DoD — or to anyone who does — here's what the three levels mean and what you need to have in place.

April 24, 2026 | 11 min read | Standardful Team

If you sell to the US Department of Defense — or you sell to anyone who sells to the DoD — CMMC 2.0 has probably been on your radar for a while. The final rule (32 CFR Part 170) was published in October 2024 and took effect in December 2024. Phased enforcement through DFARS clause 252.204-7021 started in late 2025, and by 2028 it will be a contract requirement across essentially the entire defense industrial base.

That "phased" word does a lot of heavy lifting. Some contractors are already seeing CMMC requirements in new contracts. Others won't see them for another year or two. A lot of small subcontractors are discovering they're in scope when their prime contractor calls them to discuss flow-down requirements. And almost everyone is underestimating the effort.

Here's where things actually stand in 2026 and what you need to be doing.

What CMMC 2.0 Is (and Isn't)

CMMC stands for Cybersecurity Maturity Model Certification. It's the Department of Defense's answer to a persistent problem: information shared with defense contractors keeps getting stolen, often from smaller companies with weaker security than the primes.

CMMC 2.0 replaces the original CMMC 1.0 framework that was announced in 2020, went through two years of chaos, and was rolled back in favor of a simpler three-tier model. The simpler version is what's being rolled out now.

Three levels:

  • Level 1 (Foundational) — 15 basic cybersecurity practices drawn from FAR 52.204-21. Annual self-assessment. For contractors handling only Federal Contract Information (FCI), not Controlled Unclassified Information (CUI).
  • Level 2 (Advanced) — All 110 controls from NIST SP 800-171. Triennial assessment by a Certified Third-Party Assessor Organization (C3PAO), with some exceptions allowed for annual self-assessment. For contractors handling CUI.
  • Level 3 (Expert) — All 110 NIST 800-171 controls plus a selected subset of enhanced controls from NIST SP 800-172. Triennial government-led assessment by DIBCAC. For contractors handling the most sensitive CUI associated with the DoD's critical programs.

The vast majority of defense contractors — by some estimates 220,000+ — need Level 2. Primes and large subcontractors with sensitive programs need Level 3. Small vendors providing commercial items without access to CUI need Level 1.

The Scope Question That Catches Everyone

The most common mistake I see is contractors assuming CMMC doesn't apply to them because they "don't really handle CUI." Then they look at their systems and discover that yes, they do — they just didn't realize the emails, specs, drawings, and project files they'd been working with were actually CUI.

Here's the rule: CMMC applies whenever you process, store, or transmit CUI or FCI for the DoD. Not just classified information. Not just sensitive documents. The moment a DoD customer shares covered information with you — even incidentally — you're in scope.

CUI includes (but isn't limited to):

  • Technical data and specifications
  • Engineering drawings and schematics
  • Manuals and technical documents
  • Software source code developed under contract
  • Test results and research data
  • Certain contract information beyond what's in FCI

If you've been emailed a PDF with "Controlled Unclassified Information" marked on it, you're handling CUI. If you've been given access to a DoD file share, portal, or system, you're handling CUI. If your engineering team is working on parts for a weapons system and receiving technical data from the prime, you're handling CUI.

The scoping exercise matters because it determines your CMMC level and, just as importantly, which of your systems are in scope for assessment. Most contractors separate their CUI environment from their corporate IT to minimize the assessment footprint. That's often called a "CUI enclave" — a set of systems dedicated to handling covered information, isolated from general business operations.

Why NIST 800-171 Is the Real Work

CMMC Level 2 is essentially an assessment against NIST SP 800-171 Rev 3, published in May 2024. The 110 controls fall into 17 families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity
  • Planning
  • System and Services Acquisition
  • Supply Chain Risk Management

For most small and mid-sized contractors, this is a significant program. You're implementing multi-factor authentication across all systems handling CUI, full disk encryption, SIEM logging and monitoring, incident response plans, configuration baselines, vulnerability management, and a lot more.

Notably, the DoD introduced Rev 3 of NIST 800-171 in 2024, which changed the control set from 110 controls in Rev 2 to a reorganized and somewhat expanded set. CMMC 2.0 currently references Rev 2, but the transition to Rev 3 is expected in subsequent rule updates. Don't build only to Rev 2 and assume you're done.

A System Security Plan (SSP) is mandatory — you have to document how you implement each of the 110 controls. Most contractors realize pretty quickly that their existing IT documentation doesn't cover this in the required depth.

The FedRAMP Wrinkle for Cloud Services

If you use cloud services to handle CUI, those services must meet FedRAMP Moderate equivalence (or higher). That's a real requirement, not a suggestion. Microsoft 365 GCC High, AWS GovCloud, Google Workspace Assured Workloads — these are the cloud environments that are actually set up to handle CUI compliantly.

The DoD has been specific that commercial Microsoft 365 and commercial cloud services generally do NOT meet the bar. Several high-profile assessment failures in 2024 and 2025 came down to contractors using standard commercial cloud tools for CUI.

This is often the biggest cost driver. Moving from commercial Microsoft 365 to GCC High is a non-trivial migration — it's roughly 2-3x the license cost per user, plus migration effort, plus the operational complexity of a more restricted environment.

How Assessment Actually Works

For Level 2 certification, the assessment process goes like this:

  1. Self-assessment and SPRS score submission. Before your C3PAO shows up, you must submit a System Security Plan and a SPRS (Supplier Performance Risk System) score of 110 (maximum). If you score lower, you have a Plan of Action and Milestones (POA&M) documenting how you'll close the gaps. Certain controls cannot be POA&M'd.
  2. Pre-assessment readiness check. Most contractors engage a consultant to run a gap assessment and help remediate before the formal C3PAO assessment. This is strongly recommended — the first attempt is expensive, and failing is more expensive.
  3. C3PAO assessment. Your Certified Third-Party Assessor Organization reviews evidence for all 110 controls. This typically takes 4-8 weeks for a mid-sized environment. Assessors interview staff, review system configurations, examine documentation, and observe controls in operation.
  4. Remediation (if needed). If you fail controls, you have 180 days to remediate and re-assess those specific items without redoing the whole assessment.
  5. Certification. Valid for three years with annual affirmations from a senior company official.

Costs vary widely based on scope. For a mid-sized contractor with a well-scoped CUI enclave, expect $40K-$150K for the C3PAO assessment itself, plus significantly more for consulting and remediation costs. The first-time total budget is often $200K-$500K. Ongoing annual costs drop substantially but aren't trivial.

The Timeline That Matters

CMMC 2.0 is rolling out in phases over three years from the rule's effective date (December 2024):

  • Phase 1 (December 2024 - December 2025): Self-assessments at the applicable level required for certain new contracts at DoD discretion.
  • Phase 2 (December 2025 - December 2026): C3PAO assessments required for applicable new contracts; Level 1 and Level 2 self-assessments still allowed for some.
  • Phase 3 (December 2026 - December 2027): Level 2 C3PAO assessments required; Level 3 assessments phased in.
  • Phase 4 (December 2027 onwards): Full implementation across DoD acquisitions.

The practical implication: if you're going after a new DoD contract in 2026, you need to be actively working toward Level 2 now. The assessment capacity is limited — there aren't enough C3PAOs to handle the wave of demand, and you cannot book an assessment in the month before your contract requires it.

Where CMMC Intersects with Other Compliance

Good news if you've already invested in other security programs:

  • ISO 27001 — maps to roughly 80% of NIST 800-171 controls. Not identical, but the work is highly reusable.
  • NIST CSF 2.0 — conceptually aligned; CSF is the broader framework, while 800-171 is a specific control set. Running both in parallel is straightforward.
  • FedRAMP Moderate — effectively mandatory for cloud providers serving DoD contractors handling CUI. Also maps to NIST 800-53, which is the parent control set for 800-171.
  • SOC 2 — less direct overlap, but the general discipline around documented controls, access management, and monitoring translates.

If you've done none of these and you're starting from scratch, plan for 9-18 months to CMMC Level 2 readiness. If you're already ISO 27001 certified, you can probably do it in 3-6 months.

The "I'm a Subcontractor" Conversation

If you're a subcontractor, you might be hoping the prime's compliance will shield you. It won't. DFARS 252.204-7012 and the forthcoming DFARS 252.204-7021 require flow-down to subcontractors that handle covered information. Your prime is required to ensure you're at the appropriate CMMC level. If they don't, their contract is at risk — which means yours is at risk.

In 2024 and 2025, several primes started quietly dropping subcontractors who couldn't demonstrate a path to CMMC compliance. This trend is accelerating. If you've been operating under "my prime will handle it," this is the year to have a direct conversation.

What to Do in 2026

If you're seriously in scope for CMMC Level 2 and haven't started:

  1. Scope your CUI environment this quarter. Figure out what data you actually handle and which systems touch it. This is the single most impactful first step.
  2. Move CUI into an enclave. Reduce your assessment footprint. Separate CUI handling from general corporate IT.
  3. Get on FedRAMP-equivalent cloud. If you're using standard commercial Microsoft 365 or commercial cloud services for CUI, start that migration now.
  4. Do a formal NIST 800-171 gap assessment. Your internal IT team is probably missing things. A good gap assessment finds them.
  5. Engage a C3PAO early. Availability is the rate limiter. Get on their schedule even before you're ready, because lead times are measured in months.
  6. Use the overlap with your existing frameworks. If you have ISO 27001 or a mature NIST CSF 2.0 program, leverage it. Don't rebuild from scratch.

The DoD made CMMC harder because the threat environment got harder. The companies that will thrive in the defense industrial base over the next decade are the ones that treat security as part of their product, not a compliance tax. The ones that try to check the box and move on are going to keep having bad quarters.

References

  1. 32 CFR Part 170 — CMMC Program Rule — Department of Defense (October 2024)
  2. NIST SP 800-171 Rev 3 — National Institute of Standards and Technology (May 2024)
  3. CMMC Program Portal — DoD Chief Information Officer
  4. Cyber AB — CMMC Accreditation Body — Official CMMC Accreditation Body