Uniqcli
Compliance

CMMC in 2026: The Mandate Is Live, But the Queue Is the Problem

The 48 CFR rule armed DoD's award-blocking authority in November 2025. Halfway through 2026, the binding constraint for most contractors isn't passing an assessment — it's getting one scheduled.

Uniqcli Newsroom · · 6 min read

Compliance

The rule the defense industrial base spent years anticipating quietly went live — and 2026 is the year it starts to bite

The CMMC acquisition rule took effect November 10, 2025, giving contracting officers the authority to block award to any offeror without a current CMMC status recorded in SPRS. The sharper question for mid-2026 isn't whether your controls will hold up under assessment. For most contractors handling Controlled Unclassified Information, it's whether they can get an assessment scheduled at all before Phase 2 arrives in November.

Two rules, one that actually blocks the award

There has been persistent confusion about which CMMC rule matters, largely because there are two. The first — the CMMC 2.0 program rule at 32 CFR Part 170 — took effect December 16, 2024. It defines the framework itself: the levels, the assessment methodology, the mechanics of the program. But a framework alone puts nothing into a contract.

The second rule is the one that changed the stakes. Published in the Federal Register on September 10, 2025, and effective 60 days later on November 10, 2025, the acquisition rule amends 48 CFR — the DFARS — to add clause DFARS 252.204-7021 and solicitation provision 252.204-7025. This is the instrument that inserts CMMC as an actual contract requirement.

Under 252.204-7021, a contractor's current CMMC status at the level the solicitation requires, together with a current affirmation of continuous compliance in the Supplier Performance Risk System (SPRS), becomes a precondition of award. The language is unambiguous: contracting officers 'shall not award' to an offeror who lacks it. That phrase, not the framework rule, is what makes 2026 different from every prior year of CMMC anticipation.

The rollout

Four phases, roughly three years — and where you sit right now

DoD structured enforcement as a phased plan so the acquisition system and the assessment ecosystem could absorb it gradually. As of June 2026, the defense industrial base is in Phase 1. Note that DoD reserves discretion throughout: even in Phase 1 it can require full C3PAO certification for select high-priority programs.

Phase 1 — now through Nov 9, 2026

DoD may require Level 1 or Level 2 self-assessment in new solicitations, and retains discretion to demand C3PAO Level 2 certification for select higher-priority contracts even during this window. This is the self-assessment era — but a discretionary one.

Phase 2 — starts Nov 10, 2026

Level 2 C3PAO third-party certification becomes the norm and a condition of award for applicable CUI contracts. This is the deadline most Level 2 contractors are — or should be — working backward from today.

Phase 3 — starts Nov 10, 2027

Level 3 certification requirements begin appearing in applicable solicitations, layering the highest tier onto the programs that handle the most sensitive information.

Phase 4 — Nov 10, 2028

Full implementation. All applicable contracts — including option periods and renewals — carry CMMC requirements. The transition window closes.

Level 1 versus Level 2, in plain terms

The dividing line is the kind of information you touch. CMMC Level 1 applies to contractors handling only Federal Contract Information (FCI). It requires meeting all 15 basic safeguarding practices in FAR 52.204-21, is self-assessed with no third-party assessor, and is scored strictly MET or NOT MET — there is no partial credit and no Plan of Action and Milestones (POA&M) permitted. You complete an annual self-assessment and have a senior official affirm compliance in SPRS. It is entirely within a contractor's own control.

Level 2 is a different order of effort. It applies to contractors handling Controlled Unclassified Information (CUI) and requires implementing all 110 security controls of NIST SP 800-171, assessed against 320 discrete assessment objectives. Depending on the contract, Level 2 can be self-assessed or require a certification assessment conducted by a Certified Third-Party Assessment Organization (C3PAO), recertified every three years with annual affirmations in between. The C3PAO variant is where the scheduling problem lives.

The distinction matters operationally because the two levels sit on opposite sides of the capacity constraint. Level 1 is something a contractor can and should finish this quarter. Level 2 certification is a resource a contractor has to get in line for — potentially many months before a solicitation forces the issue.

1%

of defense contractors reported being fully prepared for a CMMC audit (CyberSheath, Oct 2025) — down from 4% and 8% in prior waves

73%

lack multi-factor authentication; 78% lack patch management; 79% lack a vulnerability management solution

69% vs 30%

claim DFARS/NIST 800-171 compliance versus those who completed a medium- or high-confidence assessment validating it

~270

organizations held final CMMC certificates as of late August 2025, against 80,000-plus estimated to need Level 2

The readiness gap is real — and so is the bottleneck behind it

CyberSheath's fourth annual State of the DIB report, released around October 1, 2025, found that only 1 percent of defense contractors considered themselves fully prepared for a CMMC audit — a figure that has fallen from 4 percent and 8 percent in earlier waves, even as enforcement began. The underlying control gaps are specific and consequential: 73 percent lack multi-factor authentication, 78 percent lack patch management, 79 percent lack a vulnerability management solution, and 74 percent lack data-leakage protection. The same survey exposed a compliance-theater problem worth naming plainly — 69 percent claim DFARS/NIST 800-171 self-assessment compliance, but only 30 percent had completed a medium- or high-confidence assessment that actually validates the claim.

That gap between claimed and demonstrated posture is one problem. The assessment capacity to close it is a second, arguably harder one. The math is stark. Industry sources through 2026 count somewhere in the range of the high-60s to roughly 100 authorized C3PAOs nationally. As of the February 2026 Cyber AB Town Hall, 748 individuals were credentialed as Certified CMMC Assessors — against the 2,000 to 3,000 that analysts estimate full Phase 2 demand will require. The Pentagon's own estimates put the total affected supply chain at roughly 220,000 to 300,000 companies, with commonly cited figures of 80,000 to as high as 118,000 needing Level 2 certification specifically. (These counts vary by source; DoD has not published a single definitive number.)

Set those figures side by side and the practical risk for most of 2026 reframes itself. Industry sources reported C3PAO scheduling lead times of roughly 3 to 12 months even before Phase 2 demand began tightening, with some analysts projecting backlogs stretching to 24 to 30 months by late 2026. For a contractor whose award eligibility depends on holding a current certificate, the binding constraint is no longer 'can I pass' — it's 'can I get on the calendar in time.'

Do this now

Two tracks, two entirely different urgencies

The right move in mid-2026 depends on which side of the FCI/CUI line you sit on. Level 1 contractors have no capacity excuse. Level 2 contractors are racing a queue.

  • FCI-only (Level 1): complete your self-assessment against all 15 FAR 52.204-21 safeguarding practices — remember, it is MET/NOT MET with no POA&M, so every practice has to be genuinely in place.
  • FCI-only (Level 1): have a senior official submit the affirmation of continuous compliance in SPRS, and set a calendar reminder to renew it annually. There is little excuse to be behind on this at this point in the rollout.
  • CUI-handling (Level 2): get your System Security Plan (SSP) in order now, and stand up the specific controls the DIB data shows are most often missing — MFA, patch management, and vulnerability management.
  • CUI-handling (Level 2): get on a C3PAO's calendar today rather than waiting for a solicitation to force the issue. With lead times measured in months and backlogs projected to grow, scheduling is the long pole.
  • CUI-handling (Level 2): build out your POA&M for any control you cannot yet fully meet, and validate your NIST 800-171 self-assessment at medium or high confidence so your SPRS score reflects reality, not aspiration.
  • Both tracks: watch GSA's separate move toward CMMC-like cybersecurity requirements for civilian-agency contracts — a distinct second regime that contractors selling beyond DoD will need to track.

Questions contractors are asking in 2026

Do I need CMMC Level 2 C3PAO certification right now, in mid-2026, or can I still self-assess?

It depends on what's in your specific contract or solicitation. Through Phase 1 (which runs until November 9, 2026), DoD generally allows Level 1 and Level 2 self-assessment for most new contracts, but retains discretion to require full C3PAO third-party certification immediately for select higher-priority Level 2 programs. Starting Phase 2 (November 10, 2026), C3PAO certification becomes the norm for applicable Level 2/CUI contracts. Check the specific solicitation language and your contracting officer — don't assume self-assessment will suffice if you're bidding on higher-priority DoD work.

If I only handle Federal Contract Information (FCI), not Controlled Unclassified Information (CUI), what do I actually have to do?

You fall under CMMC Level 1, which is self-assessed — no C3PAO needed. You must meet all 15 basic safeguarding practices from FAR 52.204-21, score your self-assessment as MET in its entirety (no partial credit or POA&M is allowed at Level 1), and have a senior company official submit an affirmation of continuous compliance in SPRS annually. This is achievable without outside certification, and there's little excuse to be behind on it at this point in the rollout.

I handle CUI and need Level 2 certification — how far in advance should I be scheduling a C3PAO assessment?

As early as possible. Industry sources reported roughly 3-12 month scheduling lead times with C3PAOs even before Phase 2 enforcement began tightening demand, and some analysts project backlogs could stretch to 24-30 months by late 2026 as the November 2026 deadline approaches. With fewer than 100 authorized C3PAOs and under 1,000 credentialed assessors nationally against tens of thousands of companies needing certification, waiting until a contract explicitly requires it is a real risk to your award eligibility — get your System Security Plan (SSP) in order and get on a C3PAO's calendar well before you expect to need the certificate.

Ready to scope your program?

Talk to a Uniqcli engineer, or send a bill of materials for a TAA-verified quote — no payment up front.