CMMC Compliance: Everything Defense Contractors Need to Know in 2026

CMMC compliance is now a condition of winning Department of Defense contracts, with enforcement rolling out in phases through 2028. Phase 1 is active now, and Phase 2 mandates third-party certification beginning November 10, 2026. Most contractors handling defense technical data need Level 2, which requires 110 security controls and takes 18–24 months to implement from scratch. If you're starting today, you need expert help to compress that timeline and protect your contract eligibility.

Introduction

As you open a new solicitation from a prime contractor, the early excitement you feel quickly fades into confusion and panic. Somewhere in the requirements, buried between contract terms and performance expectations, you see it:

“DFARS 252.204-7021. CMMC Level 2 required for award.”

Maybe you've heard the acronym. Maybe you've been meaning to look into it. But now it's in writing, tied to a contract you need, and the clock is running.

You're not alone. The majority of defense contractors are in this exact position and many are looking to make up for lost ground.

This guide is built for you, the new defense contractor who’s late to the game and looking for answers and help along the way. We’ll break down what CMMC is, what each level requires, where you stand in the enforcement timeline, and what it realistically takes to get certified.

What Is CMMC Compliance?

CMMC (Cybersecurity Maturity Model Certification) is a Department of Defense framework that requires defense contractors to meet verified cybersecurity standards based on the type of information they handle. It has three levels tied to data sensitivity, and as of November 10, 2025, it is a contractual condition of award for applicable DoD solicitations.

The program was created because DoD sensitive information was repeatedly compromised through defense contractor networks. For years, contractors self-reported their implementation of NIST SP 800-171 under DFARS 252.204-7012, with no independent verification. That era is over. CMMC replaces unverified self-attestation with structured assessment scored against a published methodology and, for most contracts involving CUI, mandatory third-party certification.

Every DoD solicitation that involves the processing, storage, or transmission of Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will now specify the exact CMMC level required for the contractor's information systems. Your CMMC status must be reflected in your Supplier Performance Risk System (SPRS) profile before you can win an award.

This applies to prime contractors and their entire supply chain. If you're a subcontractor, your prime is now responsible for verifying your compliance before flowing down any CUI to you.

Which Level of CMMC Compliance Do You Need?

If you handle only FCI (contract-related data not intended for public release) you need Level 1. If you handle CUI, which includes defense technical data, engineering specifications, export-controlled information, proprietary designs, or personnel data tied to government contracts, you need Level 2.

CMMC Compliance Levels

Here's the catch: many contractors discover they need Level 2 only after assuming Level 1 would be sufficient. If your work touches defense technical data, engineering specs, proprietary designs, or personnel data tied to government contracts, you are almost certainly handling CUI and need Level 2.

The distinction matters enormously. Level 1 is typically achievable in a few months. Level 2 can take up to two years. Getting this wrong from the start is one of the most expensive mistakes a contractor can make.

If you're unsure which category applies to your work, the answer is almost always Level 2. The types of information that trigger CUI designation are broad, and prime contractors like Lockheed Martin and Boeing are already pushing their entire supply chains toward Level 2 certification regardless of what the contract language technically requires.

What Level 1 Requires

Level 1 applies to contractors handling only FCI. It requires 15 basic cybersecurity controls drawn from FAR 52.204-21, covering:

  • Access control
  • Identification and authentication
  • Media protection
  • Physical protection
  • System and communications protection
  • System integrity

You complete an annual self-assessment, record the result in your SPRS profile, and a senior official affirms continuing compliance each year. No third-party assessor is required. One caveat practitioners often miss: Level 1 does not allow a Plan of Action and Milestones (POA&M). All 15 requirements must be fully met before you can report a compliant status.

For most organizations starting from a reasonable baseline, Level 1 takes one to three months to achieve and typically costs between $15,000 and $30,000 in the first year, including any technology gaps that need to be addressed.

Level 1 is manageable, but your SPRS profile must still show a current, accurate CMMC status. Contracting officers are checking, and bids are being rejected when SPRS profiles don't reflect a current compliant status.

What Level 2 Requires

Level 2 is a different category of effort. It applies to contractors handling CUI and requires meeting all 110 security controls specified in NIST SP 800-171, organized across 14 security families:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Level 1 touches six of these families at a basic level. Level 2 goes significantly deeper into all six, and adds eight entirely new families that Level 1 contractors never have to address.

The assessment itself must be conducted by a Certified Third-Party Assessment Organization (C3PAO) as of November 10, 2026. Self-assessment is no longer accepted for most Level 2 contracts after that date. The C3PAO assessment covers document review, staff interviews, and technical testing. Certification is valid for three years, with annual affirmation of continuous compliance required each year in between.

First-year costs for Level 2 typically range from $70,000 to $250,000 or more, depending on your organization's size and starting security posture.

The Enforcement Timeline: Where You Stand Right Now

CMMC enforcement is rolling out in four phases through November 2028. Phase 1 is active now. Phase 2 mandatory C3PAO certification begins November 10, 2026. If you haven't started your preparation, you are already behind the Phase 2 deadline.

Here's what each phase means in practice:

Phase 1 — November 10, 2025 (Active Now)

The solicitation provision DFARS 252.204-7025 (with the matching contract clause 252.204-7021) now appears in applicable DoD solicitations. Bids are rejected if your SPRS profile doesn't reflect the required current status. Level 1 self-assessment is required for FCI contracts. Level 2 self-assessment is required for CUI contracts.

DoD contracting officers may require C3PAO third-party certification immediately at their discretion. Approximately 65% of the Defense Industrial Base is affected during this phase. Prime contractors including Lockheed Martin, Boeing, and Northrop Grumman are already issuing supply chain compliance directives independent of contract language.

Phase 2 — November 10, 2026

Self-certification for Level 2 ends for most CUI work. DoD intends to require Level 2 (C3PAO) certification in applicable solicitations from this point, reserving Level 2 (Self) for contracts it specifically designates. Your SPRS profile must reflect a current Level 2 certification before bids are accepted.

A conditional certification is only available if your assessment scores at least 80% (88 of 110) and every open POA&M item is a 1-point requirement under the DoD Assessment Methodology; the higher-weighted 3- and 5-point requirements cannot be deferred. Open POA&M items must then close within 180 days or the conditional certification expires. Any organization handling CUI that hasn't started preparation is already behind this deadline. C3PAO assessment backlogs are currently running 6–12 months. Scheduling now is necessary, not optional.

Phase 3 — November 10, 2027

Level 2 C3PAO certification is now required for option period exercises on existing contracts, not just new awards. Previously awarded contracts come under CMMC scope when options are exercised. This effectively closes the last remaining path for non-certified organizations to maintain existing DoD work.

Phase 4 — November 10, 2028

Full enforcement. Every applicable contract requires certification, with no exceptions and no grandfathered contracts. Prime contractors must verify and document CMMC status of all subcontractors before flowing down CUI. Compliance becomes a permanent operational requirement.

The urgency is real. Only an estimated 200 defense contractors had completed C3PAO assessments as of early 2026, while approximately 80,000 need Level 2 certification. The gap between supply and demand for assessors is significant.

How Long Does Level 2 Certification Take?

Level 2 CMMC certification takes 18–24 months from scratch. For organizations starting today, the Phase 2 deadline of November 10, 2026 is already past the standard implementation window. That doesn't mean certification is impossible, but it does mean you need experienced help to compress timelines and prioritize correctly.

Here's a realistic breakdown of the path:

Gap Assessment (Months 1–2)

Identify all systems that touch CUI or FCI. Score your current posture against NIST SP 800-171 using the DoD Assessment Methodology: start at 110 and subtract 1, 3, or 5 points for each requirement not fully implemented, depending on its weight. Produce a System Security Plan (SSP), which is itself a NIST SP 800-171 requirement (3.12.4), and a Plan of Action and Milestones (POA&M). This phase sets the foundation for everything that follows.

Scope Reduction (Months 2–3)

Isolate CUI to a defined enclave rather than treating your entire network as in-scope. This single step can reduce implementation cost and timeline significantly. Most organizations skip it and pay for it later. The enclave boundary has to be documented, not just drawn: the CMMC scoping guidance expects you to categorize every asset (CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets), and an assessor will test the boundary controls that keep CUI from leaking into the rest of the network. Remember also that any cloud service provider that stores or processes your CUI must meet FedRAMP Moderate or equivalent under DFARS 252.204-7012.

Remediation Planning (Months 3–5)

Build a remediation roadmap. Prioritize the highest-risk gaps and begin procurement and deployment of required tools and configurations.

Control Implementation (Months 5–17)

Implement all 110 controls across 14 families. This is the core of the certification process and accounts for 65–75% of total project time and cost.

Pre-Assessment Validation (Months 17–19)

Internal review and mock assessment to confirm controls are implemented, documented, and provable. Documentation quality can make or break your assessment outcome with a C3PAO.

C3PAO Assessment (Months 19–24)

Formal third-party assessment involving document review, staff interviews, and technical testing. Typically costs $35,000–$75,000. Conditional certifications must close all open POA&Ms within 180 days. Certification is valid for three years with annual affirmation required.

The reality is simple: if you handle CUI and are starting today, you're already behind the Phase 2 deadline and need a partner who can help you move faster than the standard timeline. Our fractional IT department model is built for exactly this: embedded, focused, and accountable to your timeline, not a generalist help desk.

What Happens If You're Not Compliant?

Without a current CMMC status at the required level reflected in your SPRS profile, your bids will be rejected outright. DoD contracting officers are now required to verify CMMC compliance before contract award. There is no workaround and no grace period for contracts that specify a CMMC level.

The downstream effects compound quickly. Prime contractors are auditing their entire supply chains right now. If you can't demonstrate CMMC readiness, primes will remove you from consideration before a solicitation even reaches you.

Phase 3 in November 2027 adds another layer: even existing contracts come into scope when option periods are exercised. That means contractors who have been coasting on existing work without pursuing certification will face a hard stop when their contracts come up for renewal.

For subcontractors, the exposure is double. Under the DFARS 252.204-7021 flowdown, your prime must confirm that you hold the required CMMC status before awarding you any subcontract involving FCI or CUI. Primes who can't verify your status will simply stop sending you CUI, which often means stopping work with you entirely.

The math is straightforward. The cost of compliance is significant but bounded. The cost of losing DoD contract eligibility is open-ended. Our team at TMGC has helped manufacturers and defense contractors work through this tradeoff, and CMMC preparation is now central to nearly every engagement.

How TMGC Helps Defense Contractors Get Compliant

TMGC has been supporting defense contractors and manufacturers in the Denver Metro area for over 25 years. As a veteran-owned business, we approach this the same way we approach every client relationship: as a real partner, not a vendor who disappears after the paperwork is done.

Our fractional IT department model means we operate as an embedded extension of your team throughout the compliance process, from initial gap assessment through C3PAO preparation and beyond.

What that looks like in practice:

  1. We start with an honest assessment of where you stand against NIST SP 800-171. We help you identify which systems touch CUI, scope your environment correctly, and build a realistic POA&M that prioritizes the controls most likely to affect your assessment outcome.
  2. We then work alongside your team to implement the technical controls, build the documentation your C3PAO will need, and prepare your staff for the assessment process itself.
  3. Our flat-rate pricing model means you know exactly what you're committing to. No surprise invoices when a project runs long, no nickel-and-diming for every support ticket. For a process as long and complex as Level 2 certification, cost predictability matters.

Our compliance management services cover CMMC alongside FINRA, HIPAA, and other industry-specific requirements, which matters for contractors who serve multiple regulated industries or who have compliance obligations beyond CMMC itself.

If you handle CUI and haven't started your CMMC preparation, the time to act is now. The Phase 2 deadline is November 10, 2026, C3PAO backlog wait times are already stretching 6–12 months, and the standard implementation timeline is 18–24 months. Every week of delay narrows your options.

Reach out to our team and let's figure out where you stand and what it takes to get you to your next level of compliance!