Self-assessment is ending. From November 10, 2026, if you want to bid on a DoD contract that touches Controlled Unclassified Information, a Certified Third-Party Assessor will need to look at your security program and agree it holds up.
If your certification lapses mid-contract, the contract could go with it.
Most companies in the Defense Industrial Base know this is coming. But have you done the math on what “coming” means in working days? Have you looked at your renewal calendar and worked out which of your existing contracts are about to renew into the new requirement?
If not, it’s time to act.
For years, DoD compliance for most contractors meant signing an annual document that said “yes, we meet the requirements.” That document went into a folder. Nobody checked.
CMMC 2.0 ends that. It introduces a new Level 2 requirement.
Level 1 is an annual self-assessment. It covers basic cyber hygiene for companies handling Federal Contract Information only. If that’s all you touch, you’re not in scope for Level 2.
Level 2 is the triennial C3PAO assessment that applies if you handle CUI. All 110 controls must be evidenced under assessor questioning. This is where most of the Defense Industrial Base sits.
For Level 2, you’ll need a formal assessment by a Certified Third-Party Assessor Organization (a C3PAO). They will:
Pass, and you’re certified for three years. Fail, and you’re not bidding on Level 2 contracts until you’ve fixed what they found and gone back through the process.
If you’re not sure whether CMMC Level 2 requirements apply to you, the fastest way to check is to ask yourself:
Do you, or anyone you work with, touch CUI (Controlled Unclassified Information)?
CUI shows up in places people don’t always recognize as “controlled,” including:
Anything marked CUI, anything that should have been marked CUI, and anything you reasonably know to be CUI even if the marking is missing.
Tier 2 and Tier 3 suppliers to defense primes almost certainly handle it.
So do precision machinists working aerospace components, electronics suppliers feeding avionics, ammunition and weapons manufacturers, body armor producers, and businesses with ITAR-controlled exports.
Any contract from your prime that includes DFARS clauses 7012, 7019, 7020, or 7021 puts CUI in scope by definition.
When in doubt, assume Level 2 applies. Assuming you’re out of scope and being wrong is the expensive direction.
If you’re still unsure, our free 60-minute CMMC readiness workshop will help assess your obligations and give you a clear understanding of your position.
CMMC Level 2 phase-in is already underway.
CMMC clauses are showing up in DoD RFPs and contracts now, with more appearing each quarter. By late 2026 the proportion will be high enough across new and renewing contracts that uncertified suppliers in CUI-handling roles will see their addressable pipeline shrink in a way they can measure on a spreadsheet.
Beyond 2026, “uncertified” will likely mean “uncompetitive”.
If your contract base renews on a one- or two-year cycle, the math gets concrete fast. The next renewal you face after the requirement lands in your contract vehicles is the one that decides whether you stay in.
A C3PAO doesn’t grade your intent. They grade the evidence that controls have been in place long enough to leave a trail. Evidence like:
The common denominator? They look for evidence of implementation over time.
For a typical mid-market starting point – some controls in place, an MSP doing some of the work, an SSP that may or may not match what’s deployed – getting assessment-ready can easily be a 12-to-18-month exercise.
A common mistake is to confuse 12 to 18 months of consulting effort with 12 to 18 months of program maturity. They’re not the same thing. The clock can’t be compressed by hiring more help or paying more money. Your assessor needs to see that controls are operational and have been in place long enough to demonstrate consistency, and there’s only one way to produce that.
Working back from late 2026, companies starting today are inside the window. Companies starting in six months may not be.
The most direct cost is contract eligibility. If a solicitation requires Level 2 and you don’t have it, you can’t respond, whether the contract is worth $50,000 or $5 million. Every RFP you can’t answer is handed to a competitor.
Flow-down sits behind that. Primes are contractually obligated to push certification requirements down to suppliers, and they don’t have discretion to make exceptions because a relationship is twenty years old.
If a prime you depend on signs a Level 2 contract, you’ll definitely need to show Level 2 CMMC compliance.
Mid-contract risk is the slowest to surface and often the most painful when it does. A contract you currently hold, renewing into a Level 2 requirement on a date you’ve already agreed to, falls out from under you if you’re not certified by that date. Some primes may work with you. Some won’t be allowed to.
Add it up across your covered contract base, and what looks like a compliance line item is the revenue question for the next three years.
Are those costs – or risks – worth taking?
If CMMC Level 2 might affect your business, find out exactly where you stand today… and determine what you need to do about it.
Whatever a CMMC assessor is going to conclude about your program, you’d rather know now, while there’s time to do something with the answer.
Our free 60-minute CMMC Readiness Workshop will help.
It’s a working session, not a sales pitch. In 60 minutes, you’ll know:
You’ll also walk away with a clear direction, a realistic ROM estimate for cost and a timeline range to plan around.
Be ready for CMMC Level 2, and get clear on certification pathways.