April 15, 2026 · 6 min read

CMMC Is No Longer a Future Problem — It's a Contract Problem

CMMC Phase 1 is active. Phase 2 mandatory C3PAO certification is seven months away. What defense contractors need to understand and do right now.

Tags: CMMC, DIB, Compliance, NIST 800-171

If your organization handles Controlled Unclassified Information (CUI) under a DoD contract, CMMC is no longer a regulatory horizon you can monitor from a distance. It is in contracts today. Mandatory third-party certification requirements take effect in November 2026. And the organizations that are moving now are not being cautious — they are protecting future revenue.

Here is what you need to understand.

What CMMC Actually Is

The Cybersecurity Maturity Model Certification is the DoD's framework for verifying that defense contractors are adequately protecting sensitive government information. After years of self-reported compliance that was rarely verified, the DoD concluded that the honor system was not working. CMMC replaces self-attestation with assessed, certified compliance for organizations handling CUI.

The framework has three levels:

Level 1 covers organizations handling Federal Contract Information (FCI) — basic administrative and logistical data. It requires 17 foundational practices and allows annual self-assessment. Most prime contractors and larger subcontractors are well past this.

Level 2 is where the vast majority of the DIB sits. It applies to any organization handling CUI — design data, technical specifications, controlled technical information, export-controlled data. Level 2 requires all 110 security practices from NIST SP 800-171 Rev 2. Starting November 2026, it requires a certified third-party assessment by an authorized C3PAO.

Level 3 applies to organizations supporting critical DoD programs and requires an additional 24 practices drawn from NIST SP 800-172, assessed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The Timeline Is Not a Drill

The 32 CFR final rule took effect December 2024. The 48 CFR acquisition rule — the mechanism that actually puts CMMC requirements into contracts — went into effect November 10, 2025. That means contracting officers can require CMMC compliance in new solicitations right now, and many already are.

Phase 2, which makes Level 2 C3PAO certification mandatory for most contracts involving CUI, begins November 10, 2026. That is seven months from the date of this post.

Most organizations need 6 to 18 months to prepare for a Level 2 assessment. The math is straightforward: if you have not started, you are already behind for a November 2026 requirement.

There is a capacity problem compounding the timeline pressure. Roughly 100 authorized C3PAOs currently serve an estimated 118,000 organizations that need Level 2 certification. Many are already booked through the end of 2026. Waiting until a requirement shows up in your next solicitation means the assessment capacity you need may not be available when you need it.

The Part Most Organizations Are Getting Wrong

CMMC Level 2 is not a checkbox exercise. It is not a policy review. It is not something your IT person can knock out in a week between other projects.

It requires verified implementation of 110 security controls across 14 domains — access control, incident response, audit and accountability, system and communications protection, and more. Each control requires not just implementation but documented evidence that it is working as designed. That evidence is what a C3PAO assessor evaluates.

Fewer than 50% of DIB organizations have completed foundational documentation like a System Security Plan (SSP) or Plan of Action and Milestones (POA&M), or have implemented all NIST 800-171 requirements. The SSP alone — a comprehensive document describing how each of the 110 controls is implemented in your environment — is a significant undertaking for organizations doing it for the first time.

The organizations that treat CMMC as a documentation project invariably discover during gap assessment that their actual security posture does not match what their policies describe. Closing those gaps takes time, budget, and organizational attention that cannot be compressed indefinitely.

What You Need to Do

If you are a defense contractor handling CUI and you have not started CMMC preparation, the sequence is:

Start with a gap assessment. Understand where you actually stand against the 110 controls — not where you think you stand. Be honest about partial implementations. Map your CUI boundary: which systems touch, store, process, or transmit CUI determines your assessment scope.

Build or update your SSP. The System Security Plan is both a required deliverable and a forcing function. Writing it reveals gaps. Do not let this document become aspirational — it should describe your current state, with a POA&M capturing what is not yet implemented and your plan to close it.

Remediate the high-risk gaps. Access control, multi-factor authentication, audit logging, and incident response capability are consistently the areas with the widest gaps and the highest assessor scrutiny. Address these first.

Engage a C3PAO early. Assessment scheduling is constrained. If you need certification for a contract award or recompete in 2026, identify your C3PAO and begin pre-assessment planning now.

The Subcontractor Problem

Prime contractors are increasingly flowing CMMC requirements down to subcontractors. If you handle CUI on behalf of a prime — even as a small supplier of technical components or engineering services — your prime's CMMC compliance may depend on your compliance. Expect to see contractual requirements for CMMC certification appearing in subcontract agreements regardless of your direct relationship with the DoD.

This is not hypothetical. Primes who fail a C3PAO assessment due to a subcontractor's security posture have contractual recourse against that subcontractor. The liability is real and it flows in both directions.

The Competitive Dimension

CMMC compliance is increasingly a competitive differentiator in the DIB. Organizations that achieve Level 2 certification before it is required can truthfully advertise that they are assessment-ready — which matters to primes evaluating suppliers and to contracting officers awarding discretionary contracts.

The organizations waiting for a requirement to force their hand will be competing for limited C3PAO capacity alongside hundreds of other organizations in the same position. The organizations acting now will have their certification in hand before the deadline pressure hits.

Parallax Risk & Security provides end-to-end CMMC Level 2 and Level 3 readiness programs for defense contractors — from initial gap assessment through SSP development, remediation, and C3PAO audit preparation. If you are evaluating where to start, our free security self-assessment provides a directional indicator of your current posture against NIST SP 800-171.

Ready to discuss your CMMC timeline? Get in touch.
