USFCR Blog

CMMC in 2026: What Actually Changed From Last Year

Written by Kyle Hayes | Jan 29, 2026 5:57:30 PM

A lot of teams treated 2025 like a warm-up lap. Policies were “final,” but awards didn’t consistently test readiness.

January 2026 feels different. CMMC isn’t everywhere, but when it shows up in a solicitation, it can decide whether an offer is even eligible.

The Real 2025 to 2026 Shift

Two milestones drive the Cybersecurity Maturity Model Certification (CMMC) in different ways. One defines the program, the other determines when it shows up in contracts—so it helps to keep them separate.

  • The CMMC program framework became official under Title 32 of the Code of Federal Regulations, Part 170 (32 CFR Part 170). That rule defines levels, assessment types, affirmations, scoping, and Plan of Action & Milestones (POA&M) rules.
  • Defense Federal Acquisition Regulation Supplement (DFARS) integration went into effect on November 10, 2025, triggering phased implementation in Department of Defense (DoD) contracting. That’s why 2026 isn’t just “prep and watch.” It’s “read the solicitation and prove status when the clause appears.”

CMMC is currently clause-driven, meaning it becomes a hard requirement only when the solicitation or contract includes the clause. At that point, your posted status and affirmations stop being a back-office detail and become a bid gate.

What Contractors Are Actually Asking in 2026

Most questions boil down to three:

  • Does this work touch Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)?

    • That answer drives Level 1 vs Level 2.

  • What level does the solicitation require—self-assessment or third-party?

    • Level 2 isn’t always the same path. The requirement language matters.

  • Can we prove it quickly when it counts?

    • In 2026, “almost there” is rarely good enough when a bid window is closing.

Where Teams Get Stuck

FCI vs CUI gets guessed instead of verified.

Service work can still touch CUI through deliverables, incident reports, maintenance records, drawings, or systems access.

Proof doesn’t match the requirement.

A binder of controls is not the same as a posted status plus an affirmation cadence that stays current.

Rollout timing gets misunderstood.

Phase 1 is real, but not universal. CMMC arrives through solicitations and can also show up through modifications and option exercises—not by instantly rewriting every DoD contract.

What’s Required Right Now (January 2026), By Level

Level 1 (FCI)

If the work only touches Federal Contract Information (FCI), Level 1 is your lane. Level 1 aligns with the basic safeguarding requirements in Federal Acquisition Regulation clause 52.204-21 (FAR 52.204-21), commonly referenced as 15 requirements.

In practice, you complete a self-assessment, an Affirming Official submits the annual affirmation in the Supplier Performance Risk System (SPRS), and you keep it current. Plans of Action & Milestones (POA&Ms) aren’t allowed at Level 1, so “close enough” tends to turn into delays when a prime needs proof fast.

If Level 1 applies, aim for “MET” across the full set before you chase clause-driven bids.

Level 2 (CUI)

Once Controlled Unclassified Information (CUI) is involved, you’re in Level 2 territory. Level 2 aligns to National Institute of Standards and Technology Special Publication 800-171, Revision 2 (NIST SP 800-171 Rev. 2), commonly referenced as 110 requirements.

Here’s the 2026 reality: Level 2 isn’t one decision, it’s two. First, confirm CUI is actually in your workflows (receive, store, transmit, or build deliverables from it). Second, read the solicitation to see what proof it requires. Some opportunities accept a self-assessment during phased implementation. Others require a Certified Third-Party Assessment Organization (C3PAO) assessment—and that single line can change your timeline and teaming risk.

Smart Scoping

Scoping is part of the program rule structure, and enclave approaches can work when architecture supports them. The goal is a real boundary that keeps CUI contained so assessment and remediation stay proportional; done well, scoping keeps Level 2 achievable, and done poorly, it creates rework when the bid clock is already running.

Level 3

Level 3 is uncommon and typically driven by specific programs. Most small and mid-size contractors won’t pursue it unless a target requirement clearly calls for it.

Why “Current” in SPRS Matters in 2026

A surprising number of teams do the work, then lose momentum on maintenance.

The practical reality is simple:

  • Level 1 operates on an annual rhythm

  • Level 2 status can have a longer validity window, but annual affirmations still matter

  • “We did it last year” doesn’t help if the proof trail drifted

When primes and program teams ask for readiness, they’re not asking for intent. They’re asking whether your status and affirmations are in place and defensible.

POA&Ms: Useful In Narrow Cases, Dangerous As A Strategy

Old fear: “One gap means no awards.”

New reality: a Plan of Action & Milestones (POA&M) can exist only in limited contexts—and it behaves like a timer, not a cushion.

  • Level 1: POA&Ms are not allowed.

  • Level 2 (and rare Level 3 cases): conditional status may be permitted with POA&Ms, but closeout must happen within 180 days through a closeout assessment.

The takeaway is that a POA&M can bridge short-term remediation when allowed, but it doesn’t replace readiness. Treat conditional status like a controlled sprint with a deadline.

Existing Contracts & “Grandfathering”

“Grandfathered” is the wrong mental model.

Many current awards may not change immediately, but options and contract modifications can trigger CMMC requirements as implementation expands. Renewal timing matters more than most teams expect.

Scenario: How A Solid Subcontractor Loses A Slot

A base operations prime needs a subcontractor for facilities support. The sub assumes “FCI-only” and says Level 1 is fine.

During clarification, a deliverable includes records marked CUI. Now Level 2 applies. The sub can’t confirm the right Level 2 path for this opportunity or produce clean proof fast enough.

The prime doesn’t argue. The prime picks a different sub who can show readiness immediately.

In 2026, readiness isn’t just compliance. It’s a teaming advantage.

What This Costs When Readiness is Missing

Readiness gaps rarely fail loudly. They fail quietly.

A bid slows down because evidence has to be pulled together at the last minute. A prime moves on because eligibility looks uncertain. CUI shows up late, and now the team is rebuilding the scope instead of writing and pricing. Meanwhile, the risk goes up when affirmations or status claims aren’t airtight.

Affirmations are serious. Treat them like a readiness deliverable, not a formality.

The 5 Moves That Keep You Eligible in 2026

  • Classify your work: determine FCI vs CUI using markings, deliverables, workflows, and system touchpoints.

  • Tag each target opportunity: Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3 (rare).

  • Set scope deliberately: decide what’s in-scope and whether an enclave approach is realistic for your environment.

  • Make proof repeatable: keep your SPRS status and annual affirmations on a living calendar with clear ownership.

  • Validate the ecosystem early: if a third-party assessment is required, confirm assessor legitimacy and availability before bid time.

Where USFCR Can Help

CMMC friction usually shows up at the worst time: a live bid, a teaming sprint, or an option exercise. That’s when teams realize the question isn’t “Are we working on compliance?” It’s “Can we prove the right level, right now, the way the solicitation expects?”

USFCR support is most useful when it reduces preventable delays:

  • Sorting FCI vs CUI and mapping your target pipeline to CMMC Level 1 vs Level 2.

  • Building a repeatable status and affirmation cadence so you stay current in SPRS.

  • Helping you scope correctly to avoid expensive rework when CUI appears late.

If 2026 is your year to pursue DoD work, treat CMMC like a readiness gate—not a policy memo. Register or renew with USFCR, so your level decision and proof trail are in place before the next bid window opens—and you can compete with confidence when the CMMC clause shows up.

FAQ

When does CMMC actually start showing up as a contract requirement?

CMMC requirements began flowing into applicable DoD solicitations and awards under phased implementation starting November 10, 2025. It shows up when the solicitation/contract includes the CMMC language.

Is Level 1 a “certification”?

Level 1 is a self-assessment aligned to FAR 52.204-21 safeguarding requirements, supported by an annual affirmation in SPRS. It’s not the same as a third-party certification.

Can an award happen if gaps exist?

Level 1 doesn’t allow POA&Ms, so gaps are a real issue. Level 2 may allow conditional status with a POA&M in limited cases, but closeout must occur within 180 days.

Do subcontractors need CMMC, or only primes?

CMMC follows the data. If a subcontractor’s systems will process, store, or transmit FCI or CUI for performance, requirements can apply at any tier.

How long does CMMC status last?

Level 1 behaves on an annual cycle. Level 2 status can have a longer validity window, but annual affirmations keep it usable as “current” for contracting purposes.
