CMMC: What Changes Should Be on Your Radar in 2026?

Jul 2, 2026 10:30:00 AM / by Kyle Hayes


Quick Answer

CMMC, the Department of Defense's cybersecurity certification program, became a binding contract requirement in late 2025, and 2026 is the year those requirements expand. The change most worth watching is Phase 2, which begins November 10, 2026, and introduces third-party Level 2 certification for many contracts that handle sensitive defense information. Because assessments take time to prepare for, readiness is the practical priority this year.

Key Takeaways

  • CMMC became a binding contract requirement in November 2025 and is rolling out in phases through 2028.
  • Phase 1, underway now, centers on Level 1 and Level 2 self-assessments submitted to SPRS.
  • Phase 2 begins November 10, 2026, introducing third-party certification for many Level 2 contracts that handle controlled unclassified information.
  • Independent assessment capacity is limited, so preparing early is the practical priority for contractors who will need certification.
  • CMMC requirements flow down to subcontractors, so subs that handle covered information are affected too.

Where CMMC Stands Going Into 2026

CMMC, the Department of Defense's cybersecurity certification program, became a binding contract requirement in late 2025, and 2026 is the year those requirements broaden. The single change most worth having on your radar is the start of Phase 2 on November 10, 2026, which brings third-party certification into play for many contracts. For defense contractors and the subcontractors who support them, 2026 is less about one deadline and more about staying ahead of requirements that keep expanding as the program phases in.

What Is Already in Effect

The foundation was set in late 2025. The rule that makes CMMC a contract requirement took effect on November 10, 2025, which moved cybersecurity certification from a policy expectation to a condition of award on applicable Department of Defense contracts. That date started Phase 1, the stage the program is in now.

During Phase 1, applicable solicitations primarily require a Level 1 or Level 2 self-assessment. A contractor evaluates its own systems against the required security controls, submits the resulting score to the Supplier Performance Risk System (SPRS), and provides an annual affirmation that it remains compliant. Level 1 covers basic protection of federal contract information, and Level 2 covers the more sensitive category of controlled unclassified information. Throughout 2026 these self-assessment requirements continue to appear in more solicitations, and in some cases the Department of Defense may require third-party certification on a Phase 1 contract at its discretion.

Third-Party Certification Arrives With Phase 2

The change that defines 2026 is the start of Phase 2 on November 10, 2026. Phase 2 introduces the requirement for third-party certification at Level 2, which means that for many contracts involving controlled unclassified information, a self-assessment is no longer enough. Instead, an authorized independent organization, known as a C3PAO, conducts the assessment and issues the certification.

This is the most significant shift in how compliance is verified. Up to this point, much of the program has relied on contractors assessing themselves. Phase 2 moves a large share of Level 2 work to independent verification, which raises the bar on both the accuracy of the assessment and the evidence behind it. For a contractor that will need Level 2 certification, the practical consequence is direct. The work to be ready has to happen before the requirement appears in a solicitation you want to win, not after.

What to Keep on Your Radar Now

A few realities make early preparation the sensible approach rather than an urgent scramble:

  • Readiness takes time. Reaching Level 2 readiness commonly takes several months to well over a year, depending on where a company starts, because it involves documenting systems, implementing controls, and preparing evidence.
  • Assessment capacity is limited. The number of authorized assessment organizations is small relative to the number of contractors who will need Level 2 certification, so scheduling can take time, and that lead time grows as more contractors prepare for Phase 2.
  • Compliance is continuous. CMMC is not a one-time event. Status has to be kept current, with annual affirmations and certifications that stay valid throughout performance.
  • Requirements flow down. A prime contractor is responsible for ensuring its subcontractors meet the CMMC level required for the work, so subcontractors who handle covered information are affected even when they do not hold the prime contract.

Across the 500,000 businesses USFCR has guided since 2010, the contractors who handle requirements like these best are the ones who treat readiness as a planned project rather than a reaction to a solicitation. USFCR helps defense contractors assess where they stand against CMMC requirements and prepare for the assessment that fits their contracts, so certification timing supports their pursuits instead of holding them up.


FAQ

Who needs CMMC certification?

Defense contractors and subcontractors whose systems process, store, or transmit federal contract information or controlled unclassified information in the performance of Department of Defense contracts. The required level depends on the sensitivity of the information involved, and companies that only provide commercial off-the-shelf products are generally exempt.

What is the difference between a self-assessment and a C3PAO assessment?

A self-assessment is conducted by the contractor evaluating its own systems and submitting the result to SPRS. A C3PAO assessment is conducted by an authorized independent third party that verifies compliance and issues the certification. Phase 2, beginning November 10, 2026, brings third-party certification into play for many Level 2 contracts.

What actually changes about CMMC in 2026?

Phase 1 requirements continue to appear in more solicitations through the year, and Phase 2 begins on November 10, 2026, introducing third-party Level 2 certification for many contracts that handle controlled unclassified information. The practical effect is that a self-assessment alone will no longer satisfy a growing share of Level 2 requirements.

Does CMMC apply to subcontractors?

Yes. CMMC requirements flow down through the supply chain. A prime contractor is responsible for ensuring that subcontractors handling covered information meet the required level for the work they perform, which is why many subcontractors are being asked to demonstrate compliance ahead of the formal phases.

Next Steps

The most useful step in 2026 is to find out where you stand before a requirement forces the question. Confirm whether the contracts you hold or want to pursue involve federal contract information or controlled unclassified information, identify the CMMC level that applies, and assess your current systems against it so you know the size of the gap and the time needed to close it. For contractors who want help mapping that path, USFCR supports defense businesses in preparing for CMMC, from understanding which level applies to getting ready for the assessment, so cybersecurity certification becomes a planned part of pursuing defense work rather than a last-minute obstacle.


Tags: Guides, News, cmmc, Federal Spending, Registration & Compliance Management
