CMMC, the Department of Defense's cybersecurity certification program, became a binding contract requirement in late 2025, and 2026 is the year those requirements broaden. The single change most worth having on your radar is the start of Phase 2 on November 10, 2026, which brings third-party certification into play for many contracts. For defense contractors and the subcontractors who support them, 2026 is less about one deadline and more about staying ahead of requirements that keep expanding as the program phases in.
The foundation was set in late 2025. The rule that makes CMMC a contract requirement took effect on November 10, 2025, which moved cybersecurity certification from a policy expectation to a condition of award on applicable Department of Defense contracts. That date started Phase 1, the stage the program is in now.
During Phase 1, applicable solicitations primarily require a Level 1 or Level 2 self-assessment. A contractor evaluates its own systems against the required security controls, submits the resulting score to the Supplier Performance Risk System (SPRS), and provides an annual affirmation that it remains compliant. Level 1 covers basic protection of federal contract information, and Level 2 covers the more sensitive category of controlled unclassified information. Throughout 2026 these self-assessment requirements continue to appear in more solicitations, and in some cases the Department of Defense may require third-party certification on a Phase 1 contract at its discretion.
The change that defines 2026 is the start of Phase 2 on November 10, 2026. Phase 2 introduces the requirement for third-party certification at Level 2, which means that for many contracts involving controlled unclassified information, a self-assessment is no longer enough. Instead, an authorized independent organization, known as a C3PAO, conducts the assessment and issues the certification.
This is the most significant shift in how compliance is verified. Up to this point, much of the program has relied on contractors assessing themselves. Phase 2 moves a large share of Level 2 work to independent verification, which raises the bar on both the accuracy of the assessment and the evidence behind it. For a contractor that will need Level 2 certification, the practical consequence is direct. The work to be ready has to happen before the requirement appears in a solicitation you want to win, not after.
A few realities make early preparation the sensible approach rather than an urgent scramble:
Across the 500,000 businesses USFCR has guided since 2010, the contractors who handle requirements like these best are the ones who treat readiness as a planned project rather than a reaction to a solicitation. USFCR helps defense contractors assess where they stand against CMMC requirements and prepare for the assessment that fits their contracts, so certification timing supports their pursuits instead of holding them up.
Who needs CMMC certification?
Defense contractors and subcontractors whose systems process, store, or transmit federal contract information or controlled unclassified information in the performance of Department of Defense contracts. The required level depends on the sensitivity of the information involved, and companies that only provide commercial off-the-shelf products are generally exempt.
What is the difference between a self-assessment and a C3PAO assessment?
A self-assessment is conducted by the contractor evaluating its own systems and submitting the result to SPRS. A C3PAO assessment is conducted by an authorized independent third party that verifies compliance and issues the certification. Phase 2, beginning November 10, 2026, brings third-party certification into play for many Level 2 contracts.
What actually changes about CMMC in 2026?
Phase 1 requirements continue to appear in more solicitations through the year, and Phase 2 begins on November 10, 2026, introducing third-party Level 2 certification for many contracts that handle controlled unclassified information. The practical effect is that a self-assessment alone will no longer satisfy a growing share of Level 2 requirements.
Does CMMC apply to subcontractors?
Yes. CMMC requirements flow down through the supply chain. A prime contractor is responsible for ensuring that subcontractors handling covered information meet the required level for the work they perform, which is why many subcontractors are being asked to demonstrate compliance ahead of the formal phases.
The most useful step in 2026 is to find out where you stand before a requirement forces the question. Confirm whether the contracts you hold or want to pursue involve federal contract information or controlled unclassified information, identify the CMMC level that applies, and assess your current systems against it so you know the size of the gap and the time needed to close it. For contractors who want help mapping that path, USFCR supports defense businesses in preparing for CMMC, from understanding which level applies to getting ready for the assessment, so cybersecurity certification becomes a planned part of pursuing defense work rather than a last-minute obstacle.