Quick Answer
CMMC, the Department of Defense's cybersecurity certification program, became a binding contract requirement in late 2025, and 2026 is the year those requirements expand. The change most worth watching is Phase 2, which begins November 10, 2026, and introduces third-party Level 2 certification for many contracts that handle sensitive defense information. Because assessments take time to prepare for, readiness is the practical priority this year.