CMMC Basics: A Practical 2026 Roadmap for CMMC Compliance

The time to implement the Cybersecurity Maturity Model Certification (CMMC) has finally arrived. Read to learn the timelines and best practices.


The CMMC Nov. 10 deadline has passed: what should you do in 2026?

If your CMMC status isn't confirmed in the Supplier Performance Risk System (SPRS), you may find yourself ineligible for award before the technical evaluation even begins.

Brief History of the CMMC

For years, the Cybersecurity Maturity Model Certification (CMMC) was a looming "coming soon" sign on the horizon of Department of War (Department of Defense) contracting. That horizon has finally arrived.

While the framework's core requirements, which are rooted in NIST SP 800-171, have been expected of contractors since 2017, the Department of War (DoW) had no formal mechanism to verify that these security bars were actually being met before awarding a contract.

Early iterations of CMMC aimed to replace a simple self-attestation model with a robust, third-party validated framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense supply chain. After more than half a decade of development and refinement, the Department of War’s (DoW’s) latest CMMC 2.0 rules were formalized in the Defense Federal Acquisition Regulation Supplement (DFARS), with the final 48 CFR rule taking effect on November 10, 2025.

The significance of this rule cannot be overstated. 

For the first time, the DoW now has explicit legal authority to include CMMC requirements in new solicitations and contracts and to require contractors to demonstrate a current CMMC compliance status before an award can be made. 

This is a fundamental shift in how cybersecurity is treated in defense procurement. It's no longer a policy aspiration, but a contractual and enforceable condition of doing business. As the phased rollout continues, understanding and preparing for these changes will be essential for any organization seeking to compete for government work in the coming years. In this post, we'll talk about what this November 2025 milestone means for your business, the specifics of the phased rollout, and why the "wait and see" approach is no longer a viable strategy.

Understanding the Phased Rollout

The DoW recognizes that transitioning the entire Defense Industrial Base of over 300,000 companies to a verified compliance model cannot happen overnight. To manage the demand for third-party assessments and give contractors time to budget for upgrades, the DoW has structured a four-phase rollout spanning three years.

Phase 1: The Self-Assessment Baseline (Now Live)

Starts: November 10, 2025 

In this initial phase, the DoW has the authority to include CMMC Level 1 or Level 2 self-assessment requirements in all new solicitations.

  • What it means: For most contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you must have a self-assessment and a signed affirmation of compliance uploaded to SPRS in order to be eligible for award.
  • The "Discretionary" Clause: Be aware that during Phase 1, the DoW also has the discretion to include Level 2 C3PAO (third-party) certification requirements for certain high-priority programs.

Phase 2: The Shift to Third-Party Verification

Starts: November 10, 2026

One year into the rollout, the "trust" portion of "trust but verify" begins to fade.

  • What it means: The DoW will begin incorporating Level 2 C3PAO certification requirements into nearly all applicable solicitations as a condition of award.
  • The Impact: If your contract involves sensitive Controlled Unclassified Information (CUI), you will likely no longer be able to "self-certify." You will need an assessment from a Certified Third-Party Assessment Organization (C3PAO) on file before you can sign the contract.

Phase 3: Universal Certification & Option Periods

Starts: November 10, 2027

The third phase expands the CMMC compliance requirement beyond new contract awards; it also applies to existing and renewing contracts.

  • What it means: CMMC Level 2 C3PAO certification becomes a requirement for the exercise of option periods on existing contracts awarded after the 2025 start date.
  • Level 3 Appears: This phase also introduces CMMC Level 3 (Expert) requirements for the most sensitive defense programs, requiring government-led assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Phase 4: Full Implementation

Starts: November 10, 2028

Three years after the initial launch, the transition to CMMC will be complete.

  • What it means: CMMC requirements will be present in all applicable DoW solicitations and contracts, including option periods on contracts that were awarded even before the rollout began. At this point, CMMC is no longer a "new rule" but the standard cost of doing business with the Department of War.

While 2028 feels far away, the timeline for Level 2 readiness is typically 6 to 18 months. Between performing a gap analysis, remediating technical debt, and finding an available C3PAO for an audit, companies that start today are often only just making it in time for Phase 2.

Decoding the CMMC Levels: Where Do You Fit?

The CMMC framework is built on a "tiered" model. This means that instead of a one-size-fits-all approach, your compliance requirements are determined by the sensitivity of the data you handle. 

Each level builds upon the previous one. For example, Level 2 requirements include all the controls covered by a Level 1 self-assessment, plus more.

Here is a breakdown of the three levels as defined in the final rule:

Level 1 CMMC Contractors: Foundational

This level is designed for contractors that only handle Federal Contract Information (FCI), data that is not intended for public release but isn't considered "sensitive" in a way that impacts national security (e.g., contract numbers, delivery schedules).

  • Requirements: 15 security practices (derived from FAR 52.204-21).
  • Assessment: Annual self-assessment. A senior company official must affirm compliance in the Supplier Performance Risk System (SPRS) every year.
  • The Bar: Basic cyber hygiene like using antivirus, changing passwords, and limiting physical access to offices.

Level 2 CMMC Contractors: Advanced

This is the level where many defense contractors will live. It applies to any company that handles Controlled Unclassified Information (CUI), such as technical drawings, blueprints, or ITAR-regulated data.

  • Requirements: 110 security practices (aligned exactly with NIST SP 800-171).
  • Assessment: Dual-track. For prioritized acquisitions, you must undergo a third-party assessment by a C3PAO every three years. For non-prioritized programs, a self-assessment may suffice (subject to the contract wording).
  • The Bar: Documented policies, multi-factor authentication (MFA), advanced encryption, robust incident response capabilities, etc.

Level 3 CMMC Contractors: Expert (High-Value Programs)

Level 3 is reserved for the most critical programs. If you are working on a major weapons system or cutting-edge satellite tech, this likely applies to you.

  • Requirements: 130+ practices (all 110 from Level 2, plus 24 enhanced requirements from NIST SP 800-172).
  • Assessment: Government-led assessment. You must be audited directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every three years.
  • The Bar: Proactive threat hunting, sophisticated system monitoring, and defense against high-level cyber espionage.

The "Flow Down" Ripple Effect: Managing Subcontractors

CMMC is not just a problem for your own organization; it is a supply chain requirement. Under the final rule, prime contractors bear the legal responsibility for ensuring that every subcontractor in their supply chain, even the smallest shop or consultant, meets the required cybersecurity standards before any sensitive data is shared.

This obligation is known as "Flow Down," and it transforms the prime contractor into a quasi-auditor for their own partners.

Responsibilities as a Prime Contractor

As a prime, the DoW now holds you accountable for three specific actions regarding your supply chain:

  1. Determine the Level: You must assess what kind of data you are "flowing down" to the sub. 
    1. If they only receive contract numbers or schedules (FCI), you must mandate Level 1. 
    2. If you are sending blueprints, specs, or technical data (CUI), you must mandate Level 2.
  2. Verify Status Before Award: You are legally prohibited from awarding a subcontract or sharing sensitive data until you have verified the subcontractor has a current status in the Supplier Performance Risk System (SPRS).
  3. Ensure Annual Affirmation: You must confirm that your subcontractors have a senior official sign an annual affirmation of continued compliance. A "one and done" certificate is no longer enough.

The "hard part" of this flow down task is that many primes, especially the largest ones, may not even know the complete list of subcontractors that will be working on a specific contract award.

They may know the first few tiers, but they will rely on sub-prime contractors to track their own flow down, and expect even the smallest Level 1 subcontractor to report its CMMC compliance status.

Currently, SPRS is the only potential source of CMMC compliance data. In addition, with the exception of primes, SPRS does not allow you to look up companies other than your own.

The next two years will be critical to the DIB for the collection and organization of these flow down relationships.

Another problem in the industry is that each prime contractor will be trying to develop its own way of tracking this flow down. If you are a subcontractor that works with a number of primes, you will be required to report to each of those primes, and your data will be stored in each prime's unique tracking system.

About SecurityMetrics’ CMMC Solutions for Prime Contractors

SecurityMetrics offers prime contractors a compliance management portal that makes it easy to track and verify the CMMC status of all sub-contractors, making what could be the most tedious part of your CMMC experience simple to organize and manage. 

We currently have 180,000 DoD subcontractors in our database whose CMMC compliance we are tracking. We also have a large technical support team that will help Level 1 subcontractors complete their CMMC self-assessment questionnaire.

Get started on CMMC here.

2026 Strategy: The "Self-Assessment First" Rule

For the 2026 calendar year, the DoW is in Phase 1, which means the immediate priority for both Level 1 and Level 2 entities is the formal Self-Assessment.

Even if you aren't yet required to undergo a third-party audit, you cannot legally bid on new contracts unless your self-assessment results are recorded in the government’s Supplier Performance Risk System (SPRS).

For Level 1 CMMC Entities: The Annual Requirement

If you only handle Federal Contract Information (FCI), your 2026 goal is to achieve a perfect score on the 15 basic practices.

  • No Plan of Action and Milestones (POA&Ms) Allowed: Unlike higher levels, Level 1 is pass/fail. You cannot submit a "Plan of Action" to fix things later; all 15 controls must be fully implemented before you self-certify.
  • A senior executive must now digitally sign an affirmation in SPRS. This makes the executive personally and legally responsible for the accuracy of the assessment, increasing the stakes for pencil-whipping the results.
  • This must be repeated annually. If your last self-assessment was in early 2025, you are likely due for a 2026 update.
  • You may want to enlist the help of a CMMC Registered Practitioner Organization (RPO) to guide you through the compliance tasks for a Level 1 self-assessment.

For Level 2 CMMC Entities: The NIST 800-171 Baseline

For those handling Controlled Unclassified Information (CUI), 2026 is the year of the "gap closure."

  • Calculate Your Score: Use the DoD’s official assessment methodology. Scores range from -203 to +110. Primes are increasingly looking for subcontractors with a minimum score (often 88 or higher) before they will even consider them for a bid.
  • The 180-Day Clock: If you have gaps (a score below 110), you can use a POA&M, but the new rule is strict: you must remediate those gaps within 180 days of the assessment date or your "Conditional" status will expire.
  • Prepare for Phase 2: Remember that starting November 10, 2026, the DoD will begin mandating third-party C3PAO audits for Level 2. If you don't have a solid self-assessment on file now, you will be at the back of a very long line when the mandatory audits begin next year.
  • You may want to start working with a CMMC Third-Party Assessor Organization (C3PAO) in a consulting role to help you conduct these detailed gap assessments.

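The scoring, 180-day POA&M clock and "Conditional" status described above, as an added worked example in Python (not code from the post or from SecurityMetrics). The per-requirement point weights (5, 3 or 1, with partial credit of 3 for MFA and non-FIPS-validated crypto) come from the DoD Assessment Methodology, which the post does not spell out; the list of open gaps is constructed for illustration.

```python
from datetime import date, timedelta

MAX_SCORE = 110           # all 110 NIST SP 800-171 practices implemented
MIN_SCORE = -203          # every practice missing: 110 minus 313 weighted points
POAM_WINDOW_DAYS = 180    # remediation window before Conditional status expires
PRIME_MIN_SCORE = 88      # threshold the post says many primes look for

# Constructed sample of open gaps as (requirement id, point weight).
# Weights follow the DoD Assessment Methodology's 5 / 3 / 1 scheme; an MFA
# or FIPS gap that is partially closed is scored at 3 instead of 5.
SAMPLE_GAPS = [
    ("3.1.1", 5),    # system access not limited to authorized users
    ("3.5.3", 5),    # MFA not deployed at all
    ("3.13.11", 3),  # encryption in place but not FIPS-validated (partial credit)
    ("3.3.3", 1),    # logged events not reviewed and updated
    ("3.8.4", 1),    # media not marked with CUI markings
]


def sprs_score(gaps):
    """Start from 110 and subtract the weight of every open requirement."""
    score = MAX_SCORE - sum(weight for _, weight in gaps)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    return score


def poam_deadline(assessment_date):
    """Last day the POA&M may stay open under the 180-day rule."""
    return assessment_date + timedelta(days=POAM_WINDOW_DAYS)


def level2_status(gaps, assessment_date, today):
    """'Final' at 110/110, 'Conditional' while the clock runs, else 'Expired'."""
    if sprs_score(gaps) == MAX_SCORE:
        return "Final"
    return "Conditional" if today <= poam_deadline(assessment_date) else "Expired"


def summary(gaps, assessed_iso, today_iso):
    """Everything a prime would want to see, keyed for a tracking portal."""
    assessed, today = date.fromisoformat(assessed_iso), date.fromisoformat(today_iso)
    return {
        "score": sprs_score(gaps),
        "deadline": poam_deadline(assessed).isoformat(),
        "status": level2_status(gaps, assessed, today),
        "meets_prime_threshold": sprs_score(gaps) >= PRIME_MIN_SCORE,
    }


if __name__ == "__main__":
    print(summary(SAMPLE_GAPS, "2026-01-15", "2026-07-14"))
```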
How can SecurityMetrics Help?

SecurityMetrics is a CMMC Registered Practitioner Organization (RPO). As such, we help organizations seeking CMMC compliance by providing the following services:

  • Level 1 CMMC Self Assessment Guidance: We offer Level 1 contractors the ability to begin CMMC with no previous understanding of data security frameworks, guiding you from start to finish, and helping you report your compliance in the SPRS system and up the chain to the Prime contractor. 
  • Level 2 CMMC: We offer a CMMC Readiness Assessment to efficiently scope your CMMC environment and conduct a thorough Gap Analysis. This ensures you are prepared to confidently pass your assessment. We also offer a Mock Assessment.
  • Prime Contractors: We offer Prime contractors a compliance management portal that makes it easy to track and verify the CMMC status of all sub-contractors, making what could be the most tedious part of your CMMC experience simple to organize and manage. 

About SecurityMetrics

SecurityMetrics has been working in the cybersecurity compliance industry for more than 25 years. Over 800,000 businesses have secured their data with us using the cybersecurity frameworks we specialize in, such as PCI DSS, HIPAA, HITRUST, CIS, and more.

We help large, complex organizations meet compliance guidelines and provide compliance services to small businesses, with over 300,000 organizations currently partnered with us. We will help you simplify your compliance efforts, especially if you don't know where to start.
