CMMC Certification Timeline in 2026: What Defense Contractors Need to Know Now

Get a break down the 2026 certification timeline, DFARS 7021 changes, and why self-attestation is no longer an option.

Are you a defense contractor counting on a CMMC assessment before the November 2026 deadline? The numbers say you should already be in line. In this episode of the Practical Cybersecurity Podcast, Jen Stone sits down with Brett Cox — CMMC Lead Certified Assessor, CMMC Provisional Instructor, and CMMC Program lead at The Boeing Company — to break down what CMMC Phase 2 actually means for the defense industrial base, and why the assessor shortage is the real story. 

In this episode: 

- What CMMC is, and why the DFARS 7021 clause changes everything 

- Why self-attestation is over and third-party (C3PAO) assessment is now mandatory 

- The capacity gap: 118,000+ companies need assessing, ~100 firms can do it 

- How the tiered supply chain flow-down makes your subcontractors your problem 

- Why COTS is the only exemption — and how a custom bolt loses that status 

- How prime contractors are already demanding readiness before award 

- The first three steps to take today if you haven't started 

Podcast Chapters

  • 00:00 The CMMC Assessor Bottleneck
  • 00:36 Welcome & Meet Brett Cox
  • 01:08 What is CMMC?
  • 01:59 Why this year?
  • 03:32 The New Rule: You Verify Your Own Supply Chain
  • 04:29 The Readiness Gap & the Assessor Bottleneck
  • 07:44 Why Primes Already Expect CMMC
  • 09:55 COTS Exemptions (more narrow than you think)
  • 10:41 Tiers/Subcontractors Explained
  • 11:55 Finding Help & Avoiding "Snake-oil"
  • 14:23 A Lesson from Boeing: Be a Little Hard On Yourself
  • 16:10 Your First Step Today

Resources Mentioned

- DoD CIO CMMC documentation  scoping & assessment guides: https://dodcio.defense.gov/CMMC/Documentation/ 

- Cyber AB Marketplace — find a C3PAO or consultant: https://cyberab.org/marketplace 

- NIST SP 800-171 — the 320 assessment objectives (search at csrc.nist.gov) : https://csrc.nist.gov/Pubs/sp/800/171/r3/final

- SecurityMetrics CMMC services: https://www.securitymetrics.com/product/cmmc

About the Guest

Brett Cox is a lead CMMC Certified Assessor and CMMC provisional instructor, and the principal and team lead for the DFARS CMMC Program Management Office at The Boeing Company. He teaches the CMMC Certified Professional (CCP) and CMMC Certified Assessor courses. LinkedIn: https://www.linkedin.com/in/brett-r-cox/

About the Show

Practical Cybersecurity is a SecurityMetrics podcast that turns dense security and compliance topics into clear, practical guidance you can act on. 

#CMMC #DefenseContractors #Cybersecurity #NIST800171 #DFARS #SupplyChain 

CMMC Certification Timeline in 2026: What Defense Contractors Need to Know Now Transcript

Jen Stone: So let's say an organization has done self-assessments — they feel they're ready on paper, they're ready to go. Does that mean they're actually going to be able to get assessed by the deadline?

Brett Cox: And that's the question, because there are just over 100 companies that are capable of performing the assessment, and the DoD estimates there's 118,000+ companies that need to get the assessment.

Jen Stone: Hello, and welcome back to the Practical Cybersecurity Podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Today I have with me Brett Cox. Brett is a lead CMMC Certified Assessor and CMMC provisional instructor. He is the principal and team lead for the DFARS CMMC Program Management Office within the Quality, Risk Management and Compliance organization of The Boeing Company, specializing in U.S. government regulatory compliance.

Brett Cox: And CMMC is on the tips of everyone's tongues these days.

Jen Stone: It really is. A lot of our listeners are unfamiliar with CMMC, so can you give an overview? What is CMMC, and why is this year the year that everybody's talking about it?

Brett Cox: We are talking about the Cybersecurity Maturity Model Certification, or better known as CMMC. It's the DoD's effort to introduce third-party affirmation that a company — a defense contractor — and the members of their supply chain are meeting all the cybersecurity requirements that are in the DFARS, or the Defense Federal Acquisition Regulation Supplement, clauses. We'll just call them the DFARS 7012 and 7021 clauses from here on out. The DFARS 7021 clause is the CMMC clause.

Last year, on the 10th of November, is when the 48 CFR — or Code of Federal Regulations — was put into effect, on 10th November of 2025. So that 48 CFR Part 204 is what gave the DoD the authority to put CMMC requirements in contracts. Now, that's in a four-phased rollout, and the first phase was all about self-assessments: the CMMC Level One self-assessment, which was focused on federal contract information, and Level Two, which is focused on controlled unclassified information, or CUI.

So the DoD, in January of 2025, released a memo. They said anybody who's dealing with controlled technical information, or anything that is in what's called the defense index grouping of the NARA — the National Archives and Records Administration's CUI registry — would have to require a Level Two C3PAO, having the third-party requirement. But to get everybody, you know, to get the ecosystem working, they said for this first year they'll allow self-assessment.

So now — what is unique, to get to your question about this year — this year is when phase two goes into effect, on November 10th, and that will require a C3PAO. Now, we do have a challenge, and that's building a complete supply chain. Because one of the things that's unique about CMMC versus the DFARS 7012 clause: we had a mandatory flow-down of the DFARS 7012 clause before, but that created a relationship between the contractor and the Department of Defense — Department of War. Now it creates a relationship between the subcontractor and the next level up. So in other words, each one of us has to validate that the tier down has the proper CMMC level required by the CFR, by the contract, before we can award them work.

Jen Stone: But they didn't have a third party before, right?

Brett Cox: It was all self-attestation. The DoD found out over the years, with the DFARS 7012 clause, that — well, not everybody was as compliant as they said they were. And so requiring a third party to come in and validate that is the future of defense contracting.

Jen Stone: Phase two — which is that third-party assessment, the C3PAO — goes live this November, 2026. I think that kind of lands us into the territory of: what's the readiness gap? Are people ready for November? How long does it actually take? Where should people be in this third-party assessment process in order to meet that?

Brett Cox: Well, the old adage is that if you haven't started, you're too late. Oh — no, you're never too late. You know, the time to get started is now. If you haven't already started getting ready for it, it is going to take some time. So there's 320 objectives of NIST 800-171 that have to be met. There's a lot of complexities in there — everything from access control to even just protecting your media. So, looking at each one of the requirements and performing an honest self-assessment of where you are today, where your gaps are, and what your plan to complete that is. But the bad news is that if you haven't started already and you're just getting started, you might miss out on some of the early contracts, because you will not be able to be awarded those contracts until you have the required level of CMMC.

Jen Stone: So let's say an organization has done self-assessments — they feel they're ready on paper, they're ready to go. Does that mean they're actually going to be able to get assessed by the deadline?

Brett Cox: And that's the question, because there are just over 100 companies that are capable of performing the assessment. And the DoD estimates there's 118,000+  companies that need to get the assessment. Take the easy numbers and say that it's 120,000 companies that need a CMMC Level Two C3PAO assessment. Then you divide that by three, because the certification is good for three years. That means we have to assume that 40,000 companies are going to get assessed every year. Well, right now, even at that pace, that means — the existing number of teams that are available, and the number of companies — you have to finish more than one per day to get that done. And it's, unfortunately, not an everyday type of assessment to get done. And it's also not going to be broken down evenly into 40,000 companies per year — right now, you know, the estimate is that we'll have about 2,500 companies, maybe a few more, that are ready by 10th November, out of the 120,000, just using those easy numbers. Does that mean we're going to have to do 60,000, 70,000, 80,000 assessments next year in this ecosystem? That's going to be very challenging. So right now, you could expect anywhere from — I would say, from a C3PAO side — probably a few months to several months, you know, maybe not quite a year, to get into that queue to be assessed.

Jen Stone: So we've talked about the DoD's timeline, but from what I've heard, some of the major primes are already asking their suppliers to be CMMC compliant — to already have been assessed. Can you offer some insight into that? 

Brett Cox: Part of the rollout of CMMC is also the addition of the DFARS 7025 clause. So the DFARS 7025 clause is the provisional clause that says that you will have a CMMC requirement. That means you will get the 7021 clause, and it'll tell you what your level is. Now, that level — once you get that in your proposal, in your RFI, RFP, or RFX — that should give you time to build a compliant supply chain. So a prime contractor, of course, would want to know who's ready, who's ready to go. Now, you don't have to have the certification in place until you actually are being awarded the work. But a lot of prime contractors, in my estimation, would want to know ahead of time: who's ready, who can I award this work to? And then, what does their supply chain look [like] as well? Because it's not just the prime and their relationship to their tier one suppliers — it's the relationship of the tier four to the tier five supplier that has to be taken into account as well. Because otherwise, we as a prime would not be able to be compliant with the DFARS 7021 clause, because we couldn't execute on it, because we wouldn't have a completely compliant supply chain.

And, you know, we're not always getting the 7025 provisional clause in the contract, in the proposal. We sometimes are seeing that the Department of War is putting in a requirement for the 7021 clause before contract award. Well, that doesn't give anybody time to assemble a compliant supply chain. So it's a very challenging environment right now, with that understanding of where the primes are, where the subcontractors are, and how far down that tiered contractor / subcontractor / supplier infrastructure that goes.

Because the only thing that's exempt is COTS — and that is purely commercial off-the-shelf, whether it's software, whether it's hardware, etc. And if you think about COTS in that exemption: if I am buying, you know, a thousand bolts, and they're colored blue, but I want them colored red, so they have to be modified — it's no longer COTS now. It's commercial. Commercial requires CMMC. Literally, COTS is the only exemption. There's no minimum purchase threshold on this either — even if it's four parts that are 38 cents apiece, the requirement could still apply.

Jen Stone: Interesting. So can you talk a little bit more about what the tiers are, and how that affects what they're responsible for in terms of requirements?

Brett Cox: Sure, absolutely. So if we take it from a prime like Boeing, right — the prime contractor is whoever wins the contract directly from the DoD. So think of it like someone who's building a house. You bought some land, and now you want to build a house, so you hire a general contractor, right? So the general contractor — call them the prime. They're the prime; they're the ones who won. They hire the engineering firm to design the house — but that would be a tier one supplier. Another tier one supplier would be the people who pour the foundation. Then another tier one would be the carpenters. But the carpenters that frame the house don't do everything on their own; they hire other carpenters. So they may be short-staffed, they may have a specific expertise like erecting structures, and they have to subcontract to that. So the tier one is our general contractor, the tier two would be the carpenter, the tier three would be the carpenters who are doing the erecting of the walls.

Jen Stone: Okay. So people are out there going, "Yes, I have to do this, I'm feeling behind." What's out there to help them get ready for the assessment — what's that path look like, and what are the tools and/or services that they can use to get ready?

Brett Cox: Your prime — especially if you typically work for large primes — is going to have resources available for you. But the DoD also has resources available, so make sure you check out dodcio.defence.gov and go to CMMC resources and documentation. There's a lot of great links out there that'll take you to resources that will help you. But I also would recommend that, especially if you need a lot of help, getting somebody on contract to help you — getting a consultant. And if I'm making a recommendation, I'm going to recommend somebody who's in the CMMC ecosystem, so that they're available on the Cyber AB's marketplace, because they have had background checks completed on them, they have signed the Code of Professional Conduct, and they have to have a certain number of registered or certified professionals associated with them to keep that designation. So if you go to the cyberab.org go to the marketplace, you can find the C3PAOs, which can either be used for doing assessments or consulting — you just can't use the same company for both. There's a lot of different options available, but I would absolutely try to pick somebody who has signed the Code of Professional Conduct. And that means they are going to meet a minimum set of ethical guidelines, and that they've had background checks completed on them — that you're not going to find any, “snake-oil salespeople” out there that say, you know, "Hey, give us $1,000 and we'll have you CMMC compliant by tomorrow."

Jen Stone: People are under pressure, and they need help right now, and so they might be swayed to go in a direction that maybe isn't in their best interest in this readiness. As an aside, SecurityMetrics is offering this service. And I know, just from internal conversations, how important that is — to make sure that they're getting it right. And especially when anything new launches — and this is new, even though it's been in the pipeline for a long time — when you start saying, "Okay, now we're going to do this in this way," that's a new approach, and it takes time to get that right.

Brett Cox: Absolutely. This is every company out there. I mean, we've had a lot of great experience over the years with the DCMA — the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC — who went out to companies, and still is going out to companies, doing what's called a high-confidence, on-site assessment against NIST 800-171. You know, we were one of the first companies to have that done, back in 2019, and we've actually gone through four of them. So that gave us a lot of experience between the Boeing enterprise and our subsidiaries. So, you know, going into CMMC wasn't a huge lift, because we had already been working on it since 2019. So it was something that we had already planned for, had already started working on, because of the DCMA DIBCAC  assessments. But if you've never had one, this could be a very unique and challenging experience for you. And that's why that self-assessment of judging where you are — you know, be a little hard on yourself. That's why I teach all my CMMC students — because I do teach the CMMC Certified Professional and the CMMC Certified Assessor classes. And, you know, if you're ever interested in taking classes, I highly recommend it. You don't have to take the exam, you don't have to become certified, but at least take the CCP class. That way you get the full breadth of what CMMC is.

Jen Stone: If there is someone out there that's like, "I know that I have to get this done," but they just haven't started yet — what's their first step today, to go get started?

Brett Cox: The first thing they have to do is determine what level of CMMC they want. Where do they want to compete? Do they just want to compete for FCI contracts, or do they want to compete for CUI contracts? And you can find out what that model looks like on the DoD CIO's website. Go to the resources and download the appropriate scoping guide. Do not pass go. Do not collect $200.

Jen Stone: Okay. Well, before I let you go — any last piece of advice?

Brett Cox: I think my biggest piece of advice is: get started. Because this is not easy. This is not something that you're going to be able to do overnight. But if you don't get started, you don't know where you are. Do that gap analysis. And then, if you need other subject-matter expertise, go out and get it. Go find it.

Jen Stone: Thank you so much for your time today. It's been dense information, and I think it's going to be very useful to the people who need to care about CMMC.

Get Price Range for Compliance
Access Calculator
Get Quote for CMMC Compliance
Request a Quote