CMMC Requirements Are Already in Contracts

I've heard every version of "CMMC will never actually happen" over the past three years. They'll delay it again. It's just for the big primes. Nobody's really going to enforce it.

As of February 2026, that debate is over. I spent an evening reviewing active solicitations on SAM.gov, the official federal procurement system. What I found should end the discussion permanently.

The Evidence Is on SAM.gov

In the past three weeks alone, at least 13 Department of Defense solicitations have been posted on SAM.gov with explicit CMMC Level 2 requirements. These aren't draft documents. These aren't policy memos. These are real contracts, with real money, that you cannot win without CMMC certification.

Navy — NAVSEA Submarine IDIQ MAC

"Have the ability to meet Cybersecurity Maturity Model Certification (CMMC) Level 2 via independent assessment by an authorized CMMC Third Party Assessment Organization (C3PAO) every three years."

This indefinite-delivery contract for submarine maintenance requires C3PAO-assessed Level 2 — not self-assessment. This is the highest bar currently being applied.

Army — Prototype Integration Facility 2027

"Cybersecurity Maturity Model Certification (CMMC) Level 2 is required before the award date."

No ambiguity. No conditional language. Level 2 before award. If you don't have it, you can't bid.

Navy — NAVFAC Transformer Stations (Japan)

"The government will check the Supplier Performance Risk System (SPRS) for each CMMC Unique Identifier (UID) to verify the offeror's CMMC status and SHALL NOT award a contract to an Offeror that does not have a current CMMC status posted in SPRS at the specified CMMC level or higher."

Read that again. "SHALL NOT award." Not "may consider." Not "preferred." Shall not.

Air Force — Global Strike Command

"Vendors must be up to date (within 3 years) and have a score of 110 on NIST SP 800-171 Assessment (or CMMC Assessment Level 2) in the SPRS module of PIEE to be considered capable."

A perfect SPRS score of 110 — or CMMC Level 2. For a site lighting replacement at missile launch facilities. Even "small" contracts at sensitive installations require full compliance.

Army/USACE — SOF Tactical Equipment Maintenance

"CMMC Certified, Level 1 certification is currently required. This will increase to Level 2 by October 1, 2026, and Level 3 by October 1, 2027."

This is the escalation roadmap written directly into contract language. Level 1 today. Level 2 by fall 2026. Level 3 by 2027. If you're planning for Level 2 alone, you may already be behind.

The DFARS Regulatory Shift

What most contractors haven't caught yet: as of February 1, 2026, DFARS 252.204-7019 has been deleted and DFARS 252.204-7020 has been renumbered to 252.240-7997.

The old self-assessment and SPRS upload framework — the one many contractors treated as the entire compliance requirement — is being replaced by CMMC. The regulatory transition is happening in real time, and the new clauses carry significantly more enforcement weight.

What This Means for Subcontractors

If you're a subcontractor thinking "this only affects primes," you're wrong. Major defense primes are already flowing down CMMC requirements to their supply chains. Subcontractors face double pressure — from the Department of Defense directly and from their prime contractors.

Multiple solicitations now include language requiring primes to verify subcontractor CMMC status. The flow-down isn't optional. If your prime is bidding on a contract that requires Level 2, you need Level 2 too.

The C3PAO Queue Is Growing

Here's the math that should keep every defense contractor's CISO awake at night:

• 80,000+ defense contractors will eventually need CMMC Level 2 certification
• Fewer than 100 authorized C3PAOs exist in the entire country
• Each assessment takes weeks of preparation, on-site evaluation, and reporting
• C3PAO capacity: estimated 3,000-5,000 assessments per year at full utilization

Even in the most optimistic scenario, the queue extends well into 2028. Companies that wait until Q3 2026 to begin their CMMC journey will be looking at assessment wait times that extend past the November 2026 deadline. And as we've now seen — contracting officers aren't waiting for Phase 2 to start requiring compliance.

Five Things to Do This Week

If you're a defense contractor who hasn't started CMMC preparation, here are five things to do before Friday:

1. Check your SPRS score. Log into PIEE and verify your current submission. If you don't have one, or don't know what this means — that tells you everything about your readiness.
2. Identify your CUI boundary. Every system that processes, stores, or transmits Controlled Unclassified Information is in scope for CMMC Level 2. Every one. If you haven't defined this boundary, your scope is undefined — and so is your compliance path.
3. Start your System Security Plan (SSP). The SSP is the foundational document for CMMC. It describes how your organization meets each of the 110 NIST 800-171 controls. No SSP means no assessment.
4. Get on a C3PAO's calendar. Not next month. Not next quarter. This week. Assessment slots are filling. The organizations that schedule first will certify first.
5. Engage a Registered Provider Organization (RPO). An RPO can conduct a gap assessment against all 110 controls and give you an honest picture of where you stand and what it takes to close the gap.

The window isn't closing. For 13+ contracts on SAM.gov, it's already closed.