Aliff Solutions
Research Report

GovCon CMMC Readiness Index — Q2 2026

An empirical analysis of CMMC Level 2 readiness across the Defense Industrial Base, with assessment volume trends, common gaps, and projected attainment timelines

Published May 19, 2026 by the Aliff Solutions Editorial Team. Based on 5 data sources.

Executive Summary

DoD's Cybersecurity Maturity Model Certification (CMMC) is now a contractual requirement. Yet our analysis of DIBCAC and C3PAO assessment data, combined with FPDS contract obligation patterns, suggests that the majority of the Defense Industrial Base is still 12-24 months behind the certification timeline implied by 2027 DFARS 252.204-7021 contract clause incorporation. This report quantifies the readiness gap, identifies the most common control gaps blocking Level 2 attainment, and forecasts the realistic certification curve through 2028.

Key Findings

**~80,000**: Estimated size of the Defense Industrial Base required to certify at CMMC Level 2 to maintain DoD contract eligibility for CDI-handling work. Includes prime contractors and second-tier subs.

**~3,400**: Estimated CMMC Level 2 certifications completed or in progress as of Q2 2026, approximately 4.2% of the DIB Level 2 population.

**~210 / month**: Current sustained C3PAO assessment completion rate. At this pace, full DIB Level 2 certification would take 30+ years, which is clearly infeasible.

**AC.L2-3.1.20**: Most common control deficiency in failed/incomplete assessments (Limit connections of external information systems). Indicates DIB-wide weakness in third-party connection inventory and control.

**AC.L2-3.1.12 + AC.L2-3.1.16**: Second and third most common deficiencies (Monitor and control remote access sessions; Authorize wireless access prior to allowing connections). Both reflect remote-work-era gaps.

**$45K-$180K**: Typical cost range for a first-time C3PAO Level 2 assessment, varying by enclave size, scope, and remediation needs prior to assessment. Annual ongoing compliance is additional.

Methodology

Assessment volume estimates are derived from publicly available DIBCAC throughput data, C3PAO marketplace activity (CyberAB authorized assessor counts and reported engagement volumes), and SPRS score posting rates. Common control gap analysis aggregates anonymized findings from Aliff Solutions CMMC readiness engagements supplemented by publicly disclosed assessment findings. Defense Industrial Base population estimates are derived from FPDS contract obligation data for FY2024, filtered to entities with non-zero DoD direct or subcontract revenue. Projections through 2028 use historical assessment growth rates adjusted for stated CyberAB capacity additions.

What CMMC Is and Why It Matters

The Cybersecurity Maturity Model Certification (CMMC) is DoD's framework for assessing and certifying cybersecurity posture across the Defense Industrial Base. It applies to contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on DoD work.

CMMC has three levels. Level 1 is annual self-assessment for FCI-only contractors. Level 2 requires C3PAO third-party assessment every three years for CUI-handling contractors. Level 3 requires DIBCAC government assessment for the highest-priority CUI contracts.

The 32 CFR Part 170 final rule incorporates CMMC into DFARS clause [252.204-7021](/far/252-204-7021). Phased contract clause incorporation runs through 2027-2028, but the practical effect is already visible: DoD contracting officers are conditioning task order awards on SPRS scores and stated CMMC posture, even when the explicit clause has not yet been incorporated.

For contractors handling CUI, Level 2 certification is rapidly becoming a contractual prerequisite for DoD work. Firms that delay risk losing recompete eligibility as their current contracts expire under updated DFARS clause incorporation.

The Readiness Gap

The arithmetic of CMMC adoption is sobering. Our DIB population estimate is approximately 80,000 entities required to certify at Level 2. As of Q2 2026, our analysis suggests approximately 3,400 are certified or in active assessment — roughly 4.2%.

At the current sustained C3PAO assessment completion rate of approximately 210 per month, full DIB Level 2 certification would require 30+ years. This is clearly infeasible given DoD's stated 2027-2028 contract clause incorporation timeline.

Three things must happen for the math to work: (1) C3PAO capacity must expand dramatically — CyberAB is authorizing additional assessors but capacity growth is rate-limited by the assessor training and certification pipeline; (2) some portion of the DIB will exit DoD work rather than certify, particularly small commercial firms whose DoD revenue is modest relative to certification cost; and (3) self-assessment pathways or phased certification options may emerge for lower-risk CUI categories.

The implication for contractors: certification timing is competitive advantage. Firms that complete Level 2 in 2026-2027 will face significantly less competition for CUI-handling contracts as DoD's contracting officer pool tightens the SPRS and CMMC posture filters. Waiting until 2028 to begin readiness work will likely mean losing eligibility for the recompete cohort expiring in that window.

The Common Control Gaps

Aggregating findings from Aliff Solutions CMMC readiness engagements and publicly disclosed assessment outcomes, the most consistently weak NIST SP 800-171 controls fall into four clusters:

**Access Control (AC family)** — AC.L2-3.1.20 (Limit connections of external information systems) leads the deficiency list, followed by AC.L2-3.1.12 (Monitor and control remote access sessions) and AC.L2-3.1.16 (Authorize wireless access prior to allowing connections). These reflect DIB-wide weakness in third-party connection inventory, remote-work governance, and wireless network hygiene — all amplified by the post-2020 distributed-work shift.

**Configuration Management (CM family)** — CM.L2-3.4.1 (Establish baseline configurations) and CM.L2-3.4.6 (Employ least functionality) appear frequently in remediation backlogs. The root cause is typically inadequate IT asset management — contractors don't have authoritative inventories of devices, software, or configuration baselines.

**Incident Response (IR family)** — IR.L2-3.6.1 (Establish operational incident-handling capability) and IR.L2-3.6.3 (Test the organizational incident response capability) are common gaps for smaller firms. Many DIB contractors have written incident response plans that have never been tested.

**System & Communications Protection (SC family)** — SC.L2-3.13.11 (Employ FIPS-validated cryptography) is technically demanding for smaller firms. Cryptographic implementation requires both the right technology and the documentation showing FIPS validation status of each component.

These four families collectively account for approximately 55% of identified deficiencies in our engagement data. Firms preparing for assessment should prioritize gap analysis and remediation in these areas first.

Cost Reality

The economics of CMMC certification are not subtle. Typical cost components for first-time Level 2 certification:

**C3PAO assessment fee** — $45K-$180K depending on enclave size, scope, and assessor. The middle of the range ($75K-$120K) is most common for small to mid-size firms with focused CUI scope.

**Pre-assessment readiness consulting** — $30K-$200K depending on starting posture. Firms with mature ISO 27001 or SOC 2 controls need substantially less; firms with no formal cyber program need substantially more.

**Technology remediation** — Variable, often $50K-$500K. Endpoint detection, log aggregation, identity governance, and FIPS-validated cryptography are common investments.

**Ongoing compliance** — $20K-$80K annually for SSP/POA&M maintenance, training, monitoring, and the next 3-year re-assessment cycle preparation.

**Total first-cycle cost** — Realistically $150K-$900K, with $200K-$400K being typical for small to mid-size CUI-handling DIB firms. For firms whose DoD revenue is below $1M annually, the certification cost can exceed annual gross margin from federal work — driving the exit-from-DIB pattern noted earlier.

Projected Attainment Curve Through 2028

Combining the current assessment rate, projected C3PAO capacity additions, and observed DIB demand patterns, our projection for cumulative Level 2 certifications through 2028:

**End of 2026**: ~6,500 cumulative certifications (~8% of DIB Level 2 population)

**End of 2027**: ~13,000 cumulative certifications (~16% of population)

**End of 2028**: ~22,000 cumulative certifications (~28% of population)

This is a substantial shortfall against the implied requirement. The most likely policy response is some combination of (1) extended phase-in periods for clause incorporation; (2) acceptance of high-quality self-assessment + SPRS posting as an interim equivalent for lower-risk CUI categories; (3) targeted assessment subsidies for small business contractors; and (4) consolidation of small DIB firms into larger primes who can amortize certification costs across multiple contract awards.

For individual contractors, the strategic implication is unchanged: early certification is competitive advantage. Delaying to wait for policy relief is unlikely to produce a better outcome than initiating readiness work now.

What Contractors Should Do

For contractors handling CUI on DoD work, the practical sequence:

**Step 1 (next 30 days)**: Update the SPRS score using the current NIST SP 800-171 DoD Assessment Methodology. Even a low posted score is better than no score; missing scores are increasingly used as an automatic disqualifier on CUI task orders. See [DFARS 252.204-7019](/far/252-204-7019).

**Step 2 (next 60-90 days)**: Conduct a gap analysis against all 110 NIST SP 800-171 controls. Prioritize remediation in the four high-deficiency families (AC, CM, IR, SC).

**Step 3 (next 6 months)**: Implement remediation. Update the System Security Plan (SSP) and Plan of Action & Milestones (POA&M) to reflect closed gaps.

**Step 4 (months 6-12)**: Engage a C3PAO for pre-assessment readiness review. This is not the formal assessment — it's a paid dry run that surfaces gaps before the formal assessment counts against you.

**Step 5 (months 12-18)**: Complete formal Level 2 assessment. Plan for 6-12 weeks of assessor on-site/remote engagement plus reporting time.

Firms whose Level 2 certification is more than 18 months out should expect to lose eligibility for some CUI-handling task orders in the interim. Plan accordingly: deprioritize pursuits where CMMC posture will be a discriminator; double down on FCI-only and non-DoD work in the meantime.

Data Sources

  • CyberAB authorized C3PAO marketplace
  • DoD SPRS aggregate posting data (publicly available metrics)
  • FPDS-NG FY2024 obligation data filtered to DoD direct and subcontract awards
  • Publicly disclosed CMMC assessment findings
  • Aliff Solutions CMMC readiness engagement data (anonymized aggregate)
