CMMC 2.0 has been described as imminent for so long that many defense contractors stopped tracking the actual milestone schedule. 2026 is the year when the program transitions from "pending" to "mandatory in in-flight contracts," and the gap between what is required and what most contractors have actually built is exposed. The deadlines are not a single cliff edge; they are a phased rollout with sequenced contract clause inclusion, assessor capacity constraints, and reciprocity decisions that shape what each contractor needs to do, and when.
What is the actual phasing of CMMC 2.0 enforcement?
The Department of Defense finalized the CMMC 2.0 program rules through 2024 and 2025, and the contractual rollout is phased through 2026 and 2027. Phase one allows DoD program offices to include CMMC requirements in solicitations as the program ramps up. Phase two expands inclusion across more contracts and adds requirements for subcontractors. Phase three is full enforcement, where most DoD contracts that involve Federal Contract Information or Controlled Unclassified Information require CMMC certification at the appropriate level.
The dates of each phase have been adjusted multiple times, and the specific contract clauses that trigger each requirement vary across program offices. The pragmatic answer for contractors is that 2026 is the year in which opportunistic adoption ends. Contractors who have not yet started building toward CMMC are losing competitive position on new work, and the gap is widening rather than closing.
The phasing is also asymmetric across levels. Level 1 self-assessment, for contractors handling only Federal Contract Information, has the lightest burden and the earliest practical deadlines. Level 2 third-party assessment, for contractors handling Controlled Unclassified Information, has the heavier burden and a longer ramp because of assessor capacity. Level 3 government-led assessment, for the highest-sensitivity programs, has the smallest population but the longest path to certification.
Where is assessor capacity actually constrained?
C3PAOs, the certified third-party assessment organizations authorized to perform Level 2 assessments, have been ramping up capacity since 2023 but remain a constraint. The number of authorized C3PAOs is finite, the pipeline of trained assessors is finite, and the assessment process for a mid-size contractor takes weeks of assessor time. The contractors moving fastest to certification are the ones who reserved assessment capacity early, ideally as part of a multi-year compliance program.
The capacity constraint shapes the rollout dynamics in important ways. Even contractors who are technically ready cannot get certified faster than assessor scheduling allows. Program offices issuing solicitations with CMMC requirements know this, and most are accommodating phased certification rather than demanding instant compliance. The risk for contractors is that this grace period will not last forever, and waiting for capacity to free up is a worse strategy than getting in line.
The self-assessment paths, Level 1 and the Level 2 self-assessment subset, have no capacity constraint, but they do have credibility constraints. A self-attested certification is real but is treated with appropriate skepticism by program offices, and several major prime contractors are now requiring third-party Level 2 assessment from their subcontractors regardless of what the DoD baseline allows.
What are assessors actually looking for in 2026?
Assessors are focused on operational evidence, not just policies. The early days of CMMC 2.0 saw extensive policy documentation prepared and uploaded into System Security Plans. Assessors now ask to see the policies in operation, with tickets, logs, and outputs that demonstrate the controls actually function on production systems handling CUI.
Specific areas of intense scrutiny include access control, audit logging, configuration management, identification and authentication, and supply chain risk. Access control assessments look for evidence that least privilege is enforced through technical controls, not just declared in documents. Audit logging assessments look for centralized log aggregation, retention that meets the policy, and active review of high-priority events. Configuration management looks for baseline tracking, change control, and the ability to demonstrate that production systems match the documented baseline.
Supply chain risk has emerged as one of the most consistently weak areas across pre-assessments. NIST SP 800-171 and the supply chain enhancements expect contractors to know what software is running, where it came from, and what its vulnerability state is. Many contractors have asset inventories that cover hardware but stop at "we use Microsoft Office," which is not a software inventory in the sense the controls require. This is the area where contractors are most likely to fail an initial assessment.
How do supply chain controls fit into the certification path?
The supply chain controls in CMMC 2.0 derive from NIST SP 800-171 and the SP 800-172 enhancements. They require contractors to identify, assess, and monitor the supply chain for the systems handling CUI. The practical implementation includes maintaining an inventory of software components, evaluating supplier security postures, monitoring for component vulnerabilities, and having a process for supply chain incident response.
For most contractors, the right operational implementation is to treat SBOMs as the inventory and to wire SBOMs into the broader vulnerability management program. SBOMs make the inventory machine-readable, support automated vulnerability matching, and provide assessor-ready evidence with minimal manual work. Contractors who relied on spreadsheet-based inventories struggle to keep them current and tend to fail the operational evidence portion of the assessment.
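The SBOM-as-inventory approach above, as an added example that is not code from the original post or from any product it mentions: a constructed CycloneDX-style SBOM is parsed into a machine-readable software inventory with supplier provenance, matched against a constructed advisory feed (placeholder advisory ids), and packaged as evidence rows keyed by NIST SP 800-171 Rev 2 control numbers (3.4.1 for the inventory, 3.11.2 for vulnerability scanning); the SBOM contents, advisory feed and component names are all assumptions.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical CUI-handling service (sample data).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"name": "cui-ingest-service", "version": "4.2.0"}},
 "components": [
  {"type": "library", "purl": "pkg:pypi/requests@2.25.1", "supplier": {"name": "PSF community"}},
  {"type": "library", "purl": "pkg:deb/debian/libxml2@2.9.14", "supplier": {"name": "Debian"}},
  {"type": "application", "purl": "pkg:generic/office-suite@16.0", "supplier": {"name": "ExampleVendor"}}
 ]}"""

# Constructed advisory feed (placeholder ids): package ecosystem, name, first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "ecosystem": "pypi", "name": "requests", "fixed_in": "2.31.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-2", "ecosystem": "deb", "name": "libxml2", "fixed_in": "2.9.14", "severity": "high"},
]

def parse_version(v):
    """Dotted numeric versions only; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_purl(purl):
    """pkg:type/[namespace/]name@version -> (type, name, version)."""
    path, version = purl.split(":", 1)[1].rsplit("@", 1)
    parts = path.split("/")
    return parts[0], parts[-1], version

def software_inventory(sbom_json):
    """Machine-readable inventory: one row per component, with supplier provenance."""
    rows = []
    for c in json.loads(sbom_json)["components"]:
        ecosystem, name, version = parse_purl(c["purl"])
        rows.append({"ecosystem": ecosystem, "name": name, "version": version,
                     "supplier": c.get("supplier", {}).get("name", "unknown")})
    return rows

def match_advisories(inventory, advisories):
    """Flag components whose installed version is below the advisory's fixed version."""
    findings = []
    for row in inventory:
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) == (row["ecosystem"], row["name"]) and (
                    parse_version(row["version"]) < parse_version(adv["fixed_in"])):
                findings.append({**row, "advisory": adv["id"], "severity": adv["severity"], "fixed_in": adv["fixed_in"]})
    return findings

def evidence_pack(sbom_json, advisories):
    """Control numbers follow NIST SP 800-171 Rev 2 (3.4.1 inventory, 3.11.2 scanning); confirm against your baseline."""
    inv = software_inventory(sbom_json)
    return {"3.4.1": {"inventory_count": len(inv), "components": inv},
            "3.11.2": {"findings": match_advisories(inv, advisories)}}
```

Run on the real SBOMs your build pipeline emits and a live advisory feed, the same pack, regenerated on a schedule, is the operational evidence an assessor asks for rather than a static spreadsheet.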
Supplier risk assessment is the harder piece. Contractors need to evaluate the security of upstream suppliers whose software lands on CUI systems, which is hard for closed-source vendors and harder for open-source maintainers. The pattern that satisfies assessors is a tiered approach: critical suppliers get questionnaires and contractual commitments, important suppliers get periodic review, and less critical suppliers are monitored through automated tooling.
What are the most common gaps in pre-assessment reviews?
Three gaps recur across pre-assessment work. First, evidence is scattered across systems. Logs are in one platform, tickets are in another, configurations are in a third, and the assessor cannot trace a control from policy to implementation to evidence in a reasonable timeframe. Contractors who passed assessment had consolidated evidence repositories, often built as part of a compliance program, that let assessors see policy-to-evidence chains in minutes.
Second, the System Security Plan and the operational reality drift apart. SSPs get written, get approved, and then get neglected as systems evolve. By the time of assessment, the SSP describes a system that no longer exists. Assessors notice. The fix is to treat the SSP as a living document with the same change control rigor as code.
Third, supply chain controls get acknowledged but not implemented. Contractors describe an inventory program that does not exist, a supplier review process that has never been exercised, and a vulnerability management workflow that does not include third-party software. This is consistently the weakest area across pre-assessment populations and is where contractors lose the most time in remediation.
What changes through the rest of 2026?
The C3PAO pipeline will keep expanding through 2026, which gradually loosens the assessment capacity constraint. Several major systems integrators are establishing internal assessment readiness teams that essentially operate as embedded pre-assessors for their subcontractor base, which compresses the ramp-up time for smaller contractors.
The supply chain control set is expected to deepen. The DoD has signaled interest in tighter alignment with the CISA Secure-By-Design pledge and with the federal SBOM expectations, which means the version of CMMC that lands fully in 2027 may include sharper supply chain provisions than the 2024 baseline. Contractors building toward the current standard should design for this likely evolution.
Reciprocity discussions are also active. CMMC's relationship to FedRAMP, ISO 27001, and international defense procurement standards is being clarified, and reciprocity decisions through 2026 will reduce duplicative compliance work for vendors with unified compliance programs.
How Safeguard Helps
Safeguard fills the operational gaps that most often cause CMMC pre-assessment failures. The platform maintains a continuously updated software inventory across every CUI-touching system, generated from real artifacts rather than spreadsheets, with full SBOM coverage and supplier provenance. Lino compliance maps the inventory and the supporting telemetry directly to NIST SP 800-171 and SP 800-172 controls, generating SSP-aligned evidence packs that an assessor can trace from policy to implementation in minutes. Griffin reachability analysis prioritizes the supply chain vulnerabilities that are actually exploitable on production systems, so vulnerability handling SLAs apply where they matter, and integrations with ServiceNow, Jira, and Teams keep the operational workflow tied to the evidence assessors will look for. The result is a pre-assessment posture that holds up under scrutiny instead of one that falls apart in the first week.