CMMC 2.0. Is Your DoD Contract Ready?

Mandatory certification kicks in November 10, 2026. We can help you get compliant before the deadline.

Image

Starting November 10, 2026, every company working on Department of Defense contracts must hold a valid CMMC certification, primes & subcontractors alike.

If your firm handles DoD Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and has not completed the required assessment posted to the Supplier Performance Risk System (SPRS), you risk disqualification from new DoD awards, renewals, & option exercises.

This is not a voluntary target. It is a DoD contractual mandate.

Image

What's at Stake for Your DoD Work?

Contract Ineligibility

Contract Ineligibility:

DoD contracting officers cannot award new contracts to vendors lacking required CMMC certification.
No Option Extensions

No Option Extensions:

Your current DoD contracts may not be renewed & option periods may not be exercised.
Supply Chain Cutoff

Supply Chain Cutoff:

DoD prime contractors will terminate or pause work with uncertified subcontractors to protect their own standing.
C3PAO Backlog

C3PAO Backlog:

Thousands of DoD contractors are waiting. Booking an assessment could take months.
False Claims Liability

False Claims Liability:

Submitting DoD proposals without certification could trigger serious legal consequences.

Do You Need CMMC Level 2?

You likely need a Level 2 C3PAO assessment if any of the following apply:

  • Your DoD contracts reference DFARS 252.204- 7012 or 252.204-7021.
  • You process, store, or transmit CUI, such as technical specifications, schematics, or ITAR data, for DoD programs.
  • A DoD prime contractor is flowing down NIST SP 800-171 requirements to you.
  • Your DoD contract requires compliance with all 110 controls of NIST SP 800-171.
  • You are a subcontractor handling CUI on any DoD program.

The assessment is required every three years, applies to both DoD primes and subcontractors, and results must be posted to SPRS.

Your 5-Step Action Plan:

    1.
    Check your DoD contracts
    Review solicitations & existing contracts for DFARS 252.204-7021 or 252.204-7012.
    2.
    Define your scope
    Determine whether you require Level 1 (FCI only) or Level 2 (CUI) certification.
    3.
    Run a gap analysis
    Evaluate your current posture against all 110 NIST SP 800-171 controls.
    4.
    Book a C3PAO now
    Schedule your third-party assessment immediately. The queue is growing fast.
    5.
    Update SPRS
    Upload your self-assessment, affirmation, & certification status to the SPRS.
    CMMC Readiness Self-Assessment.
    Starting November 10, 2026, the Department of Defense will require CMMC Level 2 certification — verified by an accredited C3PAO — for contractors handling Controlled Unclassified Information (CUI). This checklist helps you determine whether your organization is affected and how prepared you are. Answer each question honestly. Every "No" or "Not Sure" represents a potential gap that could affect your ability to compete for or retain DoD contracts.
    Step 1 of 3
    Name: