CMMC Rev 3 Compliance in 2026: What Defense Contractors Must Know Before It’s Too Late 



If you hold a DoD contract or want one, your cybersecurity posture is now a legal requirement, not a box to tick. 

CMMC Rev 3 compliance is live. The phased rollout is already in motion, and November 2026 is the date most contractors handling Controlled Unclassified Information (CUI) will stop being able to self-certify. After that, you’ll need a third-party audit. No audit, no contract. The DoD isn’t sending reminders. 

Here’s what that means for your business, and what you should be doing right now. 

What actually changed with CMMC Rev 3 

The current CMMC framework is built on NIST SP 800-171 Revision 2, which covers 110 security controls for protecting CUI. Most defense contractors have been familiar with these since the earlier days of DFARS 252.204-7012. 

Revision 3 of that same NIST standard was published in May 2024. It adds three new security control families to the existing eleven, covering supply chain security, incident response, and protection against advanced threats. The DoD has already defined the organization-specific parameter values for Rev 3, which tells contractors exactly how tight the controls need to be. For example, under Rev 3, you’re limited to five consecutive failed login attempts within a five-minute window, and user identifiers cannot be reused for ten years. 
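As an added illustration (not code from the original post, the DoD, or CyberX Gov Solutions), the following Python script replays a constructed authentication log against the two parameter values just quoted: it reports every point at which five consecutive failures inside a five-minute window should have locked an account, and it checks a proposed user identifier against a constructed list of retired identifiers and the ten-year reuse ban. The log format, usernames, timestamps, and retired-identifier list are all assumptions made for this example; the point is the sliding-window logic a contractor can run over a real IdP or SIEM export to confirm the configured parameters actually behave as stated.

```python
"""Checks for two NIST SP 800-171 Rev 3 parameter values (added example).

Not DoD or CyberX Gov Solutions material. Log lines, user names and the
retired-identifier list below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parameter values as the article describes them (assumed applied exactly as
# stated): 5 consecutive failures inside a 5-minute window locks the account;
# a retired user identifier may not be reissued for 10 years.
MAX_CONSECUTIVE_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=5)
IDENTIFIER_REUSE_BAN = timedelta(days=365 * 10)

# Constructed authentication log: "<ISO timestamp> <user> <FAIL|SUCCESS>".
# alice: 5 failures one minute apart -> must lock at 09:04:00.
# bob:   4 failures, a success, 4 more failures -> run is broken, no lock.
# carol: 5 failures but the first two fall outside the window -> no lock.
SAMPLE_AUTH_LOG = """\
2026-01-15T09:00:00 alice FAIL
2026-01-15T09:00:00 bob FAIL
2026-01-15T09:00:00 carol FAIL
2026-01-15T09:00:30 bob FAIL
2026-01-15T09:01:00 alice FAIL
2026-01-15T09:01:00 bob FAIL
2026-01-15T09:01:00 carol FAIL
2026-01-15T09:01:30 bob FAIL
2026-01-15T09:02:00 alice FAIL
2026-01-15T09:02:00 bob SUCCESS
2026-01-15T09:02:00 carol FAIL
2026-01-15T09:03:00 alice FAIL
2026-01-15T09:03:00 bob FAIL
2026-01-15T09:03:00 carol FAIL
2026-01-15T09:03:30 bob FAIL
2026-01-15T09:04:00 alice FAIL
2026-01-15T09:04:00 bob FAIL
2026-01-15T09:04:30 bob FAIL
2026-01-15T09:06:30 carol FAIL
"""

# Constructed: identifier -> ISO date on which it was retired.
RETIRED_IDENTIFIERS = {
    "jdoe": "2020-03-01",
    "msmith": "2015-08-20",
}


def parse_auth_log(text):
    """Turn the log text into (timestamp, user, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result == "SUCCESS"))
    return sorted(events)


def lockout_report(text, max_failures=MAX_CONSECUTIVE_FAILURES, window=FAILURE_WINDOW):
    """Replay the log against the lockout parameter.

    Returns {user: [ISO timestamp, ...]} giving each moment at which the
    account should have locked. A success resets the run of consecutive
    failures; failures older than the window slide out of the run.
    """
    recent_failures = defaultdict(list)
    triggered = defaultdict(list)
    for when, user, succeeded in parse_auth_log(text):
        if succeeded:
            recent_failures[user].clear()  # consecutive-failure run is broken
            continue
        run = [t for t in recent_failures[user] if when - t < window]
        run.append(when)
        if len(run) >= max_failures:
            triggered[user].append(when.isoformat())
            run = []  # account locks here; a fresh run starts after unlock
        recent_failures[user] = run
    return dict(triggered)


def identifier_available(candidate, as_of, retired=RETIRED_IDENTIFIERS, ban=IDENTIFIER_REUSE_BAN):
    """True if `candidate` was never issued, or was retired at least `ban` before `as_of` (ISO date)."""
    retired_on = retired.get(candidate)
    if retired_on is None:
        return True
    return datetime.fromisoformat(as_of) - datetime.fromisoformat(retired_on) >= ban


if __name__ == "__main__":
    for user, times in lockout_report(SAMPLE_AUTH_LOG).items():
        print(f"{user}: lockout should have triggered at {', '.join(times)}")
    for cand in ("jdoe", "msmith", "newuser"):
        verdict = "available" if identifier_available(cand, "2026-01-15") else "blocked by 10-year reuse ban"
        print(f"{cand}: {verdict}")
```

Running the script prints one lockout for alice and none for bob or carol, which is the behaviour an assessor would expect from a correctly configured identity provider; comparing this replay against the lockout events your IdP actually recorded is a cheap way to catch a threshold or window that was set differently from the documented parameter.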

A formal CMMC 3.0 rule hasn’t been issued yet. But the DoD published these parameter values in April 2025 as a clear signal that the update is coming, likely within 12 to 18 months. If you’re finishing Rev 2 compliance now, treat Rev 3 preparation as the next phase, not a future problem. 

The Hard Deadline You Can’t Ignore 

The DoD is phasing in CMMC Rev. 3, but don’t let the word “phased” fool you. 

Phase 1: Now through Nov 2026 
  • Self-assessment allowed for Level 2 (CUI) contracts. 
  • But the DoD can require a full third-party audit at any time. 

Phase 2: Starts Nov 10, 2026 
  • Full stop. No more self-attestation. 
  • 93% of contractors handling CUI will need a C3PAO audit. 

Phase 3: 2027 onward 
  • Level 3 (top-secret programs) begins. 
  • Government-led DIBCAC audits. 

Why this matters right now. A typical CMMC Level 2 readiness journey takes 12 to 18 months. If you start in late 2026, you’ve already lost. 

Level 2 Is the New Baseline (And It’s Tough)   

Have you been self-certified for NIST SP 800-171 and resting easy? Not anymore. In CMMC Rev. 3, Level 2 requires an independent assessment of all 110 controls. No more “we’re working on it.” Compliance needs to be supported by: 

  • Logged audit trails  
  • Configuration screenshots  
  • Documented policies with signatures  
  • Evidence that MFA is mandatory for all those with access to CUI  
  • Encryption per FIPS 140-2 standards  

A POA&M won’t save you either. You are permitted fewer than 10 risk-based assessment findings on it, and those must be remediated within 180 days. 

Who needs Level 3, and what it involves 

Level 3 is for a smaller group, roughly 1% of the Defense Industrial Base, according to DoD estimates. It applies to contractors working on programs where CUI needs to be protected against advanced persistent threats, meaning nation-state level adversaries. 

Getting to Level 3 is a two-step process. First, you need a final Level 2 certification from a C3PAO with no open POA&Ms. Then, you go through a DIBCAC assessment, which is conducted by the Defense Contract Management Agency. 

Level 3 assessments cover 134 controls in total: the 110 from NIST SP 800-171 Rev 2, plus 24 selected controls from NIST SP 800-172. You need a minimum score of 80% to pass. Certification is valid for three years, with an annual senior-official affirmation required every year in between. 

Note that seven specific SP 800-172 controls cannot be placed on a POA&M at all. Those must be fully implemented before you can initiate the assessment. 

Phase 2 (November 2026) is when Level 3 requirements can begin appearing in solicitations. If your programs involve advanced threat protection, don’t assume Level 3 is a 2027 concern. 

The real cost of non-compliance 

This isn’t just about missing a bid. The DoJ and DoD are now actively pursuing contractors who misrepresent their cybersecurity posture. 

A defense contractor recently settled for $4.6 million under the False Claims Act after being found to have inadequate CUI protections. A whistleblower in that same case received $851,000. These enforcement actions are increasing, not tapering off. 

The math is straightforward. Compliance requires time and investment up front. Non-compliance risks losing all DoD contracts, absorbing legal liability, and the kind of reputational damage that’s very hard to recover from in the federal contracting space. 

A realistic 90-day starting point 

You don’t need to panic. You do need to move. Here’s a realistic timeline:  

Month 1: Find Your CUI  

You can’t protect what you can’t find.  

  • Audit every device, cloud drive, email account, and server  
  • Smart move: Isolate CUI into a secure enclave to reduce audit scope (saves time and money)  

Month 2: Close the Gaps  

Compare your current security to the 110 NIST controls. Common failures include: 

  • Missing MFA 
  • No audit logging 
  • Outdated incident response plan 
  • Weak encryption 

Focus on getting your SPRS score as high as possible, ideally with zero unmet controls. 

Month 3: Document Everything  

C3PAO auditors don’t take your word for it. They want evidence.  

  • Finalize your System Security Plan (SSP)  
  • Draw an accurate network diagram  
  • Start an evidence log (e.g., “User X logged in with MFA on Date Y at Time Z”)

How CyberX Gov Solutions helps 

At CyberX Gov Solutions, we work with government contractors across the federal marketplace to prepare for compliance requirements before they become contract-blocking problems. Whether you’re still in the gap assessment stage, building toward your first C3PAO audit, or trying to understand what a CMMC requirement in a new solicitation actually means for your business – we’ve seen it before. 

Our Get Fed Ready program is built for exactly this situation: contractors who need to compete on federal work but need support getting the compliance and documentation side right. We also help with proposal development, so when you are compliant and ready to bid, your response reflects that. 

Ready to talk through where you stand? Schedule a strategy call with our GovCon experts.  

Frequently asked questions 

What is CMMC Rev 3, and is it required now?  

CMMC Rev 3 refers to an expected update to CMMC that aligns with NIST SP 800-171 Revision 3. The current CMMC 2.0 rule still assesses against Rev 2. Rev 3 requirements are not formally mandatory yet, but the DoD has signaled they’re coming within 12 to 18 months. Contractors should prepare now rather than wait for a formal deadline. 

When does the Phase 2 CMMC deadline kick in? 

Phase 2 starts November 10, 2026. After that date, self-attestation ends for most contracts involving CUI. The majority of contractors at Level 2 will need a third-party assessment from a C3PAO before they can bid on covered contracts. 

Do small businesses need CMMC certification, too?  

Yes. If your business handles CUI or FCI as part of a DoD contract or subcontract, CMMC requirements apply regardless of company size. Small subcontractors are not exempt. 

How long does CMMC Level 2 certification take?  

Most organizations take 12 to 18 months to get fully ready for a C3PAO assessment, depending on their current security baseline. Scheduling the assessment itself adds additional lead time as demand for assessors increases closer to the November 2026 deadline. 

How can CyberX Gov Solutions help Defense Contractors?  

We help defense contractors understand their compliance requirements, prepare documentation, and position themselves to compete on federal contracts. Our Get Fed Ready program covers the groundwork you need, and our proposal development team ensures your bid reflects your compliance status.