Skip to content
Close
Contact Sales
Contact Sales
VC3 is the bar

We Make IT Easy

With VC3, it’s never license this, per hour that. Instead, it’s good people. Good people who work tirelessly .

Learn More
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA
Get out of the IT trenches

Municipalities

VC3 has spent the last 29 years making IT
personal, making IT easy, and getting IT
right for over 1,100 municipalities.

Learn More

Municipal League Partnerships

VC3 is the IT partner that focuses on municipalities. We understand your budgeting cycles and critical
concerns.
Our Partners

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!

 

All Resources
Get Started
5 min read

Navigating CMMC Changes in 2026: What You Need to Know

Subscribe

In 2026, CMMC is getting real. 

Until November 2025, CMMC always seemed to be on the horizon—coming soon, something to put off, nothing to worry about right now. While certain CMMC phases are still far off, CMMC Phase 1 is already here—with Phase 2 taking effect November 10, 2026. 

What does that mean for your organization in 2026? Documentation rigor, continuous compliance attestation, and requirements for tighter enforcement of CMMC controls all intensify this year—especially if Level 1 or Level 2 requirements apply to you. 

This article takes you through the most important CMMC changes in 2026 that will impact your organization’s ability to do business with the DoD. 

🔎Need a CMMC refresher? Check out our CMMC guide. 

CMMC Phase 1 Already in Effect 

The biggest change to CMMC requirements in 2026 is the launch and full implementation of Phase 1 (which took effect November 10, 2025). If you are a Level 1 or Level 2 contractor, a self-assessment is now required to do business with the DoD. Your self-assessment results must be submitted in the Supplier Performance Risk System (SPRS) and you must also submit an annual executive affirmation. 

You might think, “Whew! I’m off the hook for third-party audits.” However, contracting officers may still mandate third‑party assessments for high-risk CUI programs in select contracts—so be prepared if you suspect this requirement may apply to you. 

Some Phase 1 activities you must complete in 2026 include: 

  1. Determining your CMMC level: It’s important to understand your requirements and accurately share your SPRS status with prime contractors. 
  2. Accurately scoping your environment: Clearly identify all systems and users that handle FCI or CUI. If you are Level 2, then you need to capture complete evidence sets including policies, configurations, logs, user roles, etc. 
  3. Conducting your self-assessment ASAP: This will help you uncover and address any critical gaps. Otherwise, you risk ineligibility for important contracts. Your self-assessment should include a System Security Plan (SSP) and Plan of Actions and Milestones (POA&M). 
  4. Submitting your SPRS entry and affirmation: Log in to SPRS, complete the required fields, and have an authorized official affirm the accuracy of your submission. Remember, SPRS status is required to bid and be awarded (or maintain) contracts under Phase 1. 
  5. Preparing for a potential C3PAO assessment: While not mandatory, prime contractors such as Lockheed Martin and Boeing are already pushing Level 2 suppliers toward third-party certification, especially if handling CUI. 

If you fail to stay on top of these requirements, you risk: 

  • Losing eligibility for winning and renewing contracts if you don’t have an up-to-date SPRS entry.
  • Scrambling too late to win contracts this year—considering that Level 2 implementations, including NIST control alignment and documentation, usually require 6–12 months of work if you haven’t already started.
  • Losing contracts to your competitors—which is a shame because a shockingly low number of DoD contractors are currently CMMC compliant.  

…And Phase 2 Is Coming Faster Than You Think 

On November 10, 2026, Level 2 CMMC certification by a C3PAO will become mandatory for contracts handling CUI. While that date may seem far away, it’s really not when you consider all the work that must take place to ready yourself for a C3PAO audit. A self-assessment won’t be enough after that date. 

As with Phase 1, pre-award submissions during Phase 2 must include your current CMMC status posted in SPRS. That means your SPRS profile must reflect your Level 2 certification, including expiration dates and the affirming official. Otherwise, your bids may be rejected.  

Note that some Level 2 certifications may be conditional, allowing POA&Ms for minor deficiencies. These must be closed within 180 days or your certification will expire. 

If you don’t plan ahead to address these Phase 2 requirements, you risk: 

  • Missing the Phase 2 deadline—because it can take some contractors up to 18 months to fully prepare for a C3PAO audit.
  • Failing an evaluation that’s required by end of year to win a contract.
  • Prime contractors excluding you from contracts.
  • Falling too far behind to catch up, affecting your ability to compete for DoD contracts over the next few years.

 

Common Questions About 2026 CMMC Changes 

What are the new CMMC requirements in 2026? 

Phase 1 is already in effect (as of November 10, 2025), requiring all Level 1 and Level 2 contractors to complete a self‑assessment. Phase 2 begins on November 10, 2026, and introduces mandatory third‑party Level 2 certification for any contracts involving Controlled Unclassified Information (CUI). 

When is Level 2 CMMC certification required? 

Mandatory Level 2 certification by a C3PAO is required starting November 10, 2026 for any new DoD contract that includes CUI. 

How long does it take to prepare for a Level 2 audit? 

It typically takes 6–12 months to implement or remediate the NIST 800‑171 controls required for Level 2. 

What documentation do I need for CMMC Level 2? 

A complete System Security Plan (SSP), a Plan of Action & Milestones (POA&M) for any incomplete controls, and evidence showing implementation of each control. 

What is SPRS, and why is it required? 

The Supplier Performance Risk System (SPRS) is the DoD system where contractors must submit their CMMC self‑assessment scores and annual executive affirmations. 

--- 

2026 marks a crucial shift with CMMC requirements. Level 1 self-assessments are already here, Level 2 third-party certification will become mandatory, and documentation will intensify. If you need one takeaway from this article, it’s this: If your organization handles CUI, you need to start (or finish) your Level 2 readiness now. 

Ultimately, organizations that treat CMMC as an ongoing risk management program—not a one‑time audit—will be better positioned for awards and renewals through 2026 and beyond. Now is the time to position your organization not only for compliance but also as a cybersecurity leader in the defense industrial base. 

TL;DR

In 2026, CMMC enforcement accelerates. Phase 1 (already in effect) requires Level 1 and Level 2 contractors to complete and submit self‑assessments, SSPs, and SPRS affirmations. Phase 2 (November 10, 2026) will mandate third‑party Level 2 certifications for CUI environments. Contractors who do not begin preparation now risk losing eligibility for new DoD contracts and renewals. 
Jan 26, 2026

Kevin Howarth

Let's talk about how VC3 can help you AIM higher.