CMMC 2.0 Requirements in 2026: Quick Guide for Small Manufacturers and Suppliers

If you're a small manufacturer or supplier in the defense supply chain, you've probably seen "CMMC 2.0 requirements" popping up everywhere. As of January 2026, Phase 1 is live: the DoW started including CMMC clauses in new contracts back on November 10, 2025. Miss this, and you risk losing subcontracts.

The Three Levels – What Applies to You?

Most small suppliers end up at Level 1 or Level 2.

  • Level 1 (Foundational) – Handles Federal Contract Information (FCI) only. Requires 15 basic safeguards from FAR 52.204-21. Do an annual self-assessment, submit score to SPRS, affirm compliance yearly. Low bar, but still mandatory for FCI work.

  • Level 2 (Advanced) – Handles Controlled Unclassified Information (CUI). Requires all 110 controls from NIST SP 800-171 Rev 2. In Phase 1 (now through Nov 9, 2026), many contracts allow self-assessment + annual affirmations. Starting Phase 2 (Nov 10, 2026), prioritized CUI contracts demand third-party certification from a C3PAO every 3 years. This is where most small businesses feel the pain.

  • Level 3 – Rare for small suppliers; high-risk programs only, adds NIST 800-172 extras assessed by DoD (DIBCAC).

2026 Timeline – Where We Stand

We're in Phase 1 (Nov 2025 – Nov 2026): Level 1 and Level 2 self-assessments in new solicitations. Affirm in SPRS.

Phase 2 hits Nov 10, 2026: Level 2 third-party certs required for more contracts (especially CUI). Backlogs for C3PAOs are already building, so plan now or wait months.

Full rollout wraps by late 2028.

Quick Action Steps for Small Manufacturers

  1. Determine if you handle CUI (ask your prime or review contracts/data markings).

  2. Run a gap assessment against NIST 800-171 (free self-scan tools exist; paid consultants speed it up).

  3. Document your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).

  4. Complete self-assessment if Level 2 applies now, submit to SPRS, affirm annually.

  5. Budget for potential C3PAO costs in 2026-2027 (tens of thousands, depending on size).

The DoW isn't budging and compliance is now a contract condition. Small businesses get some relief (lower affirmation costs, phased entry), but the clock is ticking.
