- **CMMC isn't new rules.** The 110 controls behind it (NIST SP 800-171) have been a contractual requirement since 2017 via DFARS 252.204-7012. CMMC is the verification of rules you were already supposed to be following.
- **Three penalty layers, in order of immediacy:** contracts (no certification, no new DoD work), legal (False Claims Act exposure with treble damages), personal (the CEO or CFO who signs the annual affirmation has personal criminal exposure under 18 USC § 1001).
- **The enforcement is real and recent.** The MORSE Corp $4.6M settlement (March 2025) and the Danielle Hillmer criminal indictment (December 2025) are not the ceiling. They're the floor. The DoJ recovered $52M+ across nine cybersecurity FCA cases in FY2025 alone.
- **The stay-or-go decision is the real first decision** — and it's the conversation nobody else will have with you. It depends on six factors, and the maths is different for every business. Some contractors should certify. Some shouldn't.
- **Honest paths through this exist.** The article ends with the first three decisions that matter and free resources you can use this week — no email required.
If you’re reading this, someone has probably just told you that your business needs to do something about CMMC. Maybe a prime contractor asked about your status. Maybe a bid came back marked non-responsive. Maybe your IT manager or MSP has been raising it with a slightly panicked tone. Maybe you read a headline about a defense contractor settling False Claims Act cases for millions and thought: could that be us?
What you’re hearing is real, and it matters. The single most important date on your calendar is 10 November 2026. That’s when Phase 2 of the CMMC program begins, and the eight-year honour system that governed defense cybersecurity ends. From that day forward, contracting officers will require independently-verified Level 2 certification by default for any new DoD contract involving Controlled Unclassified Information. Self-attestation will no longer be enough. The DoD estimates more than 76,000 contractors need Level 2 certification. As of February 2026, fewer than 1,100 had completed it.19
That’s roughly seven months from now. A typical readiness journey takes 12 to 14 months from gap analysis to C3PAO certification. C3PAO scheduling lead times are already 6 months and growing, with some hubs already booking into 2027. The arithmetic, if you do it in your head, is uncomfortable. It’s meant to be.
But Phase 2 isn’t the end of the world for any individual contractor — not yet. The phased rollout means existing contracts don’t get canceled overnight; the squeeze comes through option exercises, recompetes, and new awards. The decisions you make in the next 30 days — not the next seven months — are what determine where your business sits when the squeeze starts.
What you’re being told about CMMC is often confused, vendor-tinted, or selling something. This article exists for one reason: to give you a calm, well-sourced, plain-English picture of where CMMC sits, why it exists, what happens if you don’t comply, and the most important question nobody else will ask you — whether it makes sense to stay in the defense supply chain at all.
We’ve walked this conversation with CEOs and CFOs at companies ranging from 20-person engineering shops to 300-person systems integrators. The pattern is the same. The first 30 minutes are confusion. The next 30 minutes are quiet alarm. Then come the questions that should have been asked first — the ones this article tries to answer.
What CMMC actually is, in plain English.
CMMC is the US Department of Defense’s cybersecurity certification program for any contractor that handles defense information. Three levels, mapped to the sensitivity of the data:
| Level | Who it applies to | What’s required | Who assesses |
|---|---|---|---|
| Level 1 — Foundational | Contractors handling Federal Contract Information (FCI) only — basic contract paperwork, low-sensitivity work product | 15–17 basic cyber hygiene practices from FAR 52.204-21 | You. Annual self-assessment in SPRS1 |
| Level 2 — Advanced | Contractors handling Controlled Unclassified Information (CUI) — technical drawings, specs, anything sensitive. ~98% of CMMC certifications happen at this level.2 | 110 controls from NIST SP 800-171, scored out of a possible 110 in SPRS | A C3PAO — an independent CMMC Third-Party Assessor Organization. Re-assessed every three years. |
| Level 3 — Expert | Contractors on the highest-risk DoD programs — advanced persistent threat targets | 110 NIST 800-171 controls + 24 enhanced controls from NIST 800-172 (134 total) | The DoD itself, via DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) |
The most important thing to take from this section:
CMMC is not a new set of rules. The 110 controls it verifies (NIST SP 800-171) have been a contractual requirement on DoD work since 2017 via DFARS 252.204-7012. CMMC is the verification of rules you were already supposed to be following.
That reframing matters. The defense industry has been operating on an honour system for eight years. Contractors self-attested that they were implementing NIST 800-171. When the DoD eventually started auditing those claims through its assessment arm (DIBCAC), the picture wasn’t pretty — many contractors couldn’t demonstrate the compliance they had claimed.3 CMMC formalises a verification regime that the original DFARS clause assumed would happen voluntarily and didn’t.
We’ve published a free, plain-English reference for all 110 NIST SP 800-171 controls at learn.ancitus.com. Each control includes the assessor question, the evidence required, common implementation patterns, and how the C3PAO will verify it. No login. No email. We built it because the NIST PDF is impenetrable for non-IT readers, and the assessors’ guidance (NIST 800-171A) is even worse.
FCI vs CUI — the only acronyms you need today
You’ll hear these two terms constantly. Here’s what they actually mean:
FCI (Federal Contract Information) is information not for public release, provided by or generated for the government under a contract. Basic contract paperwork, low-sensitivity stuff. If you do any DoD work at all, you almost certainly handle FCI — it’s the broader category. FCI gets Level 1.
CUI (Controlled Unclassified Information) is the narrower, more sensitive category. Engineering drawings, technical specifications, military test data, export-controlled component designs, source selection information. If your contracts include the clause DFARS 252.204-7012, you almost certainly handle CUI. CUI gets Level 2.
All CUI is FCI. Not all FCI is CUI. The vast majority of small and mid-sized defense contractors fall into Level 2.
Open any active DoD contract or solicitation. Search for the text 252.204-7012. If you find it, you handle (or are expected to handle) CUI, and you need to plan for CMMC Level 2.
If you only find FAR 52.204-21 and no 7012 reference, you’re likely a Level 1 contractor.
If you genuinely can’t find either, you may be on a contract that doesn’t carry cybersecurity obligations — or you may be looking at the wrong document. Ask your contracts officer.
Want the longer answer? Identifying CUI is harder than it looks — the marking system is unreliable, and most contractors get scope wrong on the first pass. We’ve written a full piece on the four-step CUI discovery process and the five categories that cover ~95% of what defense contractors handle: How to identify CUI: a practical guide for defense contractors.
Three quick checks before you assume you’re out of scope
Three patterns we see repeatedly. If any of them describes your situation, you’re in scope — even if you assumed you weren’t.
1. You’re a subcontractor. The prime is certified. Are you covered? No. CMMC requirements flow down independently. If your prime passes CUI to your business, you must meet the same level the prime’s contract required — you can’t inherit the certification. This is the most common compliance gap we see. Primes are now actively auditing their sub-tiers and dropping subs who can’t show readiness.20
2. You think CMMC is “just an IT problem.” Is it really? Probably not. Any system that processes, stores, or transmits CUI is in scope. That includes your CRM if it ingests email from government contacts. Any AI tool you use to write proposals, if CUI ends up in the prompt. Your file-sharing platform. Every laptop a CUI-handling employee uses. Most CEOs assume “scope” means “our IT infrastructure” — in reality, scope is wherever the data goes. Decisions you make here will drive your costs for the next 12 months.21
3. You sell commercial off-the-shelf products. Does that exempt you? Mostly no. Contracts exclusively for COTS items are exempt, and contracts below the micro-purchase threshold are exempt. But there’s no general exemption for FAR Part 12 commercial product or service contracts. If your commercial-item contract involves FCI or CUI, CMMC still applies.22
Why the government is doing this now.
If a regulation feels arbitrary, the rest of the conversation gets harder. So it’s worth a paragraph on the why, because it’s not actually arbitrary.
Three things drove this:
First, the honour system didn’t work. Between 2017 and 2020, contractors self-attested NIST 800-171 compliance. When DIBCAC started auditing, they found scores being reported at +100 with actual scores in the negative.3 The DoD’s own Inspector General confirmed in DODIG-2023-078 that compliance verification was systematically absent.4
Second, the cyber attacks on the supply chain are real and constant. The largest US defense systems have been routinely targeted by nation-state actors — principally Chinese state-affiliated groups — through the smallest, least-secure links in their supply chains. The 2020 SolarWinds breach, the breaches of multiple US Navy submarine contractors, the 2024 incidents involving cleared contractors and stolen weapons systems data — each was made possible by the security posture of the contractor, not the prime.
Third, the Department of Justice operationalised enforcement. In October 2021, then-Deputy Attorney General Lisa Monaco launched the Civil Cyber-Fraud Initiative, explicitly tying the False Claims Act — an 1863 Civil War statute — to cybersecurity misrepresentations.5 If you certify compliance to win a contract and the certification is materially false, that’s a false claim. Treble damages, per-claim penalties, individual liability.
By FY2025, the Initiative had matured. The DoJ recovered over $52 million across nine cybersecurity False Claims Act settlements in that fiscal year, more than triple the prior year.6 The cases section below walks through five of the most consequential.
What happens if you don’t comply.
This is the section where most CEOs sit up. We’ll handle it in three layers, in order of how immediately you’ll feel each one.
Layer 1 — The contract layer (immediate)
This is the simplest layer to understand. If you don’t have the right CMMC level, you cannot bid on DoD contracts that require it. Existing contracts at recompete or option exercise are out too. There’s no grace period after the relevant phase boundary.
Phase 1 began on 10 November 2025. Self-assessments at Levels 1 and 2 are now appearing in solicitations.7 Phase 2 begins on 10 November 2026, when most Level 2 contracts will require C3PAO certification, not self-attestation. By Phase 4 (10 November 2028), CMMC requirements will be in every applicable DoD contract.
The primes aren’t waiting for the phase boundaries. Lockheed Martin, Boeing, Raytheon, and Northrop Grumman are already auditing their sub-tiers and asking for documented SPRS scores. Some are color-coding suppliers green, amber, red. Some are restricting CUI flow-down to non-certified subs. The contract pressure is here, not coming.
Generally, no. Phase 2 is not retroactive to contracts already awarded. Your existing contract continues. What changes are option exercises, recompetes, task orders under existing IDCs, and any new contracts after 10 November 2026 — those will require the appropriate CMMC certification status. The practical effect is that your business pipeline starts shutting off, not that an existing contract is yanked.
For most contractors, the option exercise is the squeeze point. A three-year contract awarded in 2024 with annual option years comes up for option exercise in 2027 and 2028 — both inside the Phase 2 and Phase 3 windows. If you’re not certified by then, the option isn’t exercised, and the contract effectively ends.
And the assessor capacity isn’t there. There are around 100 fully-authorised C3PAOs serving an estimated 76,000+ Level 2 contractors, with roughly 750 certified CMMC assessors across the whole ecosystem.19 Even if every authorised assessor worked nonstop, the pipeline cannot absorb the demand about to hit it. Aerospace and defense hubs — Maryland, Northern Virginia, Southern California, Massachusetts — are already booking into late 2026 and 2027. If you wait until your contract forces you to certify, the certification capacity will not be there.
Layer 2 — The legal layer (the wake-up)
This is the layer most CEOs hadn’t considered before. The False Claims Act is the federal government’s primary anti-fraud statute. Under 31 USC § 3729, knowingly making a false claim — or being recklessly indifferent to whether a claim is true — carries:
- Civil penalties of $14,308–$28,619 per false claim (figures as adjusted for inflation by the DoJ in July 2025)8
- Treble damages — three times the actual damages to the government
- Plus the relator’s (whistleblower’s) attorney fees and costs
The mechanism: every invoice you submit on a contract that requires CMMC compliance is — legally — a “claim.” If the underlying compliance is false, every one of those invoices is potentially a false claim.
And the whistleblower mechanic matters. The False Claims Act’s qui tam provisions allow private individuals to file suits on the government’s behalf and receive 15–30% of the recovery. In the MORSE Corp case below, the whistleblower received $851,000.9 Most of the cybersecurity cases the DoJ has settled started with a former employee.
Here are the five enforcement cases that most define the current landscape:
MORSE Corp (2025)
A Cambridge, Massachusetts defense contractor settled with the DoJ over False Claims Act allegations spanning January 2018 to February 2023. MORSE submitted a SPRS score of 104 out of 110 in January 2021 — near-perfect compliance. In July 2022, a third-party gap analysis revealed the actual score was negative 142. MORSE did not correct the score until June 2023, three months after the DoJ served a subpoena. The case was brought by a qui tam relator (MORSE's own head of security) who received $851,000 of the settlement.9
The pattern: the case turned on the gap between what was claimed and what was real. Not on a breach. There was no allegation that any CUI was stolen.
Health Net (2025)
A managed care provider administering health benefits for military servicemembers settled with the DoJ over alleged false cybersecurity compliance certifications on a TRICARE contract from 2015–2018. The allegations centred on certifications made to obtain and maintain the contract, not on a specific breach.10
University research (2024)
A major university research institution settled to resolve allegations that it submitted a false SPRS score and failed to install anti-malware tools on systems handling CUI in a research lab. The case is notable because it shows the FCA reaching research institutions that don't think of themselves as defense contractors.11
Aerojet (2022)
The first major FCA settlement under the Civil Cyber-Fraud Initiative. Aerojet settled allegations that it misrepresented its compliance with cybersecurity requirements in DoD and NASA contracts. The case established the legal theory that cybersecurity certifications are material to government payment decisions.12
Subcontractor contract loss (2025)
A defense subcontractor with $5 million in annual DoD revenue delayed CMMC compliance, believing the deadline was further away than it was. When the prime contractor flowed down CMMC Level 2 requirements in Q4 2025 with 90 days' notice to comply or be removed from the contract, the subcontractor couldn't get there in time. They lost the contract. That contract represented 40% of the company's revenue.23
Why this matters more than FCA cases: the FCA settlements are dramatic, but contract loss is what will hit most contractors first. The primes don't wait for Phase 2. They're already dropping non-compliant subs. This subcontractor never got investigated, never got sued, never got indicted. They just lost the work.
Danielle Hillmer (2025)
A federal grand jury in DC indicted Hillmer, 53, a former senior manager at Accenture Federal Services13, on two counts of wire fraud, one count of major government fraud, and two counts of obstructing federal audits. The indictment alleges Hillmer misrepresented FedRAMP High and DoD Impact Level 4/5 compliance on a cloud platform used by the US Army, Department of State, Department of Veterans Affairs, and at least three other agencies between March 2020 and November 2021. Contracts involved were valued at more than $250 million. The indictment quotes a July 2021 internal chat: an employee writes "we've dodged the [multi-factor authentication] implementation bullet for now, but it could come up again… We aren't out of the woods yet", and Hillmer responds with a fingers-crossed emoji.14
Maximum penalties if convicted: 20 years for each wire fraud count, 10 years for major government fraud, 5 years for each obstruction count.
Why this case matters: the conduct described is exactly the kind of "we'll fix it later" decision a manager under pressure to win contracts might make. The DoJ chose to prosecute her personally, not just the company.
Worth noting: Hillmer is technically a FedRAMP case, not a CMMC case. But the legal theory is identical — misrepresenting cybersecurity compliance to win federal contracts — and the same DoJ Civil Cyber-Fraud Initiative pursues both. If you sign a CMMC affirmation knowing your controls aren't where you've claimed, you're sitting in exactly the same statute the DoJ used against Hillmer.
Layer 3 — The personal layer (the Affirming Official)
Under 32 CFR § 170.22, an “Affirming Official” must submit an annual affirmation in SPRS that the organization has implemented and continues to maintain all applicable CMMC security requirements. At small and mid-sized contractors, that’s almost always the CEO or CFO.15
If that affirmation turns out to be wrong, exposure isn’t limited to the company. Under 18 USC § 1001, materially false statements to the federal government carry up to five years in prison for the individual making them. Under 31 USC § 3729, the company faces the FCA exposure. The two run in parallel.
The Hillmer indictment is the first time the DoJ has used these statutes against an individual on cybersecurity compliance grounds. It will not be the last. Industry analysts now expect personal indictments to become routine through 2026.16
Within 60 days of the first major False Claims Act indictment against an officer, D&O insurers began excluding CMMC affirmation liability from standard policies and adding new endorsements that require evidence of an actual C3PAO assessment before an officer signs an affirmation.16 If you’re relying on D&O cover, talk to your broker.
The decision before the decision.
Here’s where most articles in this space lose their nerve. They tell you what CMMC is, list the penalties, and move straight to here’s how to comply. That’s a vendor pitch. The actual first decision is whether your business should stay in the defense supply chain at all.
For some contractors, the answer is unambiguously yes. For others, it isn’t. The maths is genuinely different depending on six factors:
- What percentage of your revenue is DoD work?
- What’s the margin on that work, and how much room does it have to absorb compliance overhead?
- How quickly can your civilian / non-defense market grow if you redirect?
- Where is your current cybersecurity posture relative to NIST 800-171? Closer to the standard = cheaper journey. The Readiness Assessor gives you a rough first read in five minutes; a proper Gap Assessment gives you a defensible number scored against all 110 controls.
- What’s your time horizon as the owner? Looking to exit in 24 months changes the calculus.
- What capability do you offer that the DoD specifically needs? A niche capability is harder for the DoD to lose; you have more leverage.
The cost picture isn’t as binary as it looks. FAR Part 31 allowable cost recovery, state grants (Connecticut CAP, Maryland, Michigan, Texas), and MEP/PTAC subsidised advisory all do real work for contractors who find them. For the full economic picture — the math by tier, what’s recoverable, where grants help — see Who actually pays for CMMC? The math by tier.
Take the 5-minute CMMC Readiness Assessor.
Six questions about your current contracts, cybersecurity posture, and DoD revenue share. Output: which tier you’re closest to, plus the three first decisions that matter. No email required. Genuinely free.
We’ve grouped the contractors we’ve spoken with into three positions. Yours probably resembles one of them.
"Defense is the core of our business and we have time to do this right."
You have 40%+ DoD revenue, healthy margins, owner time-horizon of 5+ years, and a meaningful capability in defense work. The maths overwhelmingly favours certifying and certifying early — ideally during 2026 while assessor capacity exists.
- DoD revenue: 40%+
- Time horizon: 5+ years
- Compliance cost / 12-month profit: < 1.5x
- Decision: Certify Phase 1 / early Phase 2
"We need to look at this carefully. The maths is uncomfortable."
You have 15–40% DoD revenue, thinner margins, and your civilian markets are growing. Compliance cost will likely exceed 12–18 months of DoD profit. Some Tier 2 contractors should certify. Others should plan a managed wind-down of DoD work. The decision is binary and time-sensitive.
- DoD revenue: 15–40%
- Time horizon: 2–5 years
- Compliance cost / 12-month profit: 1.5–3x
- Decision: Honest financial modeling needed
"This will cost more than the work is worth."
You have under 15% DoD revenue, thin or no margin on it, owner is exit-planning or retirement-adjacent, and your civilian markets are healthy. The honest answer is often that the cost of compliance ($75K–$300K plus 12–18 months of attention) exceeds the lifetime value of remaining DoD work. Stopping DoD work is a legitimate strategy.
- DoD revenue: < 15%
- Time horizon: < 2 years
- Compliance cost / 12-month profit: > 3x
- Decision: Plan a wind-down or pivot
The strategic insight worth holding onto: the contractors who exit can’t easily come back. Once you’ve let your DoD relationships go and stopped bidding, re-entry in 2028 will be effectively impossible — certification still required, but now competing against fully-certified incumbents who’ve had two years of less competition.
And on the other side: the 15–20% of the DIB that does exit is concentrated in Tiers 2 and 3. The contractors who stay will be bidding against a smaller pool. That’s not a marketing claim — it’s the direct consequence of the StrikeGraph attrition forecast and PreVeil’s $116K median first-year cost figure colliding with thin-margin sub-tier business.17
What’s actually in it for you.
If you decide to stay and certify, the upside is more than just “you keep your DoD revenue.” Four things worth knowing:
A competitive moat. If 33,000–44,000 contractors exit the DIB through 2027 (roughly 15–20% of the 220,000 total), certified firms will be bidding against a meaningfully smaller pool. Early certifiers win disproportionately in 2026–2027 because the supply of qualified bidders is shrinking faster than the demand. That moat narrows again by Phase 4 (late 2028) as more contractors complete certification, so the window matters.
An acquisition premium. Investment banks and private equity buyers active in the DIB now treat CMMC certification as table stakes for acquisition targets. Acquirers don’t want to inherit compliance debt or FCA exposure. Certified contractors trade at meaningfully higher multiples than non-certified peers, and the premium should widen through 2027.
Commercial cross-over. CMMC Level 2 implementation gets you roughly 80% of the way to ISO 27001 or SOC 2 Type II — the credentials that unlock larger enterprise commercial customers (Fortune 500 buyers, regulated industries, financial services).18 If you’re trying to diversify away from defense dependency, the controls you build for CMMC pay for themselves a second time on the commercial side.
Genuine security. The 110 controls aren’t bureaucratic theatre. They’re the practical floor on what protects a small business from ransomware, business email compromise, IP theft, and the kind of nation-state-led attacks that targeted the DIB in the first place. Most of our clients tell us, after the fact, that the controls would have been worth implementing even without the DoD context.
Where you are vs where you need to be.
The CMMC program has a phased rollout. Knowing exactly where the calendar is today helps frame how much time you actually have.
Phase 1 began — self-assessments now in solicitations
Contracting officers began including Level 1 and Level 2 self-assessment requirements in new DoD solicitations. SPRS scores are being checked at bid evaluation. Some contracts are already requiring C3PAO Level 2 at award where the DoD designates it.
Inside Phase 1 (you are here)
~80,000 contractors need Level 2 certification. Fewer than 1,100 have completed it.19 C3PAO assessment lead times are now 6+ months and growing. The bottleneck is real.
Phase 2 begins — the honour system ends
Mandatory C3PAO certification for most Level 2 contracts. Self-attestation no longer sufficient. A typical readiness journey is 12–14 months — meaning a contractor starting in May 2026 with no current posture is realistically looking at certification in mid-to-late 2027.
Phase 3 begins — Level 3 requirements added
DIBCAC-assessed Level 3 introduced for the highest-risk programs. Level 2 C3PAO certification now extended to option exercises on existing contracts — meaning contract renewals start to require it too.
Phase 4 — full enforcement
CMMC requirements appear in all applicable DoD contracts and option periods. No grandfathering. Every contractor in scope must be certified at the appropriate level or be excluded from awards.
The maths most CEOs need to do is simple. Count backwards from when your next major DoD contract goes to bid, or your next option exercise comes due. Subtract 12–14 months of preparation. Subtract another 6 to 12 months for C3PAO assessment lead time. That gives you the latest possible date to start. For most contractors looking at 2027 bids, that date was last year.
If you’re staring at the calendar thinking we can’t possibly hit this, you’re not wrong. 1% of contractors feel fully prepared.19 You’re in the 99%. The first job is to know honestly where you stand, then work backwards from a realistic target date.
The first three decisions that matter.
If you do nothing else this week, do these three things in order. Each takes a few hours. Together they get you from “we just heard about CMMC” to “we have a defensible plan.”
Three decisions, in order.
If you'd rather have all three handled in a structured way and on a deadline, our 4–6 week fixed-fee Gap Assessment covers the full set. Or use the free tool linked in each step below to do it yourself.
- Identify which CMMC level you actually need. Pull every active DoD contract and active solicitation you're bidding on. Search each one for the text DFARS 252.204-7012 or 252.204-7021 or the term "Controlled Unclassified Information". The contracts that contain those determine your level. Don't take an MSP's word for it. The contract is the authoritative document. If you find 7012 anywhere, you handle (or are expected to handle) CUI — plan for Level 2. Free tool: How to identify CUI — our four-step practical guide to finding CUI in your business, plus the five categories that cover ~95% of what defense contractors handle.
- Get an honest gap assessment — not a self-quiz. Self-assessments are systematically optimistic. The MORSE Corp case turned on a self-reported score of 104 with an actual score of -142. A real gap assessment gives you a defensible starting score plus a remediation roadmap. The firm that does your gap assessment cannot also assess you for certification — that's a Cyber AB ethics rule, and it protects you. Your gap assessor will give you honest answers. Free tool: learn.ancitus.com — plain-English reference for all 110 NIST 800-171 controls, with assessor questions and evidence checklists. Free, no login. It takes weeks of focused effort, but you can self-assess against the same questions a C3PAO will ask.
- Do not sign anything you don't understand. If a prime sends you a flow-down agreement requiring CMMC compliance, do not sign without understanding what you're committing to. If an MSP offers "instant compliance" or "we handle 200 controls for you", be sceptical — particularly if the contract doesn't include a written Customer Responsibility Matrix (the document that says exactly which controls they own and which you own). The wrong vendor commitment, signed early, costs more than the right one signed three months later. The Affirming Official signature is the one to watch most carefully. You sign that, not your IT manager and not your MSP. Free tool: Shared Responsibility Matrix — print this before every vendor conversation. It maps which of the 110 controls are owned by you, your cloud provider (AWS GovCloud / Azure Gov / GCC High), and your MSP. The MSP can't claim coverage of controls they don't actually handle if you have this in front of you.
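As an added example (not code from the article, and not an Ancitus tool), here is a small Python scanner that applies the level check described above and in the FCI vs CUI section to plain-text copies of your contracts. It assumes the contracts have already been exported to .txt files, and it matches clause numbers loosely because scanned or reformatted documents often split "252.204-7012" with spaces or odd dashes.

```python
"""
Contract-clause scanner for the CMMC level check (added example, not from the article).

Rule applied, exactly as the article states it:
  - DFARS 252.204-7012, DFARS 252.204-7021, or the phrase
    "Controlled Unclassified Information" present  -> plan for Level 2 (CUI)
  - only FAR 52.204-21 present                     -> likely Level 1 (FCI only)
  - neither                                        -> unknown, ask your contracts officer
Assumption: contracts are available as plain .txt files (export them first).
"""
import re
from pathlib import Path

# Allow optional whitespace and any dash-like character between the number groups,
# so "252.204 - 7012" or "252.204–7012" (en dash) still match.
_DASH = r"[\s\-\u2010-\u2015]*"

CUI_PATTERNS = {
    "DFARS 252.204-7012": re.compile(r"252\.\s*204" + _DASH + r"7012"),
    "DFARS 252.204-7021": re.compile(r"252\.\s*204" + _DASH + r"7021"),
    "Controlled Unclassified Information": re.compile(
        r"controlled\s+unclassified\s+information", re.IGNORECASE),
}
# The lookbehind stops "52.204" from matching inside "252.204-70xx".
FCI_PATTERNS = {
    "FAR 52.204-21": re.compile(r"(?<!\d)52\.\s*204" + _DASH + r"21(?!\d)"),
}


def find_clauses(text):
    """Return the names of every CUI and FCI indicator found in the contract text."""
    found = [name for name, pat in CUI_PATTERNS.items() if pat.search(text)]
    found += [name for name, pat in FCI_PATTERNS.items() if pat.search(text)]
    return found


def classify(text):
    """Apply the article's rule; returns (level, matched_clause_names)."""
    matched = find_clauses(text)
    if any(name in CUI_PATTERNS for name in matched):
        return "Level 2 (CUI)", matched
    if any(name in FCI_PATTERNS for name in matched):
        return "Level 1 (FCI only)", matched
    return "Unknown: no cyber clause found, ask your contracts officer", matched


def scan_directory(root):
    """Classify every .txt file under root; returns {filename: (level, clauses)}."""
    results = {}
    for path in sorted(Path(root).rglob("*.txt")):
        results[path.name] = classify(path.read_text(errors="ignore"))
    return results


def highest_level(results):
    """The level the business must plan for is the highest across all its contracts."""
    levels = [level for level, _ in results.values()]
    if any(lvl.startswith("Level 2") for lvl in levels):
        return "Level 2 (CUI)"
    if any(lvl.startswith("Level 1") for lvl in levels):
        return "Level 1 (FCI only)"
    return "Unknown"


# Constructed sample contract excerpts (not real contracts) so the script runs stand-alone.
SAMPLE_CONTRACTS = {
    "sub_award_A.txt": "Clauses incorporated by reference: FAR 52.204-21; "
                       "DFARS 252.204 - 7012 Safeguarding Covered Defense Information.",
    "solicitation_B.txt": "The contractor shall comply with FAR 52.204-21 Basic "
                          "Safeguarding of Covered Contractor Information Systems.",
    "cots_order_C.txt": "Purchase order for commercial off-the-shelf items only.",
}

if __name__ == "__main__":
    results = {name: classify(text) for name, text in SAMPLE_CONTRACTS.items()}
    for name, (level, clauses) in results.items():
        print(f"{name}: {level}  matched={clauses}")
    print("Plan for:", highest_level(results))
```

Treat the output as triage, not a determination: a contract that mentions 7012 only to say the clause does not apply would still be flagged, so each hit is a prompt to read that contract, and a miss on a scanned PDF may just mean the text export was poor.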
A structured Gap Assessment covers all of this.
Four to six weeks. Fixed fee. Contract review and level determination, full CUI scoping, an honest SPRS score against all 110 controls, and a prioritized remediation roadmap. Independent of any implementation work — so the findings stay honest.
If you’ve done these three things, you’re already ahead of the median DIB contractor. From here, the path forward depends on which tier you’re in — and that’s the conversation we’re built to have.
Free resources to start with.
You don’t need to pay anyone to get started. The resources below are ungated — no email required — and combined, they give you about a working day’s worth of useful self-education before you bring in anyone external.
Resources, ungated and free.
A mix of official DoD sources, Cyber AB references, and free tools we've built for the DIB. None of these require email or payment.
- DoD Mandatory CUI Training (IF141), cdse.edu. Free 60-minute self-paced course from the Center for Development of Security Excellence. The single best layperson primer on CUI. Take it before you do anything else.
- The National CUI Registry (official source), archives.gov/cui. National Archives maintains the authoritative list of every CUI category and the laws behind them. If someone tells you data is CUI, this is where you verify.
- CMMC Marketplace (Cyber AB), cyberab.org/Marketplace. Searchable directory of authorised RPOs (advisory), C3PAOs (assessment), RPs, CCPs, CCAs. If someone claims a CMMC credential, verify it here.
- NIST SP 800-171, the 110 controls (NIST), csrc.nist.gov. The actual standard CMMC Level 2 verifies. PDF is free. Chapter 3 is the 110 controls themselves, written in plain bureaucratic English.
- 5-minute Readiness Assessor (Ancitus), ancitus.com/readiness-assessor. Six questions. Output: your tier, current realistic timeline, and the three first decisions specific to your situation. No email required.
- Shared Responsibility Matrix tool (Ancitus), ancitus.com/shared-responsibility. Free tool mapping which of the 110 controls are owned by you, your cloud provider (AWS GovCloud / Azure Gov / GCC High), and your MSP. Print and use in vendor conversations.
What we’d do if we were you.
If you’ve read this far, you’re in the first 5% of CEOs who actually engage with this material. Most stop at the first jargon-heavy article they encounter and put the question off. Don’t be that CEO — not because we want your business, but because the people who let this drift are the ones who run out of runway in 2027 and discover their options have narrowed considerably.
Here’s the six-step path we’d walk if we were sitting across the table from you. Each step has a clear next action, and each maps to a specific stage of the implementation journey we’ll cover in the rest of this series.
Step 1 — Take 5 minutes today to know where you stand.
The Readiness Assessor asks six questions about your contracts, your current cybersecurity posture, and your DoD revenue share. You get back which tier you’re closest to and an honest first read on your timeline. Free, no email required. Do this before reading anything else.
Step 2 — Have the stay-or-go conversation with your CFO this week.
Work through the six factors in the stay-or-go section above. Model the maths properly. If you can’t do that in one afternoon, bring in someone who can — a fractional CFO who knows government contracting, or a CMMC-aware advisor who can run a costed scenario analysis. Don’t skip this step. The contractors who run out of runway in 2027 are the ones who never had this conversation. For the funding side of the maths, see our piece on who actually pays for CMMC.
Step 3 — If you’re staying, commission a proper gap assessment.
Self-quizzes are systematically optimistic. A real gap assessment by an independent RPO gives you a defensible starting SPRS score, a remediation roadmap with realistic timelines, and the leverage you need in vendor conversations. Without one, you’re shopping blind. Our Gap Assessment runs 4–6 weeks, fixed fee, and is independent of any implementation work — so the findings stay honest.
Step 4 — Make the partner decision before you commit to implementation.
The MSP question is the single most expensive decision after stay-or-go. Three viable models exist, and the one that fits depends on whether your current MSP has the credentials and the experience — or doesn’t. Don’t sign a long-term MSP CMMC contract before reading our next article in this series, “The 8 stages of CMMC compliance — and the MSP decision that will cost you the most if you get it wrong” (publishing in two weeks). When you’ve decided on the model, our CMMC Implementation service is principal-led, fixed-fee, and works inside your tenant alongside your existing MSP — or replaces them, if that’s the right call.
Step 5 — Plan for continuous compliance from day one.
CMMC Level 2 isn’t “certify once every three years.” It’s a triennial assessment with an annual affirmation, 180-day POA&M closeout windows, and continuous evidence collection in between. Every degraded control between assessments becomes potential FCA exposure for the next annual signature. The contractors who treat this as a one-time project regret it at re-assessment. Our Continuous Compliance service handles the annual affirmation prep, evidence collection, POA&M maintenance, and triennial re-assessment as an ongoing program rather than a fire drill.
Step 6 — Use the resources above before you talk to anyone selling you anything.
The free resources section above gives you about a working day of useful self-education. Take the DoD CUI training. Look up your CUI categories on the National Registry. Verify any vendor’s credentials on the Cyber AB Marketplace. The contractors who do this homework have better conversations with vendors and pay less for better work. The ones who skip it end up paying more for worse work, and finding out at the C3PAO assessment.
So which path is right for you? You're probably in one of three positions. Pick the one that fits and act this week.
Do it yourself.
"We have the time and bandwidth to handle this in-house."
Best fit if you have an experienced IT lead, 12–18 months of runway, and DoD work that justifies the internal effort. Your path:
- Take the Readiness Assessor today
- Study the 110 controls at learn.ancitus.com
- Use the free resources in section 8
- Self-assess against NIST 800-171 over Q3/Q4
Get a Gap Assessment.
"We need a defensible starting score before we commit to vendors."
Best fit if you're certain you're Level 2, you don't want to shop blind for an MSP, and you want a structured remediation roadmap. Our Gap Assessment delivers:
- 4–6 weeks, fixed fee
- Full CUI scoping & SSP draft
- Honest SPRS score against all 110 controls
- Prioritized remediation roadmap
Talk to us first.
"We're not sure which path is right. Or whether we should be doing this at all."
A 30-minute call. No pitch. We'll look at your contracts, talk through your tier, and tell you honestly whether we think we're the right firm for you. Sometimes the answer is no — either way you walk away with a clearer head than you walked in with.
- Principal-led (no junior handover)
- Senior-only delivery
- Cyber AB Registered Practitioner · RPA in progress
This is article 1 of a planned series for CEOs and non-IT leaders in the defense supply chain. The next pieces cover the 8 stages of compliance (and the MSP trap), how to scope your environment and decide between an enclave vs whole-company architecture, and what continuous compliance actually looks like in year two and beyond. See all our insights →