DealVault Network · Private Introductions

Research · Issue 01

The Assessment Queue

Why CMMC Level 2 certification is running years behind demand — and what it means for your next solicitation.

By Ritvik · DealVault Network · April 2026

TL;DR

  • Phase 1 enforcement is live. Since November 10, 2025, contracting officers can insert DFARS 252.204-7025 into solicitations, making CMMC Level 2 (C3PAO) a go/no-go award criterion. If your CMMC UID is not in SPRS at the required level before bid close, the contracting officer cannot award the contract. No grace period, no exception. [DFARS 252.204-7025, Nov 2025]
  • 99% of contractors still need certification. As of February 2026, 896 final Level 2 certificates had been issued out of an estimated 76,598 organizations requiring C3PAO certification — 1.2% completion after enforcement began. [Cyber AB Town Hall, Feb 2026]
  • 103 C3PAOs are serving 80,000+ contractors. Booking slots are six to nine months out. Organizations that begin their C3PAO search in mid-2026 face late Q3 or Q4 availability — after Phase 2's mandatory C3PAO requirement kicks in on November 10, 2026. A prime's solicitation will not wait. [Cyber AB Marketplace, March 2026; CyberSheath, 2025]
  • Your IT MSP is not an RPO and cannot certify you. 74% of the defense industrial base relies on outsourced MSPs whose service agreements do not cover the 110 controls and 320 assessment objectives required for Level 2. Only Registered Practitioner Organizations can represent your posture; only C3PAOs can certify it. MSPs are neither unless specifically authorized on the Cyber AB Marketplace. [Summit7, 2025]
  • False Claims Act exposure is accelerating. In 2025, DOJ settled seven cybersecurity FCA cases totaling $51.8 million — a 233% increase over 2024. One contractor settled for $4.6 million after submitting an SPRS score of 104 against an actual score of negative 142. Annual CMMC affirmations create recurring FCA exposure on every contract cycle. [Fluet Law, 2026; Holland & Knight, 2026]

1. What Level 2 Actually Requires

CMMC Level 2 covers the 110 security requirements in NIST SP 800-171 Rev. 2, validated against 320 assessment objectives in NIST SP 800-171A. It is not a self-assessment. Certification requires a C3PAO authorized by the Cyber AB — not your IT vendor, not a general cybersecurity consultant, not a compliance platform.

The DFARS final rule (effective November 10, 2025) introduced two clauses that together make certification a hard eligibility condition:

  • DFARS 252.204-7021 — requires contractors and all applicable subcontractors to maintain current CMMC status at the level specified in the contract, for the full duration of performance, with annual affirmations.
  • DFARS 252.204-7025 — requires offerors to provide their CMMC UID in SPRS before award. If the UID is absent or below the required level, the contracting officer cannot award the contract.

The DoD's own rulemaking cost-benefit analysis (32 CFR Part 170) puts the triennial C3PAO certification cycle at $104,670 for a small business — covering the formal assessment, planning, documentation, and two annual affirmations. That figure assumes contractors were already implementing NIST 800-171. For firms whose MSP has been handling "cybersecurity" without RPO standing, the implementation costs are not behind them. They are ahead.

Cost Component                                  DoD Estimate (32 CFR Part 170)
----------------------------------------------  ------------------------------
One-time implementation — labor + hardware      $175,700
Recurring annual compliance — labor + tools     $103,800 / year
C3PAO triennial assessment + 2 affirmations     $104,670
Three-year total (small business)               ~$487,970

Industry-reported first-cycle costs — from gap assessment through C3PAO certification — range from $75,000 to $300,000 or more depending on starting security posture. The DoD floor assumes a posture that most small DIB contractors do not have.

2. The Bottleneck the Rule Did Not Solve

The Cyber AB had authorized 103 C3PAOs as of March 2026, with 764 Certified CMMC Assessors available to conduct Level 2 assessments. The demand side: an estimated 76,598 to 80,000+ organizations requiring Level 2 C3PAO certification.

As of February 2026, 896 final Level 2 certificates had been issued. Ninety-nine percent of the contractor population still needs to go through the process.

The GAO flagged this directly in its December 2025 review (GAO-26-107955): DoD "has not documented how it will address the risk if these private-sector assessors are insufficient to satisfy the volume of assessments needed to satisfy program demand."

DoD's own capacity projections in the 32 CFR rulemaking model C3PAO throughput growing from approximately 517 assessments in Year 1 to 2,599 in Year 2 and 8,666 in Year 3. Cumulative capacity over the first three years of Phase 2 reaches roughly 11,782 assessments against a backlog of 75,000+. Demand will outpace capacity well past 2028.

Booking windows confirm the constraint. C3PAOs are scheduling six to nine months out. Organizations starting their search in mid-2026 face late Q3 or Q4 availability — after the Phase 2 deadline. A prime contractor whose solicitation closes in September 2026 will not hold a subcontract award for a supplier whose C3PAO slot opens in November.

The MSP problem is structural. 74% of the defense industrial base consists of small businesses relying on outsourced IT providers. Most MSP service level agreements do not require or cover the 320 assessment objectives in NIST SP 800-171A. A generalist MSP cannot scope a CUI enclave, configure a GCC High cloud environment, or produce the System Security Plan documentation a C3PAO will examine. The contractor believes compliance is handled. The Cyber AB Marketplace will show otherwise.

This is not a budget problem or a motivation problem. It is an accreditation-pipeline problem. The C3PAO ecosystem grew from 70 authorized organizations in May 2025 to 103 in March 2026 — a 47% increase in ten months. At that pace, meeting the demand would take the better part of a decade.

3. The Worked Scenario

Setup. Vanguard Defense Machining LLC. 85 employees. $4.2M in annual DoD revenue, 35% of the firm's total. Three active contracts carrying DFARS 252.204-7021 clauses. A new $1.8M solicitation is open, closing in 90 days. DFARS 252.204-7025 lists CMMC Level 2 (C3PAO) as the required certification — a go/no-go award condition.

Base case — the conventional wisdom runs true. The CEO tells the IT MSP to handle the CMMC requirement. The MSP runs an internal self-assessment against NIST 800-171 and posts an SPRS score of 72 (the SPRS maximum is 110; conditional C3PAO certification requires 88 or higher). The CEO is told compliance is in progress. The firm bids on the $1.8M solicitation.

Outcome: The contracting officer searches SPRS for the firm's CMMC UID. No C3PAO Level 2 status exists. The bid is ineligible for award. The solicitation closes. The contract is awarded to a certified competitor.

Slip case — the corrected numbers apply. Before submitting, the CEO engages an RPO for a gap assessment ($8,000). The RPO's findings: the firm's actual NIST 800-171 posture scores 34. The MSP had misclassified several access-control and audit-logging requirements. No CUI enclave was in place. Commercial Microsoft 365 — not GCC High — was being used to process technical drawings covered under CUI. The SPRS self-attestation of 72 is a false affirmation.

From gap assessment to C3PAO certification: 12–18 months minimum. Current C3PAO booking: seven months out. The $1.8M solicitation cannot be addressed. The existing $4.2M annual DoD run rate is at risk on re-compete — each active contract carries the 252.204-7021 clause requiring a current CMMC status for the full period of performance.

Remediation + C3PAO assessment first cycle: $185,000 (remediation) + $105,000 (C3PAO cycle) = $290,000. FCA exposure for the prior SPRS affirmation remains open under the annual certification requirement.

The honest number. $290,000 remediation plus a $1.8M lost bid that cannot be recovered, plus $4.2M annual DoD revenue at risk on re-compete before certification is complete. The MSP's self-assessment did not produce a score the prime contractor or contracting officer will accept. It produced a liability.

What a Sharp Defense Contractor Pulls Now

  1. Pull your SPRS score today. If it is below 88, your next DoD bid requiring Level 2 (C3PAO) is already at risk. If no CMMC UID exists in SPRS, you are ineligible for contracts with 252.204-7025 in the solicitation.
  2. Search every active contract for DFARS 252.204-7021 and 252.204-7025 clauses. These are your exposure surface. Each carries an annual affirmation obligation; each affirmation is a potential FCA false claim if the underlying posture is inaccurate.
  3. Verify your MSP's status on the Cyber AB Marketplace at cyberab.org. If they are not listed as an RPO, they cannot represent your compliance posture to primes or contracting officers. If they conducted your NIST 800-171 self-assessment, that assessment is not validated.
  4. Commission a gap assessment from a registered RPO — not your MSP. The gap assessment produces your real SPRS number. Cost is $3,500–$20,000. The cost of not knowing is the slip case above.
  5. Book your C3PAO slot now, even if your readiness date is 9–12 months out. C3PAOs are scheduling six to nine months out and moving toward late Q4 2026. The booking slot, not the remediation plan, is the constraint.
  6. Calculate your certification date backward from your next solicitation close date. If the earliest available C3PAO slot falls after the solicitation close, the bid is ineligible before you write a word of the proposal.
  7. Brief your senior certifying official on FCA exposure from past affirmations. If your SPRS score was self-assessed without a validated gap assessment, the delta between the stated score and the actual posture is an open FCA liability on every contract where that score was used.

Sources referenced

  • DFARS 252.204-7025 and 252.204-7021 (Nov 2025), acquisition.gov
  • 32 CFR Part 170, CMMC Program Final Rule, DoD, December 2024
  • Cyber AB Town Hall Recaps, February and March 2026 (cmmc.com, secureframe.com)
  • Secureframe, "CMMC Ecosystem by the Numbers," March 2026
  • GAO Report GAO-26-107955, "Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation," December 2025, gao.gov
  • 1TEN Intelligence, "How Much Does CMMC Level 2 Compliance Cost?" (poweredby1ten.com)
  • CMMC.com, "Cost of CMMC 2.0 by Level"
  • CyberSheath / Merrill Research, "2025 State of the DIB Report"
  • CyberSheath, "Why Defense Contractors Face a C3PAO Capacity Crisis," 2025
  • Fluet Law, "Civil Cyber-Fraud Initiative 2025 Year in Review," 2026
  • Holland & Knight, "CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers," January 2026
  • Dickinson Wright, "Cybersecurity Enforcement in 2025: DOJ Steps Up Action," 2025
  • DOJ settlement, MORSE Corp (Massachusetts), March 2025, $4.6M — SPRS score of 104 self-reported vs. actual negative 142
  • DOJ settlement, precision machining subcontractor (Illinois), December 2025, $421,000 — first FCA action directly targeting a subcontractor
  • Summit7, "Find A Managed Service Provider (MSP) For CMMC Compliance," summit7.us
  • Idenhaus, "CMMC Certification Timeline: November 2025 Deadline"
  • Stratokey, "CMMC Flow Down Requirements 2026," March 2026
  • elevateconsult.com, "CMMC C3PAO Selection: Essential Criteria for Level 2"


About DealVault Network. We work with defense contractors, compliance officers, and owner-operators navigating regulated markets, on the part of the workflow that requires a fast, vetted introduction: the right RPO, the right C3PAO, the right specialist before the solicitation closes. Selective mandates. Discreet routing.

Recent work. Hippocratic AI · 2 partners signed in 60 days. Connect Group · $105K added in 90 days. Crawford Thomas · $100K in 6 months.

Get in touch. ritvik@dealvaultnetwork.biz
