
CMMC for Defense Contractors: Timeline, Levels, and What You Need to Know in 2026

Exceleor Editorial Team March 23, 2026 11 min read
CMMC rulemaking was finalized in late 2024 with phased implementation beginning in 2025. By 2026, CMMC requirements are appearing in new DoD solicitations. Level 1 covers 15 basic safeguarding requirements (self-assessment). Level 2 maps to 110 NIST 800-171 controls (third-party assessment for critical programs). Level 3 adds NIST 800-172 advanced threat protections. We explain what level you need, when you need it, and how to get there efficiently.

CMMC in 2026

The Cybersecurity Maturity Model Certification program continues to evolve, but the core requirement is clear: defense contractors handling controlled unclassified information must demonstrate cybersecurity maturity through independent assessment. The phased rollout means CMMC requirements are appearing in new contracts throughout 2026 and beyond.

Manufacturers who wait until CMMC appears in their contracts to begin preparation face a 12 to 18 month implementation timeline — likely too long to meet contract deadlines. Starting preparation now, while requirements are still rolling out, provides the runway needed for thorough implementation without the pressure of contract deadlines.

Understanding the Levels

CMMC has three levels. Level 1 requires basic cyber hygiene with 17 practices and applies to contractors handling Federal Contract Information (FCI) but not CUI. Level 2 requires implementation of the 110 NIST SP 800-171 controls and applies to contractors handling CUI. Level 3 adds enhanced security requirements for the most sensitive programs.

Most defense manufacturers need Level 2. This requires a significant investment in cybersecurity infrastructure, policies, and training — but the payoff is continued access to defense contracts that increasingly mandate CMMC certification.

The Implementation Timeline

A realistic CMMC Level 2 implementation takes 12 to 18 months for manufacturers starting from a basic cybersecurity posture. The timeline includes gap assessment against NIST SP 800-171 controls, remediation of identified gaps, policy and procedure development, employee training, and system hardening.

Manufacturers with existing ISO 27001 certification can accelerate this timeline to 4 to 8 months because approximately 70 percent of CMMC Level 2 controls are already addressed by their ISMS. This is one of the strongest arguments for pursuing ISO 27001 as a CMMC foundation.

Preparing Your Organization

Start with an honest gap assessment against all 110 NIST SP 800-171 controls. Identify which controls are fully implemented, partially implemented, or not implemented. Develop a Plan of Action and Milestones to address gaps. Allocate budget for technology investments, consulting support, and employee training.

ComplianceFortress provides integrated CMMC and ISO 27001 implementation services that address both frameworks simultaneously. This integrated approach saves 30 to 40 percent compared to implementing them separately while providing the management system foundation that CMMC assessors increasingly expect to see.

Tags: CMMC, Defense Contractors, NIST 800-171, SPRS, Cybersecurity
