The Cybersecurity Maturity Model Certification (CMMC) is no longer a future requirement. As of November 2025, the Department of Defense (DoD) began the first phase of CMMC enforcement, signaling a critical compliance window for small- to mid-sized government contractors. Knowing what comes next is key to maintaining momentum and avoiding compliance gaps.
At Badger CPA, we help businesses nationwide move from planning to execution, so they’re positioned to pursue and retain DoD contracts.
What is CMMC?
CMMC is a program designed to protect sensitive federal information. Instead of self-attestation, these requirements follow a “trust, but verify” framework. Under CMMC, cybersecurity controls must be demonstrated and, in many cases, validated through self-assessments, independent assessments, and government assessments before a contractor can be eligible for specific DoD contracts.
Do You Need to be CMMC Compliant?
The short answer is yes. Whether you are a GovCon prime contractor or a subcontractor, you must meet the appropriate CMMC level to remain eligible for DoD work. Noncompliance can delay awards, jeopardize contract renewals, and affect long-term revenue. It should be treated as a business compliance requirement, not just an IT initiative.
What Changed Under CMMC 2.0
CMMC 2.0 streamlines the original framework and clarifies how cybersecurity requirements are assessed and enforced. Compliance is organized into three levels:
- Level 1 Assessment (Foundational): If you handle Federal Contract Information (FCI), you must ensure compliance with the 15 basic security requirements found in FAR clause 52.204-21.
- Level 2 Assessment (Advanced): If you handle Controlled Unclassified Information (CUI), you are required to implement the 110 security controls from NIST SP 800-171 r2. Most organizations will require a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).
- Level 3 (Expert): For contractors handling the most sensitive data; assessments at this level are conducted by the U.S. government.
- Note: CMMC allows limited use of Plans of Action & Milestones (POA&Ms), giving organizations up to 180 days to close remaining compliance gaps after an assessment.
CMMC Phases: Timeline
- Phase 1 (Starts Nov 10, 2025): The first “Phased Implementation” has begun, starting with CMMC Level 1 or Level 2 self-assessments.
- Phase 2 (Starts Nov 2026): The DoD will transition to Phase 2, in which self-assessments give way to independent verification. Preparing for and completing an independent assessment can take between 6 and 18 months, requiring a rigorous planning process and often support from experienced GovCon compliance and accounting advisors.
- Phase 3 (Starts Nov 2027): For those working on the DoD’s most sensitive or critical programs, Phase 3 starts in November 2027. This part of the process introduces the highest level of assessment, conducted directly by the government (DCMA/DIBCAC). This phase requires implementing 24 additional high-level controls from NIST SP 800-172, in addition to the existing Level 2 requirements.
The following year marks a critical milestone, as contract awards will begin to carry these requirements.
What Contractors Should Be Doing Now
- Confirm your level: Determine whether your contracts involve FCI (Level 1) or CUI (Level 2 or 3) requirements.
- Register and update SPRS: Make sure your status and system information are reported accurately in the Supplier Performance Risk System (SPRS); this data is tied to contract eligibility.
- Prepare for assessments: You’ll face a combination of self-assessments, third-party assessments, and government-led assessments depending on contract requirements.
- Evaluate the supply chain: Prime contractors may need to confirm that subcontractors meet the required criteria to avoid delays or risks.
What Are CMMC Compliance Costs Looking Like Now?
CMMC costs often exceed several thousand dollars and can grow significantly depending on scope and readiness. Expenses can include gap assessments, IT upgrades, third-party support from GovCon accountants, ongoing monitoring and maintenance costs, and more. Smaller contractors often feel the impact for years, which makes budget planning essential, not optional. CMMC should be treated as a recurring compliance cost. Our accounting experts recommend that contractors and subcontractors:
- Confirm what’s complete vs. what’s to come
- Budget ongoing compliance and monitoring costs
- Assess how CMMC impacts pricing, margins, and indirect rates
- Align cybersecurity spend with contract pipeline and renewals
Cybersecurity compliance can place a financial burden on small contractors. The Small Business Cybersecurity Act includes discussion of tax credits, potentially up to $50,000, for qualifying small businesses that invest in cybersecurity. While legislation continues to evolve, many cybersecurity-related costs may already be eligible for treatment as:
- Deductible business expenses
- Capitalized technology investments
- Operational improvements with tax planning implications
Protecting Your DoD Contract Pipeline
As we move into 2026, early planning helps finalize compliance, refine budgets, and protect future contract opportunities. If you’re unsure where you stand or how CMMC affects your financial strategy, partnering with a CPA firm experienced in government contracting can help you move forward with clarity.