
CMMC Intelligence Report: April 2026

Phase 2 is active. Assessment queues are building. Volt Typhoon is still targeting small defense suppliers. And the November 2026 deadline is now closer than the time it takes most contractors to complete a remediation plan. This is what changed in March and what needs your attention in April.

Phase 2 Active | C3PAO Capacity | Volt Typhoon | FIPS 140-2 Countdown | November Deadline

CMMC Program Status

Phase 2 has been in effect since DFARS 252.204-7021 entered the acquisition system on June 11, 2025. Ten months in, the enforcement picture is clear: contracting officers are inserting CMMC requirements into new solicitations for contracts involving CUI, and companies without a credible compliance plan are being turned away at award.

The DoD’s CMMC Program Management Office continues to accredit C3PAOs through the Cyber AB marketplace. As of April 2026, more than 60 C3PAOs are authorized to conduct Level 2 assessments. That sounds like enough, but the demand from contractors who delayed action is creating real queue pressure heading into summer.

Self-attestation for Level 1 remains in place for contracts involving only Federal Contract Information (FCI), not CUI. If your work only touches FCI, you are not on the C3PAO track. If your work involves CUI, you are. Most contractors who are confused about this should review what actually activates CMMC before assuming they are in the clear.

60+ authorized C3PAOs (as of April 2026)

110 NIST 800-171 practices required for CMMC Level 2

7 months until broader Level 2 enforcement (Nov 2026)

Assessment Pipeline and C3PAO Capacity

The assessment pipeline is the thing most contractors underestimate. A C3PAO assessment is not a one-day audit. The average Level 2 assessment takes four to six weeks from kickoff to final report, and that does not count the pre-assessment preparation, the remediation of any gaps identified during a readiness review, or the time to schedule the assessment in the first place.

Wait times to get scheduled with an authorized C3PAO have been increasing since January. Some firms are reporting four to eight week lead times just to begin the engagement. If you target a November 2026 contract award and work backwards, you need to be in active assessment no later than August to leave room for a Plan of Action and Milestones (POA&M) closeout if anything comes up.

The Joint Surveillance Voluntary Assessment (JSVA) program, which allows DoD prime contractors to pursue a DIBCAC-led assessment alongside a C3PAO, is still operational. For large primes, the JSVA track is worth evaluating. For small and mid-sized contractors, the standard C3PAO path is the right one.

Assessment Timeline Reality Check

Gap assessment → remediation → readiness review → C3PAO scheduling → assessment → report. Plan for six to nine months if you are starting from scratch. If you have not run a gap assessment yet, April is the last month where starting puts you comfortably ahead of November.

CMMC Gap Assessment Grants Available

100 grants valued at $5,000 each for small and mid-sized defense contractors. Administered by Cyber Grants Alliance. First come, first served.

Apply for a CMMC Gap Assessment Grant →

Key Deadlines This Quarter

September 21, 2026: FIPS 140-2 Sunset

NIST moves all FIPS 140-2 validated modules to historical status. Products without an active FIPS 140-3 validation will raise questions from C3PAO assessors reviewing SC.3.177 (cryptographic protection). Verify your products now.

Full FIPS 140-2 transition guide
November 2026: Broader Level 2 Enforcement Window

DoD has signaled broader enforcement of CMMC Level 2 requirements across new awards involving CUI. Contractors without a final C3PAO assessment letter or active JSVA by this window face exclusion from competitive awards.

CMMC Phase 2 timeline details
Ongoing: SPRS Score Currency

SPRS scores must reflect current posture. An outdated score from 2023 or 2024 is a contracting risk. If your environment has changed or you have not rescored since your last assessment cycle, update it.

DIB Threat Landscape

The threat picture for the Defense Industrial Base in Q1 2026 is consistent with what we saw throughout 2025. Three themes dominate.

Volt Typhoon: Still Active, Targeting Small Suppliers

Volt Typhoon, the Chinese state-sponsored actor tied to critical infrastructure pre-positioning, has continued targeting small and medium defense contractors. Their approach is patient: establish persistent access through edge devices and VPN appliances, then wait. The goal is not immediate exfiltration. It is a foothold that survives vendor patching cycles and can be activated later.

Small machine shops, electronics manufacturers, and engineering firms are targeted precisely because they have weaker defenses than prime contractors but still handle CUI flowing down from primes. If you are a subcontractor handling CUI under a prime contract, you are in scope. Not just for CMMC, but for this threat actor.

Spearphishing Against Contractor Personnel

Business email compromise and targeted spearphishing remain the highest-volume threat vector for DIB companies. Attackers are using publicly available contract award data from SAM.gov to identify contractor personnel and craft convincing pretexts. If your company recently won a contract that was announced publicly, expect phishing attempts within 30 days.

CMMC control AT.2.056 requires role-based security awareness training. CMMC control AT.3.058 requires awareness training that includes threat recognition. Companies without current training programs are leaving a door open that CMMC assessors will notice and threat actors are already walking through.

Unmanaged Endpoints Remain the Most Common Entry Point

In gap assessments conducted across the DIB in Q1 2026, unmanaged personal devices accessing work systems were the single most common finding. Contractors who allow employees to access CUI systems from personal laptops or phones without mobile device management (MDM) controls in place are failing CMMC control MP.3.125 and creating real exposure.

The fix is not complicated, but it requires a policy decision: define the boundary of your CUI environment and enforce that boundary. Bring-your-own-device (BYOD) access to CUI systems must go through a managed, controlled endpoint.

Regulatory Watch

FAR CUI Rule: Still in Rulemaking

The proposed FAR rule that would extend NIST 800-171 requirements to all federal contractors handling CUI (not just DoD) is still working through the rulemaking process. No final rule has been published. Contractors with significant civilian agency work should monitor this and treat it as a reason to build a unified compliance program now rather than two separate ones later.

Full FAR CUI rule analysis

NIST SP 800-171 Rev 3: DoD Still Using Rev 2

NIST published Rev 3 in May 2024. DoD has not yet moved CMMC Level 2 to Rev 3. Current C3PAO assessments are conducted against the 110 practices in Rev 2. Rev 3 reorganizes the controls and adds several new practices. When DoD does transition, contractors will face a revised assessment scope.

What changes in Rev 3

Post-Quantum Cryptography: FIPS 203/204/205 Final

NIST finalized the first three quantum-resistant cryptography standards in August 2024. Federal agencies are beginning transition planning. Defense contractors do not yet face a hard requirement to implement these standards, but the trajectory is clear and early movers will avoid a compressed transition window.

Post-quantum readiness for CMMC

April Action Items

If you are a defense contractor with CUI in scope, here is what to prioritize this month.

Immediate

Check your C3PAO scheduling window

If you have not engaged a C3PAO, do it this month. Wait times are increasing and every week of delay narrows your pre-November runway.

This Month

Verify FIPS product validation status

Go to the NIST CMVP database and confirm every product handling CUI encryption has an active FIPS 140-3 (not just 140-2) validation. The September 21 sunset is five months away.

This Month

Run endpoint inventory

Identify every device that can access your CUI environment. Any unmanaged personal device accessing CUI is both a CMMC finding and a live threat vector.

This Quarter

Update your SPRS score

If your score has not been updated since your last major remediation cycle, update it. Contracting officers are reviewing SPRS scores at award and a stale score creates unnecessary friction.

This Quarter

Run or refresh security awareness training

Spearphishing is the number one initial access vector for DIB threats. Training every employee on recognizing targeted phishing is an AT.2.056 requirement and a practical defense.
