CMMC Intelligence Report: May 2026
The math on November is no longer forgiving. FIPS 140-2 has four months left. C3PAO queues are at their longest point yet. Ransomware groups that spent 2025 targeting healthcare have rotated focus to the DIB. And contractors still waiting to start their CMMC program are now out of comfortable runway.
CMMC Program Status
The CMMC program is past the phase where contractors could reasonably argue they were waiting for clarity. DFARS 252.204-7021 is in the acquisition system. C3PAOs are conducting assessments. Contracting officers are enforcing at award. What is left is execution, and the execution window is shrinking.
DoD has been consistent on the November 2026 timeline for broader Level 2 enforcement across new awards with CUI. What that means practically: contracts flowing through the system in Q3 and Q4 2026 will require either a completed C3PAO assessment on record or an active POA&M with a credible remediation timeline. Neither of those is something you can manufacture in 30 days.
One nuance worth tracking: the POA&M closeout rules. DoD has published guidance on which CMMC practices can be covered by a Plan of Action and Milestones at time of assessment and which ones must be fully implemented. Not every gap is closeable with a POA&M. High-value practices, particularly those in the Access Control, Identification and Authentication, and Incident Response families, require full implementation before a C3PAO will issue a passing assessment. Companies banking on POA&M flexibility for core security controls should not count on it.
5 months to November: broader Level 2 enforcement
4 months to FIPS sunset: September 21, 2026
6–9 weeks average assessment duration: from kickoff to final report
Assessment Pipeline: The Queue Crunch Is Real
C3PAO scheduling lead times have continued to grow through May. Companies reaching out to authorized assessors for the first time in May are hearing four to ten week wait times before an engagement can even begin. Add six to nine weeks for the assessment itself, and a company starting outreach today is looking at a completed assessment no earlier than September or October.
That leaves almost no room for what happens after an assessment: findings, remediation, and re-verification of anything that came back as not yet implemented. Most assessments surface at least a handful of gaps even in well-prepared organizations. Planning for a perfect first pass is not realistic planning.
The contractors who are in the best position right now are the ones who ran a gap assessment in Q1 or Q2 2025, spent 12 months remediating, and are now moving into scheduled C3PAO assessments with confidence. The ones in the hardest position are those who have been watching and waiting. June is the last month where starting puts you on a realistic track for November. After July, the math stops working.
The November Math
C3PAO wait time (6 wk) + assessment duration (6 wk) + findings remediation (4 wk) + re-verification (2 wk) = 18 weeks minimum. 18 weeks from June 1 lands on October 6. That is tight. Every week of delay from this point moves the finish line past November.
CMMC Gap Assessment Grants Available
100 grants valued at $5,000 each for small and mid-sized defense contractors. Administered by Cyber Grants Alliance. First come, first served.
FIPS 140-2 Sunset: Four Months Out
September 21, 2026 is the date NIST moves all FIPS 140-2 validated modules to historical status under the Cryptographic Module Validation Program (CMVP). Four months is not a lot of runway for procurement decisions, vendor upgrades, and configuration changes.
The practical risk for defense contractors: CMMC control SC.3.177 requires FIPS-validated cryptography for CUI protection. A C3PAO assessor reviewing a system running products whose cryptographic modules are now in historical status has grounds to flag a finding. Whether assessors will uniformly flag historical-status modules is not yet settled, but the conservative path is clear.
The action is straightforward. Go to the NIST CMVP validated modules search and confirm that every product handling encryption in your CUI environment has an active FIPS 140-3 certificate. If your VPN, endpoint protection, email encryption, or file transfer tools only have FIPS 140-2 certificates, contact the vendor now about their 140-3 timeline. Some have already published FIPS 140-3 validated versions. Others are still in the queue.
For more on this transition, the full FIPS 140-2 sunset guide covers the steps in detail.
DIB Threat Landscape
Ransomware Groups Rotating to the DIB
Ransomware activity targeting defense contractors has increased in Q2 2026. Several groups that spent 2024 and 2025 heavily focused on healthcare and critical infrastructure have shifted attention to smaller defense suppliers, particularly those in manufacturing, electronics, and engineering services. The pattern is consistent with opportunistic targeting: these sectors often have weaker security postures than the prime contractors they supply.
For CMMC purposes, a ransomware incident is also a CUI incident. If attackers encrypt or exfiltrate data from a system that holds controlled unclassified information, that triggers CMMC incident reporting requirements under IR.2.092 and IR.2.093. Contractors who have not thought through their incident response procedures for a ransomware scenario should work through that tabletop before their C3PAO assessment, not during it.
Third-Party Software Risk in the DIB Supply Chain
CISA’s ongoing work on software supply chain security has highlighted a persistent gap in how DIB contractors evaluate the software they run on CUI systems. Many small contractors use commercial off-the-shelf software without reviewing the vendor’s security practices or verifying that the software itself does not introduce unmanaged risk.
CMMC control SA.3.169 addresses this directly: organizations must limit the use of software that has not been reviewed and approved for use in the CUI environment. In practice, most small contractors fail this control in their initial gap assessment because no formal software approval process exists. Building that process before your C3PAO shows up is straightforward and takes less time than most remediation tasks.
Credential Theft Remains Underreported
Stolen credentials from DIB contractor systems continue to surface in underground markets. In many cases, contractors are unaware their credentials have been compromised until months after the fact. Multi-factor authentication (MIA.3.064) is a Level 2 control for a reason. Companies still running single-factor authentication on any system that accesses CUI should treat that as an immediate remediation item.
Regulatory Watch
NIST SP 800-171 Rev 3: Transition Timeline Still Unannounced
DoD has not published a transition date for CMMC Level 2 to move from Rev 2 to Rev 3. Current assessments still use the 110 practices in Rev 2. Contractors completing assessments now will be assessed against Rev 2. When DoD does announce the transition, there will be a grace period — but the scope changes in Rev 3 are significant enough that contractors should understand what is coming.
What changes in NIST 800-171 Rev 3
FAR CUI Rule: Comment Period Closed, Final Rule Pending
The proposed FAR rule that would extend NIST 800-171 requirements to all federal contractors handling CUI (not just DoD) has completed its public comment period. The FAR Council is reviewing comments. No final rule has been published. Contractors with civilian agency work should continue building toward the NIST 800-171 standard regardless — when the rule lands, there will be less time than they expect.
Full FAR CUI rule analysis
Cyber Grants Alliance: Grants Still Available
100 CMMC gap assessment grants valued at $5,000 each are still available through Cyber Grants Alliance. Applications are reviewed on a rolling basis. With the assessment queue tightening, getting a gap assessment done now is the most practical thing small contractors can do with a grant this month.
Apply for a CMMC Gap Assessment Grant
June Action Items
June is the last month where a contractor starting from scratch can build a credible path to November. These are the items that move the needle.
Contact a C3PAO and get on the schedule
If you have not engaged an authorized C3PAO, do it this week. Every additional week of delay makes the November math worse. Find authorized assessors at the Cyber AB marketplace.
Audit FIPS 140-2 product status
Pull the list of every product in your CUI environment that handles encryption. Cross-reference against the NIST CMVP active validation list. Any product with only a FIPS 140-2 certificate needs a vendor conversation this month.
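The FIPS audit described above, and the product check in the FIPS 140-2 sunset section earlier on this page, come down to one rule per product: an active FIPS 140-3 certificate is fine, a 140-2-only product needs a vendor conversation, and anything with no validated module at all is a finding on its own. The script below is an added example (not code from this report or from NIST CMVP) that applies that rule to an inventory you transcribe from the CMVP validated-modules search. It goes slightly beyond the text by making the classification date-aware, so the same inventory re-run after September 21, 2026 reports 140-2-only products as historical. Product names, certificate numbers, the Certificate and Product field names, and the "Active"/"Historical" status labels as used here are this example's own assumptions.

```python
"""Classify cryptographic products in a CUI environment against the FIPS 140-2
sunset. Added example, not from the report; inventory data below is constructed."""
from dataclasses import dataclass, field
from datetime import date

# Date stated in the report: FIPS 140-2 validated modules move to historical status.
FIPS_140_2_SUNSET = date(2026, 9, 21)


def _as_date(d) -> date:
    """Accept either a date or an ISO string such as '2026-06-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class Certificate:
    """One CMVP certificate as you would transcribe it from the validated-modules
    search. Field names are this example's own, not CMVP's."""
    number: str     # constructed placeholder, not a real CMVP certificate number
    standard: str   # "FIPS 140-2" or "FIPS 140-3"
    status: str     # "Active" or "Historical", as shown on the CMVP listing


@dataclass
class Product:
    name: str
    role: str       # what the product does for CUI: VPN, endpoint, email, file transfer
    certificates: list = field(default_factory=list)


def classify(product: Product, as_of) -> str:
    """Return the product's standing on a given date:
    'ok'                  - has an active FIPS 140-3 certificate
    'transition-required' - only an active FIPS 140-2 certificate, sunset not yet passed
    'historical'          - every certificate it has is historical (or the sunset has passed)
    'unvalidated'         - no CMVP certificate at all
    """
    as_of = _as_date(as_of)
    if any(c.standard == "FIPS 140-3" and c.status == "Active" for c in product.certificates):
        return "ok"
    active_140_2 = any(c.standard == "FIPS 140-2" and c.status == "Active"
                       for c in product.certificates)
    if active_140_2 and as_of < FIPS_140_2_SUNSET:
        return "transition-required"
    if product.certificates:
        return "historical"
    return "unvalidated"


def audit(inventory: list, as_of) -> dict:
    """Map each product name to its classification on the given date."""
    return {p.name: classify(p, as_of) for p in inventory}


def needs_vendor_action(inventory: list, as_of) -> list:
    """Products to raise with the vendor this month: anything not 'ok', sorted by name."""
    return sorted(name for name, status in audit(inventory, as_of).items() if status != "ok")


def days_until_sunset(as_of) -> int:
    """Days of runway left before the sunset (negative once it has passed)."""
    return (FIPS_140_2_SUNSET - _as_date(as_of)).days


# Constructed inventory for illustration; product names and certificate numbers are invented.
INVENTORY = [
    Product("ExampleVPN", "VPN", [Certificate("C-0001", "FIPS 140-2", "Active")]),
    Product("ExampleEDR", "endpoint protection", [
        Certificate("C-0002", "FIPS 140-2", "Active"),
        Certificate("C-0003", "FIPS 140-3", "Active"),
    ]),
    Product("ExampleMail", "email encryption", [Certificate("C-0004", "FIPS 140-2", "Historical")]),
    Product("ExampleFTP", "file transfer", []),
]

if __name__ == "__main__":
    today = "2026-06-01"
    print(f"{days_until_sunset(today)} days until the FIPS 140-2 sunset")
    for name, status in audit(INVENTORY, today).items():
        print(f"{name:12s} {status}")
    print("Raise with vendor:", ", ".join(needs_vendor_action(INVENTORY, today)))
```

Run it with your own inventory in place of INVENTORY. The "transition-required" bucket is the vendor conversation the report asks for; re-running with a date after the sunset turns those entries into "historical", which is how the same inventory will look to an assessor in Q4.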
Run a ransomware tabletop
Walk through what happens if ransomware hits your CUI environment. Who gets notified? What is the 72-hour reporting window? Do you have offline backups? This exercise surfaces IR gaps before your assessor does.
Enable MFA on all CUI-adjacent systems
Single-factor authentication on any system accessing CUI is a Level 2 control failure. If MFA is not yet deployed everywhere it needs to be, this is an easy win to put in your remediation log before your C3PAO engagement.
Apply for a CMMC Gap Assessment Grant
If you are a small or mid-sized contractor and have not yet run a formal gap assessment, the CGA grant covers it. 100 grants remain. Applications are first come, first served.
