Published February 2026

For years, CMMC felt like something that was always around the corner. A regulation that would matter “eventually.” That eventually is over. Right now, on SAM.gov, there are more than 120 active solicitations that require some level of CMMC certification before a contractor can submit a bid. This is not a pilot program. It is not limited to a handful of classified contracts. It is happening across construction, manufacturing, logistics, and defense services.

The Numbers Are Real

We track every CMMC solicitation posted to SAM.gov. The current count is over 120 and growing weekly. The Army Corps of Engineers is the most active agency in the construction space, with 13 of the 15 tracked construction solicitations originating from USACE. On the manufacturing side, Navy NAVSEA dominates, with contracts ranging from submarine maintenance to missile components.

The majority of these solicitations require Level 2 certification. Some allow self-assessment, while others require a third-party C3PAO audit. A small number start at Level 1 but include escalation clauses that push contractors to Level 2 and Level 3 within 12 to 24 months.

Construction Companies: You’re Already Behind

If you’re a construction company that works on federal projects, the shift has already happened. The Army Corps of Engineers is embedding CMMC requirements into contracts that, a year ago, would have had no cybersecurity language at all.

USACE NWD Design Build MATOC
Posted 2/23/2026. Requires Level 2 with C3PAO assessment. A major multi-award task order contract covering design-build work across the Northwestern Division.

Special Tactics Complex, OR Air National Guard
Posted 2/17/2026. Level 2 C3PAO required. A specialized military construction project that now comes with a cybersecurity certification gate.

Lake City Army Ammo Plant Microgrid
Posted 2/19/2026. Level 2 self-assessment. Even energy infrastructure work at military installations now carries CMMC requirements.

These are not IT contracts. They are construction projects for buildings, fuel systems, microgrids, and seismic upgrades. The fact that they require CMMC certification tells you everything about where DoD is heading: every contractor that touches military infrastructure will need to prove their cybersecurity posture.

Manufacturers: The Supply Chain Effect

Manufacturing contracts carry an additional dimension that many businesses overlook. When Navy NAVSEA posts a solicitation for submarine maintenance requiring Level 2 C3PAO certification, that requirement does not stop at the prime contractor. Every subcontractor handling controlled unclassified information (CUI) in that supply chain needs to meet the same standard.

If you manufacture parts, components, or assemblies that end up in defense systems, your customer is going to ask for your CMMC certification. Not because they want to. Because the contract requires it. The IDIQ MAC Submarine CNO Availabilities contract, posted February 10, requires C3PAO Level 2. That flows down to every machine shop, electronics supplier, and coating facility in the supply chain.

DLA contracts tell the same story. Aviation parts, troop support equipment, maritime components: all requiring Level 2. The Defense Logistics Agency processes thousands of orders from manufacturers across the country, and CMMC is becoming a standard clause.

The Escalation Timeline

One solicitation illustrates the trajectory better than any policy document. The SOF Tactical Equipment Maintenance Facility, posted January 22, 2026, by the Army Corps of Engineers, lays out a phased requirement:

• Today: Level 1 certification required
• October 2026: Level 2 required
• October 2027: Level 3 required

This is the model DoD will use going forward. Start with a manageable baseline and ratchet up. If you wait until Level 2 is required to start working on Level 1, you are already behind. Certification takes time. Assessments take time. Implementing the controls takes time. The businesses that start now will be positioned to win contracts when the requirements escalate.

What You Need to Do Now

The foundation of CMMC compliance comes down to five core controls. These are the areas where most small and mid-sized businesses have gaps, and they are the first things an assessor will look for:

• Multi-Factor Authentication (MFA) on every account that accesses company systems
• Endpoint Detection and Response (EDR) on every device, replacing basic antivirus
• Encrypted, Tested Backups that can restore operations after an incident
• Security Awareness Training for every employee, documented and recurring
• Automated Patching so vulnerabilities are closed before they can be exploited

Capital Cyber’s Fast Track program implements these five controls in 30 days at a fixed fee. No open-ended consulting engagements. No scope creep. You get a clear timeline, a defined scope, and a path to certification readiness that you can show to primes and contracting officers.

See every active CMMC solicitation, updated weekly.
View the Live CMMC Contract Tracker

Need help tracking your CMMC compliance? CMMC Ready Now is a platform built to help contractors manage their path to certification, track controls, and maintain their System Security Plan.

Book a Call

Ready to talk? Schedule a call with Rick, our COO, and let us figure out where you stand.

Or Send Us a Message