CMMC Intelligence  ·  Vol. 1, Issue 1

April 2026 CMMC Intelligence Report

Published May 1, 2026  ·  Capital Cyber

Phase 2 rollout accelerates as DoD embeds Level 2 requirements in new contracts. POA&M rules tighten, C3PAO queues remain long, and Volt Typhoon intensifies targeting of sub-tier defense contractors.

With 67% of Level 2 contractors still not assessment-ready and wait times running 6-9 months, organizations that have not begun their C3PAO journey are already behind schedule for any Q4 2026 or Q1 2027 contract pursuits.

67% - Level 2 contractors not assessment-ready
6-9 months - C3PAO assessment wait times
4 - APT groups actively targeting the DIB
Phase 2 - Now live in new DoD solicitations
Critical Alerts - April 2026

Phase 2 Now Live

Level 2 C3PAO certification required in all new DoD solicitations above $5M. Self-attestation no longer sufficient.

POA&M Rules Tightened

High-value practices in AC, AU, CM, and IR must be fully implemented at assessment. No POA&M deferral permitted.

Volt Typhoon Active

Sub-tier DIB contractors now the primary target. Living-off-the-land TTPs make detection difficult without behavioral EDR.

C3PAO Queue: 6-9 Months

Contractors needing certification for Q4 2026 awards must initiate engagement now.

01   Rule & Policy Updates

Phase 2 Expansion and POA&M Tightening

The Department of Defense has confirmed CMMC Level 2 requirements are being incorporated into all new competitive solicitations above $5 million. Contracting officers across Army, Navy, Air Force, and DARPA are embedding DFARS clause 252.204-7021 as a standard requirement in RFPs issued this spring.

This marks the full operationalization of Phase 2 under 32 CFR Part 170. Contractors handling CUI who previously competed on the strength of a self-attestation must now demonstrate C3PAO-validated Level 2 compliance to compete for new awards. Organizations that have not begun their assessment journey are already behind - with queue times at 6-9 months.

If your organization bids on new DoD contracts above $5M, CMMC Level 2 C3PAO certification is a go/no-go requirement today. Prime contractors are also flowing this requirement down to subcontractors handling CUI.

POA&M Tightening: High-Value Practices Cannot Remain Open at Assessment

The CMMC Accreditation Body released updated guidance clarifying which NIST SP 800-171 practices may remain as open POA&M items at assessment - and which must be fully implemented. The new guidance explicitly prohibits POA&M entries for high-value practices in the following domains: Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), and Incident Response (IR). Only lower-risk practices remain eligible for open POA&M status, subject to a firm remediation timeline not exceeding 180 days post-assessment.

SPRS Annual Reaffirmation Now Mandatory

The Supplier Performance Risk System now requires contractors to reaffirm their NIST SP 800-171 self-assessment scores annually. Scores more than 12 months old without reaffirmation are flagged by contracting officers. If your organization submitted an SPRS score in 2024 or earlier, prioritize a current self-assessment and update before your next contract action.

Policy Update  ·  April 2, 2026

CMMC AB POA&M Guidance Memo #2026-04

The CMMC AB published guidance clarifying permissible POA&M scope at assessment. C3PAOs are instructed to fail assessments where high-value practices remain unimplemented with no documented closure evidence.

DFARS Update  ·  March 28, 2026

DFARS 252.204-7021 Flow-Down Enforcement Increases

DoD guidance reinforces prime contractor obligation to flow DFARS 252.204-7021 to all subcontractors handling CUI. Primes that fail to enforce this flow-down face potential contractor responsibility determinations.

Note: Qualifying defense contractors can fund a CMMC gap assessment through the Cyber Grants Alliance at no cost.

02   Compliance Deadlines

Key Dates for Q2 2026

Map these deadlines against your contract portfolio and pipeline activity now.

Now - Ongoing

Phase 2: Level 2 Required in New Solicitations

All new competitive DoD solicitations above $5M now include CMMC Level 2 requirements. C3PAO certification is required before award. Self-attestation is no longer sufficient.

June 30, 2026

SPRS Score Annual Reaffirmation

Contractors whose SPRS scores were originally submitted in Q2 2025 or earlier should reaffirm by June 30 to avoid flagging by DoD contracting officers.

Q3 2026

CMMC Level 3 Preview Guidance Expected

DoD expected to release Level 3 preview guidance based on NIST SP 800-172. Organizations working with SAPs or highly sensitive CUI should begin preparation now.

At Option Exercise

Existing Contract Transitions

Contracts issued prior to the CMMC 2.0 Final Rule may transition at first option exercise. Review existing contracts for applicable DFARS clauses and upcoming option periods.

180-Day Limit

POA&M Closure Requirement Post-Assessment

Eligible open items at assessment must have documented closure plans not exceeding 180 days. Items without credible timelines will be assessed as failures.

With C3PAO wait times at 6-9 months, contractors who need Level 2 certification for Q4 2026 or Q1 2027 contract pursuits must initiate C3PAO engagement now.

03   DIB Threat Landscape

April 2026 Active Threats

Nation-state actors - particularly China- and Russia-affiliated groups - have shifted tactics toward smaller, sub-tier defense contractors. Volt Typhoon (Bronze Silhouette) pivoted its targeting in Q1 2026 toward small and mid-size contractors in manufacturing, aerospace components, and engineering. The group's living-off-the-land tradecraft uses native Windows tools (WMIC, netsh, PowerShell) rather than custom malware, so signature-based detection has no malicious binary to match on; catching it depends on command-line logging and behavioral analytics that separate abuse of these tools from routine administration.

Threat Actor       | Attribution      | Primary Tactics                                                                                        | Severity
Volt Typhoon       | China (PRC)      | Living-off-the-land, VPN exploitation, LSASS credential dumping, persistent access via legitimate tools | Critical
Salt Typhoon       | China (PRC)      | Telecom network infiltration, lawful intercept system access, supply chain positioning                  | Critical
Sandworm           | Russia (GRU)     | Destructive wiper malware, OT/ICS disruption, targeting defense-adjacent manufacturing                  | High
LockBit Successors | Criminal (mixed) | Ransomware via phishing/RDP, double extortion, targeting mid-size manufacturers                         | Medium

LockBit successor groups have continued targeting mid-size defense manufacturers in the $10-$200M revenue range. Three publicly reported ransomware incidents in Q1 2026 involved defense subcontractors. In two of the three cases, initial access was via an unpatched VPN appliance or an RDP endpoint without MFA - both addressable through CMMC Level 2 controls.

The controls most frequently cited in recent DIB breach post-mortems - Access Control, Configuration Management, and Audit & Accountability - are also the controls organizations most commonly fail or leave in POA&M.

04   Assessment News

63 C3PAOs, Queues Long, 67% Not Ready

The CMMC Marketplace now lists 63 authorized C3PAO organizations as of April 2026, up from 41 at the start of 2025. Despite this growth, assessment demand continues to outpace supply, and average wait times remain at 6-9 months. A CMMC AB survey of 1,200+ defense contractors found 67% do not yet meet the threshold for assessment readiness. Most common gaps: audit logging, MFA for all remote access, incident response planning, and media protection.

Marketplace Update  ·  April 2026

Joint Surveillance Voluntary Assessments Increase

DoD and CMMC AB have expanded the Joint Surveillance Voluntary Assessment program. These assessments, if passed, carry additional weight in high-value contract competitions.

DIBCAC Update  ·  March 2026

DIBCAC Expands Capacity for High-Priority Programs

The Defense Industrial Base Cybersecurity Assessment Center has added staff, prioritizing assessments for contractors supporting Special Access Programs, nuclear deterrence, and hypersonics programs.

What to Expect in a C3PAO Assessment

Assessments cover all 110 NIST SP 800-171 practices across 14 domains, conducted over 2-5 days. Assessors will request:

  • System Security Plan (SSP) - A complete, current SSP documenting your CUI environment, system boundaries, and implementation of all 110 practices.
  • Evidence packages - Screenshots, configuration exports, policy documents, and logs demonstrating each practice is implemented and operational.
  • Interviews - Staff interviews to verify processes are understood and followed, not just documented.
  • Live system review - Assessors will observe systems and configurations in your operating environment.
  • POA&M review - Any open items will be evaluated against new guidance; high-value practices must be fully implemented.

05   Recommended Actions

What to Do This Month

  • Initiate C3PAO engagement now if you need Level 2 certification for any contract award in the next 12 months. With 6-9 month wait times, delay is not an option.
  • Review your POA&M against new CMMC AB guidance. High-value practices in AC, AU, CM, and IR that remain unimplemented must be remediated - they will result in assessment failure.
  • Update your SPRS score if your current submission is more than 12 months old. Conduct a fresh NIST 800-171 self-assessment and submit to SPRS before your next contract action.
  • Deploy behavioral EDR and audit logging to detect Volt Typhoon TTPs. Review CISA Advisory AA24-038A and confirm logging covers authentication events, scheduled task changes, and privileged account activity, and that process-creation events record the full command line - without it, WMIC, netsh, and PowerShell abuse is indistinguishable from routine administration.
  • Apply for a CMMC Gap Assessment Grant through the Cyber Grants Alliance if you haven't completed a current gap assessment. Funded assessments identify the exact practices requiring remediation.
  • Review subcontractor obligations. If you are a prime contractor, verify DFARS 252.204-7021 is flowing down to all subs handling CUI. Failing to enforce this creates prime contractor liability.
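The living-off-the-land tradecraft described in the threat landscape section and the logging checklist in the EDR bullet above are easier to reason about with a concrete detection pass. The following Python is an added example written for this page, not code from Capital Cyber or from CISA Advisory AA24-038A: it runs a handful of illustrative command-line rules over constructed Windows Security events, flags the RDP-logon-to-scheduled-task persistence chain, and reports hosts whose log window lacks one of the three categories the checklist names. The event IDs are standard Windows Security IDs; the event records, host names, accounts, and regexes are constructed assumptions, not captured telemetry or the advisory's indicators.

```python
"""Detection pass over Windows Security events for the living-off-the-land
tradecraft described above (WMIC, netsh, PowerShell, LSASS dumping), plus a
check that the three log categories the report calls out are actually present.

Added example written for this page; it is not code from Capital Cyber or from
CISA AA24-038A. The event records are constructed, not captured, and the
regexes are illustrative LOTL patterns rather than the advisory's indicators.
"""
import re

# Coverage categories keyed by Windows Security event IDs. Note that 4688 only
# carries a command line if "Include command line in process creation events"
# is enabled in audit policy; without it every rule below is blind.
CATEGORIES = {
    "authentication": {4624, 4625},          # logon success / failure
    "scheduled tasks": {4698, 4699, 4702},   # task created / deleted / updated
    "privileged activity": {4672, 4673},     # special privileges / privileged service
}
PROCESS_CREATED, LOGON, SPECIAL_PRIVS, TASK_CREATED = 4688, 4624, 4672, 4698

# Illustrative command-line patterns for native-tool abuse (assumed, not IOCs).
LOTL_RULES = [
    ("netsh portproxy relay", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)),
    ("wmic remote process create", re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("LSASS dump via comsvcs MiniDump", re.compile(r"comsvcs\.dll\b.*\bMiniDump\b", re.I)),
    ("NTDS.dit export via ntdsutil", re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    ("encoded PowerShell", re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I)),
]

# Constructed sample window, in time order. Not real telemetry.
EVENTS = [
    {"id": 4624, "host": "WS-ENG-07", "user": "jsmith", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"id": 4672, "host": "WS-ENG-07", "user": "jsmith"},
    {"id": 4688, "host": "WS-ENG-07", "user": "jsmith",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 "
            "connectport=443 connectaddress=10.20.0.15"},
    {"id": 4688, "host": "WS-ENG-07", "user": "jsmith",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Windows\Temp\l.dmp full"},
    {"id": 4698, "host": "WS-ENG-07", "user": "jsmith", "task": r"\Microsoft\Windows\Maint\Update"},
    {"id": 4624, "host": "FS-01", "user": "svc-backup", "logon_type": 3, "src_ip": "10.20.0.8"},
    {"id": 4688, "host": "FS-01", "user": "svc-backup",
     "cmd": "wmic path win32_logicaldisk get caption,freespace,size"},   # recon-shaped, no rule hit
    {"id": 4688, "host": "DC-01", "user": "jsmith",
     "cmd": r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\ntds" q q'},
]


def flag_lotl(events):
    """(host, user, rule, cmd) for every process-creation event matching a LOTL rule."""
    hits = []
    for ev in events:
        if ev["id"] != PROCESS_CREATED:
            continue
        for name, rx in LOTL_RULES:
            if rx.search(ev.get("cmd", "")):
                hits.append((ev["host"], ev["user"], name, ev["cmd"]))
    return hits


def coverage_gaps(events):
    """Per host, the categories with no events at all in the window.

    Over a long enough window (4672 fires on admin logons) an empty category
    means the audit policy or log forwarding is not capturing it."""
    hosts = {ev["host"] for ev in events}
    seen = {h: set() for h in hosts}
    for ev in events:
        for cat, ids in CATEGORIES.items():
            if ev["id"] in ids:
                seen[ev["host"]].add(cat)
    return {h: sorted(set(CATEGORIES) - seen[h]) for h in sorted(hosts)}


def flag_remote_admin_persistence(events):
    """(host, user) pairs where, in event order, a type-10 (RDP) logon is followed
    by special privileges and then a scheduled-task creation: the persistence
    chain behind LOTL intrusions, which no single event reveals."""
    stage, found = {}, set()
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["id"] == LOGON and ev.get("logon_type") == 10:
            stage[key] = 1
        elif ev["id"] == SPECIAL_PRIVS and stage.get(key) == 1:
            stage[key] = 2
        elif ev["id"] == TASK_CREATED and stage.get(key) == 2:
            found.add(key)
    return sorted(found)


if __name__ == "__main__":
    for host, user, rule, cmd in flag_lotl(EVENTS):
        print(f"[LOTL] {host} {user}: {rule}\n       {cmd}")
    for host, missing in coverage_gaps(EVENTS).items():
        print(f"[COVERAGE] {host}: missing {missing or 'nothing'}")
    for host, user in flag_remote_admin_persistence(EVENTS):
        print(f"[CHAIN] {host} {user}: RDP logon -> special privileges -> scheduled task")
```

Run it as a script to see the findings printed. The coverage check only means something over a window in which each category should have fired: 4672 is emitted on logons that carry administrative privileges, so a host with no 4672 events across a week is almost certainly not forwarding them, while over a five-minute window an empty category is noise. The rules deliberately do not fire on the wmic disk inventory command, which an administrator runs just as readily; tuning LOTL detection is about arguments and sequences, not tool names.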