April 2026 CMMC Intelligence Report
Phase 2 rollout accelerates as DoD embeds Level 2 requirements in new contracts. POA&M rules tighten, C3PAO queues remain long, and Volt Typhoon intensifies targeting of sub-tier defense contractors.
Rule & Policy
DoD confirms Phase 2 expansion into all new competitive solicitations over $5M. CMMC AB releases clarified POA&M guidance limiting high-value open items at assessment.
Compliance Deadlines
SPRS scores must reflect current assessments; reaffirmation required annually. Level 3 preview guidance expected Q3 2026. Existing contracts transition at option exercise.
Threat Landscape
Volt Typhoon shifts focus to smaller sub-tier DIB contractors. Salt Typhoon telecom campaign continues. Ransomware groups targeting mid-size defense manufacturers.
Assessment News
63 authorized C3PAOs now in marketplace. Average wait time: 6–9 months. DIBCAC expanding capacity. Joint Surveillance voluntary assessments increasing.
01 — Rule & Policy Updates
Phase 2 Expansion: Level 2 Now Required in New Solicitations
The Department of Defense has confirmed CMMC Level 2 requirements are being incorporated into all new competitive solicitations above $5 million. Contracting officers across Army, Navy, Air Force, and DARPA are embedding DFARS clause 252.204-7021 as a standard requirement in RFPs issued this spring.
This marks the full operationalization of Phase 2 under 32 CFR Part 170. Contractors who previously relied on self-attestation for Level 1 contracts must now demonstrate C3PAO-validated Level 2 compliance to compete for new awards. Organizations that have not begun their assessment journey are already behind — with queue times at 6–9 months.
Phase 2 is not a future concern
If your organization bids on new DoD contracts above $5M, CMMC Level 2 C3PAO certification is a go/no-go requirement today. Prime contractors are also flowing this requirement down to subcontractors handling CUI.
POA&M Tightening: High-Value Practices Cannot Remain Open at Assessment
The CMMC Accreditation Body released updated guidance clarifying which NIST SP 800-171 practices may remain as open Plan of Action and Milestones (POA&M) items at assessment — and which must be fully implemented. The new guidance explicitly prohibits POA&M entries for high-value practices in the following domains: Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), and Incident Response (IR). Only lower-risk practices remain eligible for open POA&M status, subject to a firm remediation timeline not exceeding 180 days post-assessment.
CMMC AB POA&M Guidance Memo #2026-04
The CMMC AB published guidance clarifying permissible POA&M scope at assessment. C3PAOs are instructed to fail assessments where high-value practices remain unimplemented with no documented closure evidence.
DFARS 252.204-7021 Flow-Down Enforcement Increases
DoD guidance reinforces prime contractor obligation to flow DFARS 252.204-7021 to all subcontractors handling CUI. Primes that fail to enforce this flow-down face potential contractor responsibility determinations.
SPRS Annual Reaffirmation Now Mandatory
The Supplier Performance Risk System now requires contractors to reaffirm their NIST SP 800-171 self-assessment scores annually. Scores more than 12 months old without reaffirmation are flagged by contracting officers. If your organization submitted an SPRS score in 2024 or earlier, prioritize a current self-assessment and update before your next contract action.
Note: Qualifying defense contractors can fund a CMMC gap assessment through the Cyber Grants Alliance at no cost by applying for a CMMC Gap Assessment Grant.
02 — Compliance Deadlines & Key Dates
Critical deadlines for defense contractors in Q2 2026. Map these against your contract portfolio and pipeline activity.
Phase 2: Level 2 Requirements in New Solicitations
All new competitive DoD solicitations above $5M now include CMMC Level 2 requirements. C3PAO certification is required before award. Self-attestation is no longer sufficient.
SPRS Score Annual Reaffirmation Window
Contractors whose SPRS scores were originally submitted in Q2 2025 or earlier should reaffirm by June 30 to avoid flagging by DoD contracting officers.
CMMC Level 3 Preview Guidance
DoD is expected to release Level 3 preview guidance based on NIST SP 800-172. Organizations working with SAPs or highly sensitive CUI should begin preparation.
Existing Contract Transitions
Contracts issued prior to the CMMC 2.0 Final Rule may transition at first option exercise. Review existing contracts for applicable DFARS clauses and upcoming option periods.
POA&M Closure Requirement Post-Assessment
Eligible open items at assessment must have documented closure plans with hard deadlines not exceeding 180 days. Items without credible timelines will be assessed as failures.
Assessment queue reality check
With C3PAO wait times at 6–9 months, contractors who need Level 2 certification for Q4 2026 or Q1 2027 contract pursuits must initiate C3PAO engagement now. A gap assessment first maximizes your readiness before entering the queue.
03 — DIB Threat Landscape — April 2026
Nation-state actors — particularly China- and Russia-affiliated groups — have shifted tactics toward smaller, sub-tier defense contractors with less mature cybersecurity programs. These organizations often hold valuable CUI but lack the resources of large prime contractors.
Volt Typhoon: Shifting Focus to Sub-Tier Contractors
The China-affiliated threat actor Volt Typhoon (Bronze Silhouette) has pivoted targeting in Q1 2026 toward small and mid-size contractors in manufacturing, aerospace components, and engineering — rather than exclusively large defense primes. The group's "living off the land" technique uses native Windows tools (WMIC, netsh, PowerShell) rather than custom malware, making it nearly invisible to signature-based detection.
Key indicators: anomalous LSASS access, unusual scheduled task creation, and VPN authentication from unexpected geolocations. Organizations should ensure EDR tools are deployed and tuned for behavioral detection, and review CISA Advisory AA24-038A.
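As an added example (not from this report, CISA, or any vendor), the three indicators above written as detection logic over a constructed batch of normalized Windows Security, Sysmon and VPN events. The event schema, allowlists and expected-country set are assumptions; a real deployment would replace them with baselines drawn from its own environment.

```python
"""Flag the three Volt Typhoon indicators named above over normalized log events.
Constructed sample data; the field names and allowlists are assumptions."""
from typing import Iterable

# Tunable baselines (assumed): derive these from your own environment in practice
EXPECTED_VPN_COUNTRIES = {"US"}
TASK_AUTOMATION_ACCOUNTS = {"svc-backup"}
LSASS_ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
LOTL_BINARIES = ("powershell", "wmic", "netsh", "cmd")
PROCESS_VM_READ = 0x0010  # access right required to read LSASS process memory

def detect(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) hits. Each event carries source=sysmon|security|vpn
    plus the per-source fields shown in SAMPLE_EVENTS below."""
    hits = []
    for ev in events:
        src, eid = ev["source"], ev.get("event_id")
        # Sysmon 10 (ProcessAccess): a non-OS image opened lsass.exe with read rights
        if src == "sysmon" and eid == 10 and ev["target"].lower().endswith("lsass.exe"):
            granted = int(ev["granted_access"], 16)
            if granted & PROCESS_VM_READ and ev["image"].lower() not in LSASS_ALLOWED_SOURCES:
                hits.append(("lsass_access", f"{ev['image']} access=0x{granted:x} host={ev['host']}"))
        # Security 4698 (scheduled task created): non-automation account or LOTL binary in the action
        elif src == "security" and eid == 4698:
            lotl = any(b in ev["task_command"].lower() for b in LOTL_BINARIES)
            if ev["user"] not in TASK_AUTOMATION_ACCOUNTS or lotl:
                hits.append(("sched_task", f"{ev['user']} created {ev['task_name']}: {ev['task_command']}"))
        # VPN success from a country outside the organisation's expected set
        elif src == "vpn" and ev["result"] == "success" and ev["geo"] not in EXPECTED_VPN_COUNTRIES:
            hits.append(("vpn_geo", f"{ev['user']} from {ev['src_ip']} ({ev['geo']})"))
    return hits

# Constructed sample batch: one benign and one suspicious event per indicator
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 10, "host": "eng-ws07", "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"source": "sysmon", "event_id": 10, "host": "eng-ws07",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"source": "security", "event_id": 4698, "user": "svc-backup", "task_name": "NightlyBackup",
     "task_command": r"C:\Program Files\Backup\backup.exe --full"},
    {"source": "security", "event_id": 4698, "user": "jdoe", "task_name": "Updater",
     "task_command": r"powershell.exe -File C:\Users\Public\update.ps1"},
    {"source": "vpn", "user": "jdoe", "src_ip": "198.51.100.23", "geo": "US", "result": "success"},
    {"source": "vpn", "user": "jdoe", "src_ip": "203.0.113.9", "geo": "XX", "result": "success"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The hits map directly onto the logging coverage the report asks for: authentication events, scheduled task changes, and privileged process activity, which is also the evidence an assessor will ask to see for the AU domain.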
Active Threat Actors — April 2026
| Threat Actor | Attribution | Primary Tactics | Severity |
|---|---|---|---|
| Volt Typhoon | China (PRC) | Living-off-the-land, VPN exploitation, LSASS credential dumping, persistent access via legitimate tools | Critical |
| Salt Typhoon | China (PRC) | Telecom network infiltration, lawful intercept system access, supply chain positioning | Critical |
| Sandworm | Russia (GRU) | Destructive wiper malware, OT/ICS disruption, targeting defense-adjacent manufacturing | High |
| LockBit Successors | Criminal (mixed) | Ransomware via phishing/RDP, double extortion, targeting mid-size manufacturers | Medium |
Ransomware Targeting Mid-Size Defense Manufacturers
LockBit successor groups have continued targeting mid-size defense manufacturers in the $10–$200M revenue range. Three publicly reported ransomware incidents in Q1 2026 involved defense subcontractors. In two of the three cases, initial access was via an unpatched VPN appliance or an RDP endpoint without MFA — both addressable through CMMC Level 2 controls: CM.2.061 (patch management) and IA.3.083 (MFA for privileged access).
CMMC and threat mitigation go hand in hand
The controls most frequently cited in recent DIB breach post-mortems — Access Control, Configuration Management, and Audit & Accountability — are also the controls organizations most commonly fail or leave in POA&M. Treating CMMC compliance as a security investment, not a checkbox, is the clearest path to both certification and resilience.
04 — Assessment News & Readiness
C3PAO Ecosystem: 63 Authorized Organizations, Queues Still Long
The CMMC Marketplace now lists 63 authorized C3PAO organizations as of April 2026, up from 41 at the start of 2025. Despite this growth, assessment demand continues to outpace supply, and average wait times remain at 6–9 months. Organizations requiring certification for near-term contract pursuits must begin C3PAO engagement immediately.
Joint Surveillance Voluntary Assessments Increase
DoD and CMMC AB have expanded the Joint Surveillance Voluntary Assessment program. These assessments, if passed, carry additional weight in high-value contract competitions and signal a higher standard of compliance to DoD contracting officers.
DIBCAC Expands Capacity for High-Priority Programs
The Defense Industrial Base Cybersecurity Assessment Center has added staff, prioritizing assessments for contractors supporting Special Access Programs, nuclear deterrence, and hypersonics programs.
67% of Level 2 Contractors Not Assessment-Ready: CMMC AB Survey
A CMMC AB survey of 1,200+ defense contractors found 67% do not yet meet the threshold for assessment readiness. Most common gaps: audit logging, MFA for all remote access, incident response planning, and media protection.
What to Expect in a C3PAO Assessment
Assessments cover all 110 NIST SP 800-171 practices across 14 domains, conducted over 2–5 days depending on organization size. Assessors will request:
System Security Plan (SSP) — A complete, current SSP documenting your CUI environment, system boundaries, and implementation of all 110 practices.
Evidence packages — Screenshots, configuration exports, policy documents, and logs demonstrating each practice is implemented and operational.
Interviews — Staff interviews to verify processes are understood and followed, not just documented.
Live system review — Assessors will observe systems and configurations in your operating environment.
POA&M review — Any open items will be evaluated against the new guidance; high-value practices must be fully implemented.
05 — Recommended Actions This Month
Initiate C3PAO engagement now if you need Level 2 certification for any contract award in the next 12 months. With 6–9 month wait times, delay is not an option.
Review your POA&M against new CMMC AB guidance. High-value practices in AC, AU, CM, and IR that remain unimplemented must be remediated — they will result in assessment failure.
Update your SPRS score if your current submission is more than 12 months old. Conduct a fresh NIST 800-171 self-assessment and submit to SPRS before your next contract action.
Deploy behavioral EDR and audit logging to detect Volt Typhoon TTPs. Review CISA Advisory AA24-038A and confirm logging covers authentication events, scheduled task changes, and privileged account activity.
Apply for a CMMC Gap Assessment Grant through the Cyber Grants Alliance if you haven't completed a current gap assessment. Funded assessments identify the exact practices requiring remediation.
Review subcontractor obligations. If you are a prime contractor, verify DFARS 252.204-7021 is flowing down to all subs handling CUI. Failing to enforce this creates prime contractor liability.
Next report publishes May 2026.