
Planning Your 2026 CMMC Compliance Roadmap

If you’re a defense contractor trying to make sense of the CMMC landscape, you’re not alone. The noise around CMMC 2.0 has been building for years, but now—post–November 10, 2025—it’s real. The Department of Defense (DOD) has officially started rolling out CMMC requirements in contracts, and that means the time for planning is over. It’s go-time.

Whether you’re just starting your CMMC journey or you’ve been “working on it” for a while, we’re breaking down practical insights shared during this webinar hosted by Casey Lang of CyberSheath and Matt Bruggeman of A-LIGN—two experts who live and breathe CMMC readiness and certification. 

Let’s walk through what you need to know, what you need to do, and how to avoid the common pitfalls that could derail your path to compliance in 2026. 

Who’s Who in the CMMC Ecosystem 

Before we dive into the roadmap, let’s talk about the players. 

CyberSheath is a Registered Practitioner Organization (RPO). That means we help defense contractors prepare for CMMC compliance—hands-on, boots-on-the-ground, doing the work. As Casey put it, “All we do is CMMC compliance.” Our services span managed IT, managed security, and managed compliance, all designed to get you ready for certification. 

A-LIGN, on the other hand, is a CMMC Third Party Assessment Organization (C3PAO). They’re the independent assessor that actually conducts your Level 2 certification assessment and issues your certification after evaluating your environment. As Matt explained, “We would be the independent third-party assessor that comes in, assesses your conformity to the requirements in CMMC and the NIST 800-171 Rev 2 baseline.”

Together, CyberSheath and A-LIGN represent the two sides of the CMMC coin—preparation and certification. 

The Three Buckets of CMMC Readiness 

One of the most helpful frameworks from the webinar was the idea of three buckets of readiness: 

  • Not Started: You’ve heard of CMMC, maybe read a few articles, but you haven’t taken any concrete steps. 
  • Working On It: You’ve started implementing controls, maybe have a System Security Plan (SSP), but you’re not sure if you’re ready for an assessment. 
  • Ready: You’ve got your documentation, your evidence, and your environment scoped. You’re ready to engage a C3PAO. 

Watch the full webinar for clear next steps and actionable insights to move confidently toward compliance.

Most contractors fall into the second bucket. And that’s okay. But as Casey pointed out, “The timeline to engage with a C3PAO for a certification attempt should be informed in some way—boots-on-the-ground practical.”  

Translation? You need a plan. And that plan should be based on your Plan of Action and Milestones (POAM), your SSP, and a realistic understanding of your operational maturity. 

When to Engage a C3PAO vs. an RPO 

This is where a lot of contractors get tripped up. They reach out to a C3PAO too early—before they’ve scoped their environment or implemented controls—and end up in what’s called a false start. 

Matt explained it clearly: “We get clients coming to us all the time and saying, ‘Hey, I need a Level 2 CMMC certification.’ I ask some very basic scoping questions and find out they’re in that first bucket. And I say, ‘We don’t even have an environment to scope.’” 

A-LIGN has seen a surprising number of false starts—organizations that begin the assessment process but aren’t ready. 

Matt shared, “We’ve seen in some cases 30 to 50% of companies that come to us are in some way, shape, or form not ready and not passing through Phase 1.” 

The biggest differentiator? Working with an experienced RPO. 

“By far the biggest differentiator that we have seen in clients coming to us that move through Phase 1 successfully is have they been or are they working with a reputable RPO,” Matt said. 

The organizations that have been successful have generally started earlier, taken a more long-term operational approach, and partnered with an experienced RPO like CyberSheath. 

We can assess your current operations against NIST SP 800-171 standards, implement all required controls to achieve compliance, and maintain compliance continuously, ensuring ongoing fulfillment of DOD mandates and contract eligibility.  

Once you’ve got your SSP, POAM, and a clear timeline, that’s when you engage a C3PAO. But don’t wait until you’re “fully ready” to start those conversations. 

As Matt warned, “You want to avoid getting all the way to the ‘I’m ready’ state and then beginning conversations with C3PAOs. They have backlogs—sometimes six, nine, twelve months out.” 

In other words, C3PAO capacity is the bottleneck. For defense contractors, this creates a critical planning problem: even if you’re in the “ready” bucket today, you may not get in front of a C3PAO until well into 2026.

And once you’re certified, it doesn’t end there. 

A Level 2 certification is valid for three years, but you must submit an annual affirmation of continued compliance in between. That means maintaining compliance, monitoring changes, and staying assessment-ready for the entire period, not just at certification time. CMMC Managed Services ensures complete, ongoing fulfillment of DOD mandates to secure eligibility for current and future contracts.

Watch the full webinar for more on mapping your CMMC compliance timeline and milestones.

November 10 Changed Everything 

So what’s the big deal about November 10? 

That’s the date (November 10, 2025) the DOD officially began Phase 1 of the CMMC rollout, and enforcement is now real.

It means CMMC requirements can now be written into solicitations and contracts. And while Phase 1 relies largely on self-assessment (Level 1 and Level 2 Self), a CMMC self-assessment backed by a senior official’s affirmation is not the same as the old SPRS score submission.

As Casey explained, “Today, as of November 10, there is no more plan forward if you’re going to be awarded work and it has CMMC language in contract. It means that you need to be fully attesting to compliance.” 

And that affirmation isn’t just a checkbox. You’re attesting that all 110 requirements in NIST SP 800-171 Rev 2 are implemented. That’s a big deal, and it’s why evidence matters more than ever.

Evidence = Readiness 

If there’s one takeaway from the webinar, it’s this: Evidence is everything. 

Matt broke it down: “You tell us what you’re doing, and then you just prove to us that you’re doing what you say you’re doing. That’s really what it is at its heart.” 

Evidence can take many forms—screenshots, configuration outputs, ticket records, completed forms, even live demonstrations. But it has to be tied to operational processes. It’s not enough to have a policy on paper. You have to show that you’re living it. 

Casey emphasized this point: “Institutionalizing the processes to truly understand at the right level of granularity and in a way that understands that you have to demonstrate compliance all matter critically when it comes to your timeline and preparedness.” 

Budgeting for CMMC 

Let’s talk dollars. 

There’s a lot of confusion around the cost of CMMC. Early estimates from the DOD pegged certification at around $50,000, but that only covers the assessment—not the work to get compliant. 

Matt clarified: “Most organizations that come to us, it’s probably between $40,000 and $80,000 for that C3PAO assessment. But that does not include any cost for third-party services, licensing tools, paying an RPO, any of that sort of stuff.” 

CyberSheath sees a wide range of readiness levels. Some contractors are buying equipment at Best Buy and have no IT function. Others have mature environments but need help documenting and operationalizing controls. 

The cost depends on where you’re starting from. 

Final Thoughts: CMMC Is Operational 

CMMC isn’t a one-time project. It’s an ongoing operational capability. 

As Casey put it, “CMMC isn’t really an end state. It feels like an end state, but it’s really operational capabilities that matter.” 

You need to be self-aware of changes—acquisitions, divestitures, technology shifts, new data flows. All of these can impact your compliance posture. And if you’re not managing them, you’re not ready. 

Want to hear the full conversation between Casey Lang and Matt Bruggeman? Watch the webinar on-demand for more insights into planning your 2026 CMMC roadmap.