New Pentagon contracts will now include Cybersecurity Maturity Model Certification (CMMC) requirements as conditions of award, and contractors across the defense industrial base (DIB) are scrambling to meet compliance standards that have been mandatory in their contracts for years, because now there is real enforcement.
An estimated 118,000 companies will need CMMC Level 2 certification, but there are only 83 certified third-party assessment organizations (C3PAOs) available to conduct that mountain of assessments. According to the latest Cyber AB Town Hall, 431 certificates have been awarded, with another 104 Level 2 assessments in progress. To meet demand, each C3PAO would need to complete roughly 118 assessments per month before the second phase begins on Nov. 10, 2026.
C3PAOs are booking assessments six to nine months out. Some are already expressing doubts about their capacity to handle the incoming volume. For defense contractors, this creates a critical planning problem: Even if you’re ready for assessment today, you may not get in front of a C3PAO until well into 2026.
The capacity crunch makes preparation more critical than ever. When a contractor initiates the C3PAO assessment process, the government is notified, as noted during the C3PAO session at this year’s CMMC CON. That creates a record: fail the assessment or fail to complete it, and there is now a paper trail documenting non-compliance.
Some contractors are learning this the hard way. They’re scheduling assessments without understanding basic requirements. They’re paying C3PAOs to conduct assessments, but they aren’t compliant. Then they have to get compliant and pay again. But they’ve also created documentation of their non-compliance, and they’ve consumed assessment capacity that other contractors needed.
The consequences extend beyond wasted money and time. In 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative, which uses the False Claims Act to pursue government contractors who knowingly misrepresent their cybersecurity practices or violate obligations to meet cybersecurity requirements. Defense contractors self-report their cybersecurity posture through SPRS (Supplier Performance Risk System) scores in a federal database. Some companies have entered perfect scores despite knowing they’re not compliant, betting that there was no validation mechanism and therefore no consequences.
That bet is getting riskier. Aerojet Rocketdyne agreed to pay $9 million in 2022 to settle a False Claims Act suit alleging it knowingly misrepresented its cybersecurity compliance. Last year, Penn State University agreed to pay $1.25 million to settle a similar case.
Yet awareness of the False Claims Act is dropping within the DIB. The 2025 State of the DIB report found that 80% of contractors were aware of the False Claims Act, down from 96% in 2024. This decline is happening precisely when enforcement is increasing and the stakes are getting higher.
If C3PAOs are already backlogged, contractors who wait until mid-2026 to start compliance efforts won’t have assessment capacity available when they need it. The timeline doesn’t allow for procrastination.
CyberSheath can be your partner to determine whether you’re ready for a C3PAO assessment and help you get prepared if you aren’t yet. Join our upcoming webinar featuring C3PAO A-LIGN to learn directly from the experts about assessment readiness, common pitfalls, and strategies for getting on the path to a successful CMMC Level 2 certification. Reserve your spot today and take the first step toward compliance with confidence.
