The Defense Compliance Report — Research & Data
CMMC Certification Tracker: Level 2 Certifications, C3PAOs & Assessment Capacity
As of the Cyber AB town hall
1,666 final CMMC Level 2 Certificates of CMMC Statushave been issued — about 2.2% of the 76,598 entities the Department of Defense estimates will eventually need Level 2 certification. At the trailing three-month pace of roughly 197 final certificates per month, closing the 74,932-certificate gap would take about 380 months. The same public numbers, run through different reasonable assumptions, produce timelines from 19 years to 32. DoD’s own planning model tells a different story. The spread between those answers is the most useful thing on this page, and we walk through all of it below.
| Metric | Value | As of |
|---|---|---|
| Final Level 2 Certificates of CMMC Status | 1,666 | |
| Conditional Level 2 certificates (latest public count) | 47 | |
| Level 2 assessments in progress (latest public count) | 140 | |
| Authorized C3PAOs | 107 | |
| Certified CMMC Assessors (CCAs) | 1,000+ (596 also hold Lead CCA) | |
| CMMC Certification Gap | 74,932 | 76,598 (DoD estimate) − 1,666 |
| Trailing three-month velocity | ~197 final certificates/month | – |
| Months to clear the Gap at current pace | ~380 months (~31.6 years) | Editorial calculation, method below |
How many companies are CMMC certified right now?
The most common way people ask this question is “how many companies are CMMC certified,” and the most accurate answer is that 1,666 final CMMC Level 2 Certificates of CMMC Status had been issued as of the Cyber AB town hall, with 47 conditional certificates as of the latest public count (). Strictly speaking, though, CMMC does not certify companies — it certifies information systems within a defined assessment scope, a distinction the Cyber AB has reinforced repeatedly.
The company-versus-system distinction is not pedantry. One organization can hold multiple certificates covering different enclaves or systems, each with its own CMMC Unique Identifier (UID). A single certified system operated by a joint venture can satisfy the requirement for multiple JV members, provided the right UIDs appear in the proposal — guidance the CMMC Program Management Office clarified in FAQ C-A6 and the Cyber AB discussed at the May 2026 town hall.
So when this page says “certificates,” it means certificates. The number of unique organizations holding at least one certificate is not publicly reported, and we do not estimate it.
CMMC certification tracker by month: the full Level 2 data table
Final Level 2 certificates grew from 85 in to 1,666 in — a nearly twenty-fold increase in fourteen months, or roughly ten-fold year over year measured June to June. The three most recent months alone added 592 final certificates, which is more than the entire cumulative total that existed at the town hall (559).
| Month | Final L2 certs | Net new | Conditional | In progress | C3PAOs | CCAs | Lead CCAs |
|---|---|---|---|---|---|---|---|
| 85 | — | 4 | ~100 | 67 | 345 | — | |
| 115+ | ~30 | 3–4 | ~60 | 70 | 364 | — | |
| † | 168 | ≈53 | — | — | 73 | 389 | 266 |
| 258 | +90 | — | 87 | 77 | 455 | 300 | |
| ‡ | 270 | +12 | 9 | 91 | 79 | 496 | 304 |
| 366 | +96 | 16 | — | 82 | — | — | |
| 431 | +65 | 21 | 104 | 83 | 567 | — | |
| § | 459 | +28 | — | — | 88 | 623 | 384 |
| 559 | +100 | 29 | 115 | 93 | 635 | 377 | |
| 773 | +214 | 34 | 109 | 97 | 688 | 425 | |
| 896 | +123 | 36 | 110 | 98 | 748 | 452 | |
| 1,074 | +178 | 39 | — | 103 | 759 | — | |
| 1,198 | +124 | 42 | 124 | 103 | 766 | 489 | |
| 1,391 | +193 | 47 | 140 | — | — | — | |
| ¶ | 1,666 | +275 | — | — | 107 | 1,000+ | 596 |
Sources by month:the Cyber AB does not publish these figures on a static page; they are presented orally and in slides at each monthly town hall (typically the last Tuesday of the month). The primary record is the Cyber AB’s own per-month town hall page, where each session’s slide deck and recording are posted: August 2025 · September 2025 · October 2025 · November 2025 · December 2025 · January 2026 · February 2026 · March 2026 · April 2026 · May 2026 · June 2026.
Download the dataset (CSV) — no email required. Data dictionary: month · final_l2_certificates (value used in the tracker; restated where applicable) · final_l2_reported_value (as originally reported) · net_new_final · conditional_l2 · assessments_in_progress · authorized_c3paos · ccas · lead_ccas · source_url · notes.
CMMC certification statistics: what this data shows — and what it doesn’t
This series shows public certificate counts and public ecosystem-capacity counts, point-in-time, as disclosed by the Cyber AB. It shows that certification volume is accelerating: monthly net-new certificates roughly doubled from the autumn 2025 average to the spring 2026 average, and +275 was the largest single-month gain on record. It also shows that assessor capacity has grown steadily — 67 to 107 C3PAOs, 345 to more than 1,000 CCAs, in fourteen months.
What it does not show: which organizations are certified (no public list exists — more on that below), how many unique organizations the certificates represent, C3PAO booking calendars, failed or paused assessments, or when any particular contractor’s certification actually comes due. The Certification Gap defined below is a capacity indicator built from DoD’s own planning estimate. It is not a count of non-compliant companies and not a forecast of any individual deadline.
What is the CMMC Certification Gap?
The CMMC Certification Gap is the difference between the number of entities DoD estimates will need a Level 2 certification assessment and the number of final Level 2 certificates issued to date. As of : 76,598 − 1,666 = 74,932. That works out to roughly 700 assessments per currently authorized C3PAO, if the future looked exactly like today — which, as the scenarios below show, it will not.
The denominator comes from DoD’s own Regulatory Impact Analysis for the CMMC Program rule (32 CFR Part 170, RIN 0790-AL49). Its “Estimated Number of Entities by Type and Level” table projects 76,598 entities requiring a Level 2 certification assessment — 56,689 small entities and 19,909 other-than-small — out of 221,286 total defense industrial base (DIB) entities. The full document is public on Regulations.gov.
Which number is right — 70,000 contracts, 76,598 entities, or 80,000 organizations?
Several official-sounding denominators circulate, and they measure different things. Writers routinely conflate them, so here is the reconciliation:
| Figure | What it counts | Source |
|---|---|---|
| 76,598 | Entities DoD estimates will need a Level 2 certification (C3PAO) assessment | DoD Regulatory Impact Analysis, 32 CFR Part 170 — the denominator this tracker uses |
| 80,598 | All Level 2 entities: the 76,598 above plus ~4,000 expected to qualify for Level 2 self-assessment | Same DoD RIA table (76,598 + 4,000) |
| ~70,000 | Contracts — not entities — DoD estimates will carry a Level 2 certification requirement | DoD PMO statement at the Cyber AB town hall, which also noted the number of affected organizations could run higher |
| ~221,000 | The entire DIB, all CMMC levels including the ~139,000 Level 1 self-assessment population | DoD RIA (221,286 total); often rounded up to “300,000+” in vendor materials |
We use 76,598 because it matches the numerator’s unit of measure most closely: it counts entities expected to go through the same C3PAO assessment pipeline that produces the certificates we track. If you prefer the all-Level-2 basis, the Level 2 Population Gap on the 80,598 denominator is 78,932 as of . Both are DoD planning estimates, not a census.
How many C3PAOs are there?
As of the Cyber AB town hall, there are 107 authorized C3PAOs — Certified Third-Party Assessment Organizations, the firms authorized by the Cyber AB to conduct official CMMC Level 2 certification assessments. On the individual-assessor side, Certified CMMC Assessors (CCAs) crossed 1,000 for the first time in , with 596 of them also holding the Lead CCA designation required to lead an assessment team.
The growth curve matters as much as the count. In there were 67 authorized C3PAOs and 345 CCAs. Fourteen months later: 107 and 1,000+. That is steady, not explosive — C3PAO count grew about 60% while certificate output grew nearly twenty-fold, which tells you throughput per organization has risen sharply as the ecosystem matured. Even so, the remaining Certification Gap works out to roughly 700 future assessments per currently authorized C3PAO.
One recurring error worth correcting: figures like “250 authorized C3PAOs” sometimes appear in vendor content. Those numbers typically conflate the Cyber AB Marketplace’s broader listings — which include candidate C3PAOs, Registered Provider Organizations (RPOs), and other ecosystem roles — with the authorized-C3PAO count the Cyber AB reports monthly. The authorized count in is 107. The Cyber AB Marketplace is the authoritative place to check any individual firm’s current status, and status matters: under the Cyber AB’s C3PAO authorization requirements implementing 32 CFR § 170.9, authorized C3PAOs must complete their own DIBCAC assessment on a three-year cycle and have a 27-month window to achieve full ISO/IEC 17020 accreditation.
Is there enough CMMC assessment capacity before Phase 2?
It depends entirely on which assumption you hold constant, and the honest answer is that the same public data supports timelines from roughly 19 years to 32 — while DoD’s own planning model assumed a ramp far steeper than anything observed yet. The Cyber AB’s position, stated plainly at the town hall, is that there is no assessor shortage relative to current demand: some C3PAOs are booked through the year, many are not, and the binding constraint right now is contractor readiness and urgency, not assessor availability. The math below is about what happens if demand arrives the way DoD modeled it.
| Scenario | Monthly pace | Months to clear | Years | Assumptions |
|---|---|---|---|---|
| A — Current run-rate | 197/month | ~380 | ~31.6 | Trailing three completed months (Apr +124, May +193, Jun +275 = 592 ÷ 3), held flat forever |
| B — Trend-adjusted | 244/month | ~307 | ~25.6 | Ordinary least-squares trend fit to the last six monthly net-new values (214, 123, 178, 124, 193, 275), projected as the next three-month average, held flat |
| C — Assessor-team ceiling | ~333/month | ~225 | ~18.7 | All 1,000 CCAs organized into three-person assessment teams (the minimum staffing model in DoD’s own cost analysis), each team completing one certification assessment per month |
These scenarios are capacity math, not forecasts. All three hold capacity static even though capacity has grown every month on record. None accounts for new C3PAOs and CCAs entering (Tier 3 background investigations for new assessors currently run roughly four to ten months, per the Cyber AB), Lead CCA availability, multi-system certifications, failed assessments, POA&M closeouts, conflicts-of-interest rules, or — increasingly relevant from 2027 onward — the triennial reassessment cycle, when the earliest certified systems return to the queue for renewal under 32 CFR § 170.17.
The comparison nobody runs: actuals versus DoD’s own ramp
DoD’s Regulatory Impact Analysis did not assume today’s pace would persist — it assumed a steep ramp. The model projects 517 Level 2 certification entities in phase-in Year 1, 2,599 in Year 2, 8,666 in Year 3, and roughly 16,600 per year in Years 4 through 6, reaching the full 76,598 by Year 7. In monthly terms, DoD’s own model requires roughly 720 certifications per month by Year 3 and about 1,380 per month by Year 4 — against roughly 197 per month today.
Cumulative actuals are, so far, broadly in the neighborhood of the model’s early years: 1,666 certificates about eighteen months after the rule took effect, versus a modeled cumulative of 517 by end of Year 1 and 3,116 by end of Year 2. The open question this tracker exists to answer, month by month, is whether issuance can multiply roughly sevenfold from here to hold DoD’s Year 3–4 line. That is the number to watch — not the raw count.
What changed in the restatement?
In , the Cyber AB reported 270 final Level 2 certifications and noted that duplicate records had recently been removed from eMASS — the DoD system where C3PAOs upload assessment results — “providing a more accurate count.” August’s unusually small net gain (+12 over July’s 258) is net of that cleanup. We treat as the clean baseline for the modern series, and we flag the earlier 2025 rows as pre-de-duplication figures that are not perfectly comparable.
A tracker that pretends every month-over-month change is organic growth is quietly wrong. Point-in-time counts pulled from a live administrative system get restated, and the honest way to handle that is to keep both the originally reported value and the restated value visible. That is how the CSV is structured: a final_l2_reported_value field holds the value as originally reported, the final_l2_certificates field holds the value the tracker uses (restated where applicable), and a note explains the difference. The figure is the other current example — reported as 158 in the written record, shown as 168 in later Cyber AB chart materials — and both values are preserved in the dataset with the discrepancy logged.
Is there a public list of CMMC certified companies?
No. The Cyber AB stated at its town hall that, for privacy and security reasons, it does not publish a public list of certified organizations. Certification status lives in eMASS and flows to SPRS (the Supplier Performance Risk System), where it is visible to DoD contracting officers — not to the public. That is why aggregate monthly counts, and this tracker of them, are the only public measure of certification volume.
For anyone who needs to verify a specific partner’s status — a prime vetting a subcontractor, for instance — here is what is and isn’t publicly checkable:
| Question | Public answer available? | Reliable verification path | What remains nonpublic |
|---|---|---|---|
| Is a firm an authorized C3PAO? | Yes | Cyber AB Marketplace listing, which distinguishes authorized from candidate status | Internal authorization timelines and scheduling |
| Is an organization Level 2 certified? | No public list | eMASS/SPRS status, visible to DoD contracting officers; primes verify through contracting channels rather than public lookup | The certified-organization roster and certificate details |
| Is a certificate document trustworthy on its face? | No | Verify against eMASS-backed status, not the paper — certificates carry CAGE codes and UIDs the Cyber AB advises against sharing publicly anyway | Whether a supplied document matches the system of record, without a check |
| Can a prime verify a subcontractor? | Yes, through contracting channels | SPRS-based verification during source selection and flowdown management | Sub-tier statuses outside the prime’s contractual line of sight |
The last two rows are not hypothetical. At the town hall, the Cyber AB disclosed that a counterfeit Certificate of CMMC Status had been discovered circulating among prime contractors vetting teaming partners — complete with a fabricated certifying official and a UID apparently lifted from a legitimate certificate. The fraud would not survive an eMASS check, which is precisely the point: as certification becomes a competitive differentiator, document-based verification is no longer enough.
What’s the difference between a Final and a Conditional Level 2 certificate?
A Conditional Level 2 (C3PAO)status means the assessment passed with an allowable Plan of Action and Milestones (POA&M) still open; under 32 CFR § 170.21, the POA&M must be closed out within 180 days or the conditional status expires. A Final Level 2 (C3PAO)status means all applicable security requirements were met — either outright, or after a successful POA&M closeout assessment. This tracker’s headline metric counts final certificates only; conditionals are tracked as their own column and never merged into the headline number.
| Conditional Level 2 (C3PAO) | Final Level 2 (C3PAO) | |
|---|---|---|
| What it means | Passed with a limited POA&M open | All 110 NIST SP 800-171 Rev. 2 requirements met |
| Time limit | POA&M closeout within 180 days, per 32 CFR § 170.21 | Valid three years, with annual affirmations in SPRS |
| Counted in our headline metric | No — tracked separately | Yes |
| Latest public count | 47 ( town hall) | 1,666 ( town hall) |
The conditional column is worth watching in its own right. Across the nine months where both final and conditional counts are public, conditional certificates ranged from 3.2% to 4.9% of public Level 2 statuses — so POA&M-based passes appear to be a stable minority of outcomes rather than a growing crutch:
| Month | Final | Conditional | Conditional share |
|---|---|---|---|
| 270 | 9 | 3.2% | |
| 366 | 16 | 4.2% | |
| 431 | 21 | 4.6% | |
| 559 | 29 | 4.9% | |
| 773 | 34 | 4.2% | |
| 896 | 36 | 3.9% | |
| 1,074 | 39 | 3.5% | |
| 1,198 | 42 | 3.4% | |
| 1,391 | 47 | 3.3% |
When does CMMC Phase 2 begin — and is a deadline?
Phase 2 begins , and the Cyber AB spent a segment of its town hall stating plainly that this date is not a deadline. It is the start of the phase in which new DoD solicitations will routinely require Level 2 C3PAO certification, with the Department retaining discretion to defer the requirement within a specific contract — for example, to an option year. Existing contracts are not automatically modified — though under the 48 CFR CMMC acquisition rule, contracting officers may bilaterally add the CMMC clause (DFARS 252.204-7021) to a contract awarded before the clause’s effective date, with the contractor’s agreement and appropriate consideration. The practical pressure points are new solicitations, option years, and task and delivery orders issued after that date.
| Phase | Begins | What it adds |
|---|---|---|
| Voluntary period | Rule effective; organizations could pursue Level 2 certification before any contract required it (early counts were seeded partly by Joint Surveillance Voluntary Assessments converting to certificates) | |
| Phase 1 | New solicitations require Level 1 or Level 2 self-assessments where applicable; DoD discretion to require Level 2 C3PAO certification in select contracts | |
| Phase 2 | New solicitations routinely require Level 2 C3PAO certification; DoD may defer within a contract; Level 3 may appear at DoD discretion | |
| Phase 3 | Level 3 (DIBCAC) requirements begin appearing routinely | |
| Phase 4 / Full implementation | All applicable solicitations and contracts carry CMMC requirements as a condition of award |
Set the phase calendar against this tracker’s data and the stakes get concrete: at the trailing three-month velocity of about 197 final certificates per month, the ecosystem is running at roughly a quarter of the ~720-per-month pace DoD’s own phase-in model assumes for Year 3, and about a seventh of the ~1,380 assumed for Year 4.
Two forces make that math matter well before any phase date. First, demand is arriving ahead of the federal schedule: the Cyber AB noted in that some prime contractors are setting their own internal certification deadlines for suppliers — in some cases end of fiscal year — as supply-chain risk decisions independent of DoD’s timeline. Second, the cost of overstating your posture is no longer theoretical: in the Department of Justice announced a $507,144 settlement with an Alabama defense contractor resolving False Claims Act allegations that it had self-reported a perfect 110 NIST SP 800-171 score in SPRS while a subsequent government assessment scored the same environment at −170; the settlement resolves allegations, with no determination of liability.
Methodology: how we build this tracker
We extract certification and ecosystem-capacity figures from each monthly Cyber AB town hall, record them against the month reported, preserve the original source for every cell, and log any later restatement instead of silently overwriting it. The source hierarchy is fixed: Cyber AB town hall materials first — the slide decks and recordings posted on each month’s page at cyberab.org/News-Events/Town-Halls, which is the primary source, since the Cyber AB is the DoD-authorized accreditation body and these figures originate as point-in-time pulls from eMASS; the written recap record second, used to corroborate and to fill months where a deck is not posted; secondary commentary never, except to cross-check. The CSV carries both source layers for every row.
Fields captured each month: final Level 2 certificates, net-new finals, conditional certificates, assessments in progress, authorized C3PAOs, CCAs, and Lead CCAs. Cells the Cyber AB did not state that month stay blank — we do not interpolate, estimate, or carry values forward. Chart-read figures (values presented graphically rather than in text) are flagged as such until confirmed.
Formulas, stated so anyone can reproduce them: Certification Gap= 76,598 (DoD RIA estimate of Level 2 certification-assessment entities) − cumulative final Level 2 certificates. Trailing three-month velocity= sum of the last three months’ net-new final certificates ÷ 3. Months to clear= Gap ÷ velocity. Scenario assumptions are printed with each scenario. Everything derived is recomputed after each town hall; the underlying denominator is re-verified quarterly and whenever DoD amends the rule or publishes revised estimates.
Limitations: what this tracker does not tell you
Stating these plainly matters more to us than a tidier story would.
- Certificates are not companies.CMMC status attaches to information systems within an assessment scope. One organization can hold several certificates; one certificate can serve a joint venture. The unique-organization count is not public.
- The denominator is a planning estimate, not a census.DoD’s 76,598 figure is a rulemaking-era model built from historical contracting data and subject-matter judgment. DoD’s own RIA cautions that actual volumes may vary significantly because assessment demand is market-driven. The Gap inherits every limitation of that estimate.
- Not everyone in the Gap is “due” at once.Requirements attach contract by contract across a phased rollout running to , with DoD discretion to defer within contracts. The Gap measures cumulative modeled demand against cumulative supply — it is not a count of currently non-compliant firms.
- Counts are point-in-time and restatable.Figures are eMASS pulls as of each town hall (typically the last Tuesday of the month), so “monthly” intervals are approximate, and history has been restated at least twice ( de-duplication; the 158/168 discrepancy). The changelog records every known case.
- Capacity is more than headcount.C3PAO throughput depends on Lead CCA availability, Tier 3 background-investigation timelines (roughly four to ten months at present), team composition rules, conflict-of-interest restrictions, accreditation deadlines, and scope complexity — none of which a simple count captures. And from roughly 2027–2028 onward, triennial reassessments of the earliest certified systems begin competing for the same assessor capacity as first-time certifications.
How to cite this page
The Defense Compliance Report — Research. “CMMC Certification Tracker: Level 2 Certifications, C3PAOs & Assessment Capacity.” https://thedefensecompliancereport.com/research/cmmc-certification-tracker/. Last updated . Underlying primary sources: Cyber AB monthly town halls; DoD Regulatory Impact Analysis, 32 CFR Part 170.
Dated per-month anchors (for example, #jun-2026) resolve to each month’s changelog entry, so a citation can point to a specific month’s snapshot even after later updates.
Frequently asked questions
How many companies are CMMC certified?
As of the Cyber AB town hall, 1,666 final CMMC Level 2 Certificates of CMMC Status have been issued, plus 47 conditional certificates as of the latest public count (). CMMC certifies information systems rather than companies, so the certificate count is the precise public measure; a unique-company count is not published.
How many companies need CMMC Level 2 certification?
DoD’s Regulatory Impact Analysis for the CMMC rule estimates 76,598 entities will need a Level 2 certification (C3PAO) assessment, and 80,598 will fall under Level 2 overall including the ~4,000 expected to qualify for self-assessment. Separately, the DoD PMO has estimated roughly 70,000 contracts will carry a Level 2 certification requirement. These are planning estimates, not a census.
How many C3PAOs are there?
107 authorized C3PAOs as of the Cyber AB town hall, up from 67 in . Authorized status can be verified for any individual firm in the Cyber AB Marketplace.
What is the CMMC Certification Gap?
The gap between DoD’s estimate of entities needing a Level 2 certification assessment and final certificates issued to date: 76,598 − 1,666 = 74,932 as of . It is a capacity indicator, not a compliance scorecard.
Does a Conditional Level 2 certificate count as certified?
It is a recognized CMMC status, but it depends on closing the associated POA&M within 180 days under 32 CFR § 170.21, so this tracker reports conditionals separately (47 as of the latest public count, ) and never merges them into the final-certificate count.
Is the CMMC deadline?
No. It is the start of Phase 2, when new solicitations begin routinely requiring Level 2 C3PAO certification, with DoD discretion to defer within individual contracts. Existing contracts are not automatically modified — though contracting officers may bilaterally add the CMMC clause to earlier contracts with the contractor’s agreement and appropriate consideration — and new solicitations, option years, and task and delivery orders after that date are where the requirement lands, with many prime contractors imposing earlier deadlines of their own.
How often is this tracker updated?
Within 48 hours of each monthly Cyber AB town hall, typically held the last Tuesday of the month. The “Last verified” date at the top of the page and the changelog below reflect every update.
Changelog
— v1.1.
Post-audit corrections, all logged per our restatement policy: July 2025 capacity fields added from the written town hall record (77 C3PAOs, 455 CCAs, 300 Lead CCAs); November 2025 Lead CCA count (384) and March 2026 conditional count (39) added from the official Cyber AB town hall decks; Phase 2 contract-modification language corrected to reflect the 48 CFR rule’s bilateral-modification provision; CSV restructured to carry primary and secondary source URLs per row.
— v1.0.
Initial publication. Series compiled through from Cyber AB town hall disclosures. Known restatements carried into the dataset: (1) eMASS de-duplication — the Cyber AB noted duplicates were removed, “providing a more accurate count”; (270 final) is treated as the clean baseline. (2) figure reported as 158 in the written record, restated to 168 in later Cyber AB chart materials; both values preserved in the CSV. final-certificate figure (1,666) is chart-read pending written confirmation.