The Defense Compliance Report — Research & Data

CMMC Statistics 2026: Certification Counts, Costs, Small Business Impact & Enforcement Data

By The Defense Compliance Report editorial team · Published · Last verified: · Updated monthly after each Cyber AB Town Hall

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance. Our /research section publishes reference data with a source on every claim.


The most important CMMC statistics in 2026 come from the Department of Defense’s own rulemaking: DoD estimates 337,968 prime and subcontractor entities will be subject to the Cybersecurity Maturity Model Certification (CMMC) program by Year 4 of implementation — 229,818 of them (68%) small entities — with 118,289 projected to need third-party Level 2 certification. DoD’s official price for that certification, $104,670 for a small entity over three years, excludes implementation and remediation entirely. Meanwhile, $38,986,778 in defense-related False Claims Act settlements since 2022 enforces the preexisting obligations CMMC now exists to verify.

Every number on this page is graded, dated, and linked to its source — including the popular ones we refused to publish.

Key CMMC statistics at a glance

Table 1 — Headline CMMC statistics, verified
| Statistic | Figure | Grade | Source |
|---|---|---|---|
| Entities subject to CMMC by Year 4 | 337,968 | A | DFARS final rule, Sept. 10, 2025 |
| Small entities among them | 229,818 (68%) | A | DFARS final rule |
| Entities projected to need Level 2 (C3PAO) certification | 118,289 | A | DFARS final rule |
| Official small-entity Level 2 certification estimate | $104,670 over 3 years — implementation excluded | A | CMMC Program final rule, Oct. 15, 2024 |
| Final Level 2 certificates issued | 1,391 | B | Cyber AB May 2026 Town Hall (PDF) |
| Authorized C3PAOs | 104 | B | Cyber AB May 2026 Town Hall (PDF) |
| Defense-related cybersecurity FCA settlements since 2022 | $39.0 million across 10 resolutions | TDCR | DOJ press releases (Table 8) |
| Phase 2 — Level 2 certification in applicable new contracts | | A | DoD CIO |

Source: Compiled by The Defense Compliance Report from the Federal Register, DoD CIO, Cyber AB Town Halls, and Department of Justice press releases. Per-row sources, grades, and calculations appear in the sections below.

What this shows — and what it doesn’t

These figures establish the program’s scale (roughly one-third of a million entities), its cost floor (six figures for a small business before a single control is implemented), its early trajectory (about 1.2% of the projected Level 2 population certified so far), and its legal teeth ($39.0 million in defense-related False Claims Act settlements before any certificate was ever required).

They do not show a compliance rate — no public registry says who is compliant and who isn’t. They do not show total compliance cost — DoD deliberately excluded implementation from its estimates, for reasons we explain below. And they do not show an assessment backlog, because no primary-source backlog measurement exists anywhere. Where the data ends, we say so.

How we built this page

We read both CMMC rules in the Federal Register — the program rule (32 CFR Part 170) and the acquisition rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) — along with the current clause text on Acquisition.gov, DoD’s published reports and CIO guidance, the class deviation memo, Department of Justice settlement announcements, Cyber AB Town Hall disclosures, and original reporting from Reuters and Federal News Network. We recomputed every number independently and checked it against its stated source.

Every statistic carries one of three evidence grades, or a calculation label:

Table 2 — Evidence grades used on this page
| Grade | Meaning |
|---|---|
| A | Official primary source: Federal Register, eCFR, Acquisition.gov, DoD, NIST, DOJ documents |
| B | Official program data stated in official venues or official dynamic sources, verified as of a date (Cyber AB Town Halls) |
| C | Named industry surveys, analyses, or original reporting by major news organizations with disclosed sourcing or methodology; sponsor identified where applicable |
| TDCR | Our arithmetic from A- or B-grade inputs, with the formula shown |

Source: The Defense Compliance Report methodology, .

Claims that fail all four categories — no source, no denominator, no methodology — do not appear as facts anywhere on this page. They appear in one place only: the “claims we could not verify” section near the end.

Two related references in this section update on their own schedules: our CMMC certification tracker (monthly, after each Cyber AB Town Hall) and our cybersecurity enforcement ledger (event-driven, as DOJ announces resolutions). Figures on this page are snapshots from those datasets as of the verification date above.

How to cite this page

The Defense Compliance Report. “CMMC Statistics 2026: Certification Counts, Costs, Small Business Impact & Enforcement Data.” thedefensecompliancereport.com/research/cmmc-statistics/. Last verified .

Every statistic on this page, with its source, evidence grade, and verification date, is available as a CSV at /research/cmmc-statistics/cmmc-statistics-ledger.csv — no email required.


How many companies need CMMC?

DoD estimates 337,968 unique entities — prime contractors and subcontractors combined — will be subject to CMMC requirements by Year 4 of the phased rollout, according to the DFARS final rule published . Of those, 229,818 (68%) are small entities. The requirement applies to any contractor whose information systems process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) under a DoD contract, with a carve-out for contracts solely for commercially available off-the-shelf (COTS) items.

Table 3 — Projected CMMC population by level at full implementation
| CMMC level | Share | Entity count | Grade |
|---|---|---|---|
| Level 1 (Self) — FCI only | 62% | 209,540 * | A / TDCR |
| Level 2 (Self) — lower-risk CUI | 2% | 6,759 * | A / TDCR |
| Level 2 (C3PAO) — most CUI | 35% | 118,289 | A |
| Level 3 (DIBCAC) — most sensitive CUI | 1% | 3,380 * | A / TDCR |
| Total | 100% | 337,968 | A |

Source: DFARS final rule, 90 FR 43560 (). Distribution percentages and the 337,968 and 118,289 figures are DoD’s; entity counts marked * are TDCR calculations applying the rule’s distribution to the 337,968 total. Last verified .

How DoD counted. The department doesn’t actually track unique offerors, and it has no contractual relationship with subcontractors at all. So the rule’s analysis works from assumptions: roughly 28,164 annual solicitations, an assumed average of two offerors each (56,328 prime offerors), and an assumed five subcontractors per prime proposal. Multiply through and you reach 337,968 unique entities. That means the headline number is a model output, not a census — a distinction that matters when extrapolating.

The phase-in is deliberately back-loaded for small businesses. The rule projects 1,104 small entities affected in Year 1, 5,565 in Year 2, 18,554 in Year 3, and the full 229,818 by Year 4 and beyond.

One precision note writers routinely miss: CMMC certifies information systems, not companies. Each assessed system receives a CMMC unique identifier (UID) in SPRS, DoD’s contractor-performance database, and a single company can hold several. The Cyber AB reinforced this at its Town Hall in guidance on joint ventures, which must identify every UID used in contract performance. “Companies certified” and “certificates issued” are close approximations, not identical measures.

How many companies need CMMC Level 2 certification?

The DFARS final rule projects 118,289 entities will require Level 2 certification by a Certified Third-Party Assessment Organization (C3PAO) — an independent assessor authorized by the Cyber AB — by Year 4 of implementation. That is 35% of all impacted entities. A much smaller group, about 6,759 entities (2%), will be allowed to self-assess at Level 2 for lower-risk CUI. The two paths are frequently collapsed into one “Level 2” number; they shouldn’t be.

About that “80,000” figure you keep seeing. A claim that “roughly 80,000 contractors need Level 2 certification” circulates widely. We could not pin that exact figure to current rule text. What we can reproduce: apply the rule’s 35% Level 2 (C3PAO) share to the 229,818 small entities and you get 80,436 small entities in the certification population (TDCR calculation) — almost certainly the origin of the ~80,000 shorthand. The correct all-entity figure is 118,289.

How many companies are CMMC certified right now?

As of the Cyber AB Town Hall, 1,391 organizations hold a final Level 2 certificate, with 47 conditional certificates open and 140 assessments in progress. That is roughly 1.2% of the 118,289 entities DoD projects will need Level 2 certification (1,391 ÷ 118,289; TDCR calculation). Current figures update monthly in our certification tracker.

Table 4 — Final Level 2 certificates over time
| Date | Final L2 certificates | Grade | Source |
|---|---|---|---|
| | ~100 | B | Cyber AB Town Hall, via July 2025 recap (first five months) |
| | 158 | B | Cyber AB Town Hall, via July 2025 recap |
| | ~270 | C | 2025 State of the DIB Report release |
| | 459 † | C | Redspin, citing Cyber AB statistics |
| | 773 | B | Cyber AB Town Hall, January 2026 recap |
| | 896 | B | Cyber AB Town Hall, February 2026 recap |
| | ~1,074 ‡ | B / TDCR | March 2026 Town Hall, as reported by Secureframe |
| | ~1,220 ‡ | TDCR | Implied by May’s reported +14% month-over-month |
| | 1,391 | B | Cyber AB May 2026 Town Hall (PDF) |

Source: Cyber AB Town Hall disclosures (cyberab.org/News-Events/Town-Halls), linked per row. † December figure reported as “completed Level 2 assessments,” which may be defined differently from certificates issued. ‡ Derived from adjacent town hall figures as noted; treat as approximate. Compiled by The Defense Compliance Report; last verified .

That works out to an average of about 155 new final certificates per month in 2026 ((1,391 − 773) ÷ 4 months, through ; TDCR calculation).

The finding nobody else has published: the market is running ahead of DoD’s own model. The program rule projected 135 C3PAO-led certification assessments in Year 1, 673 in Year 2, 2,252 in Year 3, and 4,452 in Year 4 — 808 cumulative through the first two years. Actual final certificates reached 1,391 by , about seventeen months after the program rule took effect and only partway into Year 2. Measured against DoD’s own curve, the defense industrial base is ahead of model on early adoption.

Failure data is thin but real: the Cyber AB disclosed in that 8 organizations had failed a Level 2 assessment to that point, while noting unreported false starts likely exist. And conditional status — certification with an open Plan of Action and Milestones (POA&M), the 180-day punch list for unmet requirements — covers only about 3% of certified organizations (47 of 1,438 total certificates; TDCR calculation).

What are the official CMMC cost statistics?

DoD’s official estimate for a small entity’s Level 2 certification is $101,752 initially and $104,670 over the full three-year cycle — and that figure covers only assessment, certification, and affirmation activity. It excludes implementation and remediation entirely. Both numbers come from the CMMC Program final rule’s regulatory analysis.

Table 5 — DoD’s official CMMC cost estimates, by level and entity size
| Assessment path | Initial estimate | Three-year estimate |
|---|---|---|
| Level 1 self-assessment (small entity) | $5,977 | + $560 per annual reaffirmation |
| Level 2 self-assessment (small entity) | $34,277 | $37,196 |
| Level 2 self-assessment (other-than-small) | $43,403 | $48,827 |
| Level 2 C3PAO certification (small entity) | $101,752 | $104,670 |
| Level 2 C3PAO certification (other-than-small) | $112,345 | $117,768 |
| Level 3 assessment + affirmations (small entity) | $12,802 (atop Level 2, excl. engineering) | |

Source: CMMC Program final rule, 89 FR 83092 (), regulatory impact analysis; docket DOD-2023-OS-0063. Evidence grade: A for every row. Compiled by The Defense Compliance Report; last verified .

What DoD’s $104,670 estimate does not include

The rule states that implementation costs are not attributed to CMMC because the underlying requirements already exist: the basic safeguarding clause at FAR 52.204-21 has applied since , and DFARS 252.204-7012 required full implementation of NIST SP 800-171 — the 110-requirement federal standard for protecting CUI — by . In DoD’s accounting, a contractor handling CUI should have absorbed those costs years ago. CMMC merely charges you to prove it.

The proof that this was a choice, not an oversight: at Level 3, where the rule adds genuinely new requirements drawn from NIST SP 800-172, DoD did count engineering costs — an estimated $2.7 million in nonrecurring and $490,000 in recurring engineering costs for a small entity. The department costs implementation when requirements are new and excludes it when they’re preexisting. That accounting boundary is the single most useful thing to understand about every CMMC cost figure in circulation.

The gap between the certification paths is itself instructive: a small entity’s three-year Level 2 certification estimate runs $67,474 more than the self-assessment path ($104,670 − $37,196; TDCR calculation). For scale, the rule’s own analysis puts the DFARS acquisition rule’s total cost at $344.9 million in present value over ten years at a 3% discount rate ($329.1 million public, $15.8 million government).

What contractors actually budget is a different question — and a different grade of evidence. In a PreVeil survey of more than 2,000 defense contractors (sponsor: PreVeil, a compliance platform vendor), 70% had budgeted less than the DoD estimate for Level 2 certification. The 2025 Merrill Research survey commissioned by CyberSheath, a CMMC managed services provider, found annual compliance budgets averaging nearly $50,000. We publish these as what they are — named surveys with disclosed sponsors (C) — not as official figures.

Is there enough C3PAO capacity — and is there a backlog?

As of the Cyber AB Town Hall there were 104 authorized C3PAOs, up from 97 in , alongside 759 Certified CMMC Assessors (CCAs) as of and a further 15% jump in CCAs from to . No primary-source measurement of an assessment backlog exists — from the Cyber AB, DoD, or anyone else — and the available capacity data points the other direction.

Table 6 — The Level 2 scale gap: projection vs. reality,
| Measure | Figure | Grade | Source |
|---|---|---|---|
| Entities projected to need Level 2 (C3PAO) certification | 118,289 | A | DFARS final rule |
| Final Level 2 certificates issued | 1,391 | B | Cyber AB May 2026 Town Hall (PDF) |
| Authorized C3PAOs | 104 | B | Cyber AB May 2026 Town Hall (PDF) |

Source: Federal Register projection data combined with Cyber AB May 2026 Town Hall snapshot data by The Defense Compliance Report; last verified .

Table 7 — CMMC ecosystem capacity, monthly
| Date | C3PAOs | CCAs | CCPs | Lead CCAs | Grade | Source |
|---|---|---|---|---|---|---|
| | 97 | 688 | 1,459 | 425 | B | Cyber AB Jan. 2026 recap |
| | 98 | 748 | 1,494 | 452 | B | Cyber AB Feb. 2026 recap |
| | 103 | 759 | | | B | March 2026 Town Hall via Secureframe |
| | 104 | +15% Apr→May | | | B | Cyber AB May 2026 Town Hall (PDF) |

Source: Cyber AB Town Hall disclosures, linked per row. Compiled by The Defense Compliance Report; last verified .

Beyond the assessor corps: Registered Practitioners numbered roughly 2,000 and Registered Provider Organizations 378 as of early 2026, four non-US C3PAOs were moving through authorization, and credentialing operations transferred from the Cyber AB’s CAICO arm to ISACA, with the transition completing . A analysis by Secureframe, which pulled all 5,732 active Cyber AB Marketplace entries via the marketplace’s public API, counted 3,607 unique entities holding at least one ecosystem role.

Two scale figures, clearly labeled as arithmetic: if the DFARS-rule projection materializes, the current assessor base implies about 1,137 organizations needing certification per authorized C3PAO (118,289 ÷ 104), and the Level 2 certification population is 26.6 times DoD’s own projected Year 4 annual assessment volume (118,289 ÷ 4,452). Neither is a backlog claim — they describe the size of the mountain, not the length of the queue.

As for the queue itself: Secureframe’s capacity model estimated a theoretical ceiling around 1,500 assessments per month if every CCA ran two solo assessments monthly — against roughly 178 certificates actually issued in . On the numbers available, the binding constraint is organizational readiness, not assessor headcount: assessors report spending much of their time on advisory work and mock assessments because organizations arrive unprepared. The “24–30 month backlog” figure appears in our unverified-claims section below, where it belongs.

How does CMMC affect small businesses?

Small entities are 68% of everyone CMMC touches — 229,818 small entities, including prime contractors and subcontractors — and roughly 80,436 of the projected Level 2 certification population (TDCR calculation from the rule’s distribution). The program’s costs land on the smallest balance sheets in the defense supply chain, and they land on a population that was already shrinking.

The pre-CMMC context comes from DoD itself. The department’s State of Competition report found the number of small businesses in the DIB shrank by more than 40% over the preceding decade — even as DoD grew small-business R&D spending 83% and manufacturing spending 28% over the same period. Then-Deputy Secretary Kathleen Hicks warned the department could lose an additional 15,000 suppliers over the following ten years on the existing trend. More companies spent more money and still left. CMMC adds a six-figure gate on top of that trend.

The early evidence on how suppliers are responding is journalistic, and we grade it accordingly (grade C: original reporting, attributed). Reuters reported on that the new rules are leading some small suppliers to rethink military work: three aerospace companies each told Reuters they have suppliers who will not undergo the CMMC audit; the president of one U.S. firm said half of its suppliers had not indicated whether they will comply; and one Canadian supplier executive put his combined EU/US compliance cost at about C$500,000 (roughly US$365,000). The Aerospace Industries Association told Reuters that accumulating regulatory costs are forcing some member firms to “reconsider — if not exit” the defense marketplace. Reuters also cited 2022 House Small Business Subcommittee data that 88% of aerospace firms are small businesses. These are documented examples and on-record statements — not an exit rate. No verified exit-rate statistic exists (see the unverified-claims section).

Assistance is starting to move. The Senate Armed Services Committee’s FY2027 defense authorization bill would require DoD to establish a CMMC assessment grant program by — up to $100,000 per grant, capped at $50 million total — for small businesses and new entrants, prioritizing companies that have never held a DoD contract. It is a proposal, not law; Federal News Network first reported the provision in . Already real: the Army’s NCODE program awarded eight contracts worth a collective $49 million to provide small businesses a secure cloud enclave for meeting the requirements CMMC evaluates. A previously proposed federal tax credit (30% of costs, up to $50,000, for firms under 50 employees) has not passed.

What CMMC enforcement actions have happened?

Since the Department of Justice launched its Civil Cyber-Fraud Initiative in , we count 13 publicly announced False Claims Act resolutions involving federal cybersecurity requirements, totaling $60,393,500 — of which $38,986,778 across 10 resolutions involved defense-related contracts. Not one of them enforces CMMC certification itself. Every case enforces the preexisting obligations — NIST SP 800-171, DFARS 252.204-7012, FAR 52.204-21, and truthful self-reporting in SPRS — that CMMC now exists to verify. The False Claims Act (FCA) is the federal statute penalizing false claims for government payment; most of these cases began as qui tam suits, meaning a whistleblower filed on the government’s behalf and shares in the recovery.

Table 8 — DOJ cybersecurity-related False Claims Act resolutions, 2022–2026
| Year | Case | Amount | Contract context | Defense? |
|---|---|---|---|---|
| 2022 | Comprehensive Health Services | $930,000 | State Dept. & Air Force medical facilities | Yes |
| 2022 | Aerojet Rocketdyne | $9,000,000 | Misrepresented cyber compliance on federal contracts | Yes |
| 2024 | Guidehouse / Nan McKay | $11,300,000 | Federally funded state program | No |
| 2024 | ASRC Federal Data Solutions | $306,722 | Medicare beneficiary data | No |
| 2024 | Penn State | $1,250,000 | 15 DoD/NASA contracts; NIST SP 800-171 failures | Yes |
| 2025 | MORSECORP Inc. | $4,600,000 | Army and Air Force contracts; NIST SP 800-171 requirements | Yes |
| 2025 | Health Net / Centene | $11,253,400 | DoD TRICARE cybersecurity certifications | Yes |
| 2025 | Raytheon / Nightwing | $8,400,000 | ~30 DoD contracts; noncompliant internal system | Yes |
| 2025 | Illumina | $9,800,000 | Product cybersecurity vulnerabilities | No |
| 2025 | Aero Turbine / Gallant Capital | $1,750,000 | Air Force contract; NIST SP 800-171 requirements | Yes |
| 2025 | Georgia Tech Research Corp. | $875,000 | Air Force & DARPA contracts | Yes |
| 2025 | Swiss Automation | $421,234 | DoD prime and subcontractor; NIST SP 800-171 | Yes |
| 2026 | LOGZONE Inc. | $507,144 | Two Navy contracts; NIST SP 800-171 failures | Yes |

Source: Department of Justice press releases, linked where shown; evidence grade A (DOJ-published amounts) for every row. Full documentation for every resolution is maintained in our enforcement ledger. Totals are The Defense Compliance Report’s calculations from DOJ-published amounts, not official DOJ aggregate statistics. “Defense-related” means the resolution involved DoD-funded contracts, subcontracts, or DoD program certifications. Last verified .

TDCR calculation: 13 public DOJ cybersecurity-related FCA resolutions identified, $60,393,500 total; defense-related subset, 10 resolutions, $38,986,778.

The case that explains why third-party verification exists. On , DOJ announced that LOGZONE Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144 over two Navy contracts spanning to . The company had assessed itself a perfect 110 in SPRS. When the Defense Contract Management Agency assessed the same environment, it scored −170 — near the bottom of the −203-to-110 scale. Half the settlement, $253,572, is restitution. A 280-point gap between self-report and government assessment, in one sentence, is the entire argument for CMMC.

Two more patterns worth a writer’s attention. The Raytheon/Nightwing resolution held Nightwing liable as successor for conduct predating its acquisition of Raytheon’s cyber business — acquirers now inherit cyber-FCA exposure. And the Georgia Tech resolution paid whistleblowers $201,250 of the $875,000 recovery, a reminder of where these cases originate. Separately, the Administrative False Claims Act () now lets agencies pursue smaller cyber misrepresentations directly, without a DOJ suit.

How ready is the defense industrial base?

The most complete public multi-year readiness series we found — Merrill Research’s annual survey commissioned by CyberSheath, a CMMC managed services provider — found only 1% of surveyed contractors felt fully prepared for CMMC assessments in 2025, down from 8% in 2023 and 4% in 2024. Over the same series, the median self-reported SPRS score rose from 20 in 2022 to 60 in 2025. This is self-reported survey data with a commercial sponsor, and we grade it accordingly. We publish it anyway because it is the only multi-year readiness series with a named research firm and disclosed methodology.

Table 9 — Readiness survey provenance
| Field | Detail |
|---|---|
| Series | State of the DIB Report, annual waves 2022–2025 |
| Research firm | Merrill Research |
| Sponsor | CyberSheath, a CMMC managed services provider (disclosed in every release) |
| Published methodology | 2022 wave: 300 US-based DoD contractors, tested at a 95% confidence level; later-wave sample sizes are not stated in the public releases |
| Evidence grade | C |
| Key limitation | Self-reported readiness; commercially sponsored |

Source: Merrill Research / CyberSheath State of the DIB releases, 2022–2025; 2025 wave released . Compiled by The Defense Compliance Report; last verified .

The 2025 wave’s other findings, per the release: 69% of contractors claim DFARS compliance through self-assessment, but only 30% have completed medium or high validated assessments; just 42% have submitted SPRS scores at all; 17% still report negative scores (110 is the maximum); 89% report having suffered financial, business, or reputational losses from cyber incidents (57% financial, 56% business, 46% reputational); more than 70% call achieving and maintaining compliance “very difficult”; and eight in ten expect to undergo a C3PAO audit by winter 2026.

Read alongside the certification data above, the readiness picture is coherent: certificates are being issued faster than DoD modeled, by the prepared sliver of the market, while the survey data suggests the median contractor remains far from assessment-ready. Both facts should appear in any honest account.

What is the CMMC timeline?

The CMMC Program rule became effective . The DFARS acquisition rule became effective , starting Phase 1, which DoD lists as running through . Phase 2 begins — Level 2 (C3PAO) certification in applicable solicitations and contracts, generally as a condition of award, with DoD discretion to delay the requirement to an option period. Full implementation arrives .

Table 10 — CMMC milestones, 2010–2028
| Date | Milestone |
|---|---|
| | Executive Order 13556 establishes the CUI program |
| | DoD announces CMMC |
| | Interim DFARS rule (85 FR 61505) |
| | CMMC 2.0 announced; model cut from five levels to three |
| | Proposed program rule (88 FR 89058) |
| | Proposed DFARS rule (89 FR 66327); draws 97 public comments |
| | CMMC Program final rule published (89 FR 83092) |
| | Program rule effective; Level 2 assessments begin Jan. 2025 |
| | DFARS final rule published (90 FR 43560) |
| | DFARS rule effective — Phase 1 begins (through Nov. 9, 2026 per DoD CIO) |
| | Class Deviation 2026-O0025 issued / takes effect: new DFARS Part 240; deviation clause 252.240-7997 prescribed (see Table 11) |
| | Phase 2 — Level 2 (C3PAO) in applicable solicitations, generally as a condition of award, with DoD discretion to defer to an option period |
| | Phase 3 — adds option-period conditions and Level 3 (DIBCAC) |
| | Phase 4 — full implementation across applicable contracts |

Source: Federal Register documents as cited; DoD CIO CMMC page (dodcio.defense.gov/cmmc/About/); DoD Class Deviation 2026-O0025. Evidence grade: A for every row. Compiled by The Defense Compliance Report; last verified .

Two details from that table that writers get wrong constantly. First, the elapsed time: six years from announcement to enforceable contract clause (2019 to ). Second, the clause numbers. Since , DoD has used Class Deviation 2026-O0025 — part of the Revolutionary FAR Overhaul — to route NIST SP 800-171 assessment mechanics through deviation clause 252.240-7997 in covered solicitations, removing the old -7019 provision from those packages. But class deviations don’t rewrite the codified regulations: current Acquisition.gov DFARS text still lists 252.204-7019 and 252.204-7020 pending formal rulemaking. The operative clause is the one printed in your solicitation or contract.

Table 11 — Which clause should you cite? Status after
| Clause / provision | Status | What to cite in practice |
|---|---|---|
| FAR 52.204-21 (basic safeguarding, 15 controls) | Renumbered to FAR 52.240-93 in covered solicitations; title, text, and requirements unchanged; codified FAR still shows 52.204-21 | Both numbers refer to the same requirements; CMMC Level 1 documentation still references 52.204-21 |
| DFARS 252.204-7012 (safeguarding + 72-hour incident reporting) | Unchanged | Cite as-is — still the foundational clause |
| DFARS 252.204-7019 (notice of NIST SP 800-171 assessment) | Removed from packages issued under the deviation; still appears in codified DFARS pending rulemaking | Legacy contracts only; do not cite as a current requirement in new solicitations |
| DFARS 252.204-7020 (NIST SP 800-171 assessment requirements) | Mechanics carried forward through 252.240-7997 in covered solicitations; codified text still lists 7020 | The clause in your contract controls — new packages use 252.240-7997 |
| DFARS 252.240-7997 (NIST SP 800-171 DoD Assessment Requirements, deviation) | New deviation clause; defines Medium and High government-performed assessments only — no “basic” self-assessment | The operative assessment clause in solicitations issued on or after under the deviation |
| DFARS 252.204-7021 / 252.204-7025 (CMMC clause and solicitation provision) | Unchanged | The contracting instruments for CMMC status requirements |

Source: DoD Class Deviation 2026-O0025 and attachments (DARS class deviation index); current DFARS Part 252 text on Acquisition.gov. Evidence grade: A for every row. Compiled by The Defense Compliance Report; last verified .

Which circulating CMMC statistics could we not verify?

Several widely repeated CMMC numbers could not be traced to any primary source, reproducible denominator, or named methodology. We list them here — with what the verified data says instead — so they stop getting recycled. If you originated one of these figures and can share the underlying methodology, we will evaluate it and update this page.

Table 12 — Circulating claims we declined to publish as fact
| Circulating claim | Why we could not verify it | What the verified data says |
|---|---|---|
| “Only 8% of contractors requiring Level 2 are certified” (as of early 2026) | No source, no denominator, no methodology on any page carrying it | Cyber AB data: 896 final certificates in Feb. 2026 ≈ 0.8% of the 118,289 projection. The real figure is an order of magnitude lower than the claim. |
| “A 24–30 month C3PAO assessment backlog by late 2026” | Attributed only to unnamed “industry analysts”; no queue data exists from any primary source | Observed March 2026: ~178 certificates issued against a modeled assessor ceiling of ~1,500/month. Readiness, not assessor supply, is the documented constraint. |
| “15–20% of small suppliers will exit the DIB because of CMMC” | No survey or dataset produces this range | Verified instead: a >40% small-business decline in the pre-CMMC decade (DoD, 2022) and Reuters-documented suppliers declining to comply (Feb. 2026). The direction is supported; the percentage is invented. |
| “~80,000 contractors need Level 2 certification” | Not pinned to current rule text | Cite 118,289 (DFARS final rule). The ~80,000 shorthand likely traces to the derived small-entity figure of 80,436. |
| “All DoD contractors need CMMC” | Contradicted by the rule itself | The rule exempts contracts solely for COTS items and applies based on whether systems handle FCI or CUI. |
| “Cyber-related FCA cases rose 156% from 2024 to 2025” | No DOJ statistic matches; DOJ does not publish a “cyber FCA” category this way | The countable record is Table 8: publicly announced resolutions and amounts. |
| “Non-compliance costs $14.82M vs. $5.47M for compliance” | Circulates without citation; we could not trace it to any CMMC- or DIB-specific dataset | No verified CMMC-specific cost-of-noncompliance figure exists. The verifiable consequences are contract ineligibility and FCA exposure (Table 8). |

Source: The Defense Compliance Report review of circulating vendor statistics pages and sales collateral, , checked against the primary sources cited throughout this page.

Why these numbers matter right now

Phase 2 begins — about four months from this page’s verification date. From that point, Level 2 (C3PAO) certification appears in applicable solicitations, generally as a condition of award, and the gap between 1,391 certified organizations and a six-figure projected population stops being an abstraction and starts deciding who can bid. Congress is negotiating whether to subsidize the on-ramp (the FY2027 grant proposal). DOJ announced six defense-related cybersecurity FCA resolutions in 2025 alone and has already added LOGZONE in — and that case shows exactly what happens when a self-reported score meets a government assessment. Every number on this page moves — which is why each one carries a date, and why the page carries a verification stamp.

Limitations: what this data does and doesn’t show

We publish the caveats because a statistic without its limits is just a slogan.

  • Cyber AB Town Hall figures are official statements at a point in time, not an auditable public registry; monthly deltas can reflect reporting timing as well as issuance.
  • DoD’s entity counts and cost figures are regulatory model outputs built on disclosed assumptions (two offerors per solicitation, five subcontractors per prime proposal, preexisting NIST SP 800-171 implementation) — they are the authoritative estimates, not measurements.
  • There is no public registry of which contractors must certify, so no true compliance rate can be computed by anyone.
  • Survey findings in the readiness section are self-reported and commercially sponsored; we identify the sponsor every time.
  • Our enforcement totals are aggregations of DOJ-published amounts under a stated scope definition, not DOJ statistics.
  • Clause status in Table 11 reflects a class deviation that remains in effect until rescinded or incorporated through rulemaking; the operative clause is always the one in the contract.
  • Derived figures marked as TDCR calculations inherit their inputs’ uncertainty and are rounded as shown.
  • Nothing here is legal, financial, or compliance advice — for obligations under a specific contract, read the clause and consult qualified counsel.

Frequently asked questions

How many companies need CMMC?

DoD estimates 337,968 unique prime and subcontractor entities will be subject to CMMC requirements by Year 4 of implementation, per the DFARS final rule published . Of those, 229,818 — 68% — are small entities.

How many companies need CMMC Level 2 certification?

The DFARS final rule projects 118,289 entities will require Level 2 certification by a C3PAO, or 35% of all impacted entities. A separate, much smaller group of about 6,759 entities will be permitted to self-assess at Level 2.

How many companies are CMMC certified right now?

As of the Cyber AB Town Hall, 1,391 organizations held a final Level 2 certificate, with 47 conditional certificates and 140 assessments in progress. The figure has grown by an average of about 155 per month in 2026; our certification tracker updates it monthly.

How much does CMMC Level 2 certification cost a small business?

DoD’s official estimate is $101,752 initially and $104,670 over the three-year cycle. That covers assessment, certification, and affirmation activity only.

Does DoD's cost estimate include implementation?

No. The rule excludes implementation and remediation costs on the basis that FAR 52.204-21 (2016) and DFARS 252.204-7012 (2017) already required contractors to implement the underlying safeguards. At Level 3, where requirements are new, DoD did include engineering costs.

How many C3PAOs are there?

104 authorized C3PAOs as of the Cyber AB Town Hall, up from 97 in , supported by 759 Certified CMMC Assessors as of with further growth reported through . Four non-US C3PAOs were in the authorization pipeline as of early 2026.

Is DOJ enforcing CMMC?

Not CMMC certification itself — no case has done that. DOJ enforces the preexisting cybersecurity obligations CMMC verifies: since 2022, defense-related False Claims Act resolutions total $39.0 million across 10 cases, most recently LOGZONE’s $507,144 settlement in .

When did Phase 1 start, and when is Phase 2?

Phase 1 began , when the DFARS rule took effect, and runs through . Phase 2 begins , adding Level 2 (C3PAO) certification to applicable solicitations — generally as a condition of award, though DoD may delay the requirement to an option period.

Is there a CMMC assessment backlog?

No primary-source backlog measurement exists. Current data shows assessment capacity exceeding demand — roughly 178 certificates issued in against a modeled ceiling near 1,500 — with organizational readiness, not assessor supply, as the documented constraint. That could change as Phase 2 requirements take hold; we track the monthly figures.

Primary sources

This page is educational reference material, produced independently. It is not legal, financial, or compliance advice.