The Defense Compliance Report — Research & Data
CMMC Statistics 2026: Certification Counts, Costs, Small Business Impact & Enforcement Data
The most important CMMC statistics in 2026 come from the Department of Defense’s own rulemaking: DoD estimates 337,968 prime and subcontractor entities will be subject to the Cybersecurity Maturity Model Certification (CMMC) program by Year 4 of implementation — 229,818 of them (68%) small entities — with 118,289 projected to need third-party Level 2 certification. DoD’s official price for that certification, $104,670 for a small entity over three years, excludes implementation and remediation entirely. Meanwhile, $38,986,778 in defense-related False Claims Act settlements since 2022 enforces the preexisting obligations CMMC now exists to verify.
Key CMMC statistics at a glance
| Statistic | Figure | Grade | Source |
|---|---|---|---|
| Entities subject to CMMC by Year 4 | 337,968 | A | DFARS final rule, Sept. 10, 2025 |
| Small entities among them | 229,818 (68%) | A | DFARS final rule |
| Entities projected to need Level 2 (C3PAO) certification | 118,289 | A | DFARS final rule |
| Official small-entity Level 2 certification estimate | $104,670 over 3 years — implementation excluded | A | CMMC Program final rule, Oct. 15, 2024 |
| Final Level 2 certificates issued | 1,391 | B | Cyber AB May 2026 Town Hall (PDF) |
| Authorized C3PAOs | 104 | B | Cyber AB May 2026 Town Hall (PDF) |
| Defense-related cybersecurity FCA settlements since 2022 | $39.0 million across 10 resolutions | TDCR | DOJ press releases (Table 8) |
| Phase 2 — Level 2 certification in applicable new contracts | | A | DoD CIO |
What this shows — and what it doesn’t
These figures establish the program’s scale (roughly one-third of a million entities), its cost floor (six figures for a small business before a single control is implemented), its early trajectory (about 1.2% of the projected Level 2 population certified so far), and its legal teeth ($39.0 million in defense-related False Claims Act settlements before any certificate was ever required).
They do not show a compliance rate — no public registry says who is compliant and who isn’t. They do not show total compliance cost — DoD deliberately excluded implementation from its estimates, for reasons we explain below. And they do not show an assessment backlog, because no primary-source backlog measurement exists anywhere. Where the data ends, we say so.
How we built this page
We read both CMMC rules in the Federal Register — the program rule (32 CFR Part 170) and the acquisition rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) — along with the current clause text on Acquisition.gov, DoD’s published reports and CIO guidance, the class deviation memo, Department of Justice settlement announcements, Cyber AB Town Hall disclosures, and original reporting from Reuters and Federal News Network. We recomputed every number independently and checked it against its stated source.
Every statistic carries one of three evidence grades, or a calculation label:
| Grade | Meaning |
|---|---|
| A | Official primary source: Federal Register, eCFR, Acquisition.gov, DoD, NIST, DOJ documents |
| B | Official program data stated in official venues or official dynamic sources, verified as of a date (Cyber AB Town Halls) |
| C | Named industry surveys, analyses, or original reporting by major news organizations with disclosed sourcing or methodology; sponsor identified where applicable |
| TDCR | Our arithmetic from A- or B-grade inputs, with the formula shown |
Claims that fail all four categories — no source, no denominator, no methodology — do not appear as facts anywhere on this page. They appear in one place only: the “claims we could not verify” section near the end.
Two related references in this section update on their own schedules: our CMMC certification tracker (monthly, after each Cyber AB Town Hall) and our cybersecurity enforcement ledger (event-driven, as DOJ announces resolutions). Figures on this page are snapshots from those datasets as of the verification date above.
How to cite this page
The Defense Compliance Report. “CMMC Statistics 2026: Certification Counts, Costs, Small Business Impact & Enforcement Data.” thedefensecompliancereport.com/research/cmmc-statistics/. Last verified .
Every statistic on this page, with its source, evidence grade, and verification date, is available as a CSV at /research/cmmc-statistics/cmmc-statistics-ledger.csv — no email required.
How many companies need CMMC?
DoD estimates 337,968 unique entities — prime contractors and subcontractors combined — will be subject to CMMC requirements by Year 4 of the phased rollout, according to the DFARS final rule published . Of those, 229,818 (68%) are small entities. The requirement applies to any contractor whose information systems process, store, or transmit federal contract information (FCI) or controlled unclassified information (CUI) under a DoD contract, with a carve-out for contracts solely for commercially available off-the-shelf (COTS) items.
| CMMC level | Share | Entity count | Grade |
|---|---|---|---|
| Level 1 (Self) — FCI only | 62% | 209,540 * | A / TDCR |
| Level 2 (Self) — lower-risk CUI | 2% | 6,759 * | A / TDCR |
| Level 2 (C3PAO) — most CUI | 35% | 118,289 | A |
| Level 3 (DIBCAC) — most sensitive CUI | 1% | 3,380 * | A / TDCR |
| Total | 100% | 337,968 | A |
How DoD counted. The department doesn’t actually track unique offerors, and it has no contractual relationship with subcontractors at all. So the rule’s analysis works from assumptions: roughly 28,164 annual solicitations, an assumed average of two offerors each (56,328 prime offerors), and an assumed five subcontractors per prime proposal. Multiply through (56,328 primes plus five subcontractors each, or 56,328 × 6) and you reach 337,968 unique entities. That means the headline number is a model output, not a census — a distinction that matters when extrapolating.
The phase-in is deliberately back-loaded for small businesses. The rule projects 1,104 small entities affected in Year 1, 5,565 in Year 2, 18,554 in Year 3, and the full 229,818 by Year 4 and beyond.
One precision note writers routinely miss: CMMC certifies information systems, not companies. Each assessed system receives a CMMC unique identifier (UID) in SPRS, DoD’s contractor-performance database, and a single company can hold several. The Cyber AB reinforced this at its Town Hall in guidance on joint ventures, which must identify every UID used in contract performance. “Companies certified” and “certificates issued” are close approximations, not identical measures.
How many companies need CMMC Level 2 certification?
The DFARS final rule projects 118,289 entities will require Level 2 certification by a Certified Third-Party Assessment Organization (C3PAO) — an independent assessor authorized by the Cyber AB — by Year 4 of implementation. That is 35% of all impacted entities. A much smaller group, about 6,759 entities (2%), will be allowed to self-assess at Level 2 for lower-risk CUI. The two paths are frequently collapsed into one “Level 2” number; they shouldn’t be.
About that “80,000” figure you keep seeing. A claim that “roughly 80,000 contractors need Level 2 certification” circulates widely. We could not pin that exact figure to current rule text. What we can reproduce: apply the rule’s 35% Level 2 (C3PAO) share to the 229,818 small entities and you get 80,436 small entities in the certification population (TDCR calculation) — almost certainly the origin of the ~80,000 shorthand. The correct all-entity figure is 118,289.
How many companies are CMMC certified right now?
As of the Cyber AB Town Hall, 1,391 organizations hold a final Level 2 certificate, with 47 conditional certificates open and 140 assessments in progress. That is roughly 1.2% of the 118,289 entities DoD projects will need Level 2 certification (1,391 ÷ 118,289; TDCR calculation). Current figures update monthly in our certification tracker.
| Date | Final L2 certificates | Grade | Source |
|---|---|---|---|
| | ~100 | B | Cyber AB Town Hall, via July 2025 recap (first five months) |
| | 158 | B | Cyber AB Town Hall, via July 2025 recap |
| | ~270 | C | 2025 State of the DIB Report release |
| | 459 † | C | Redspin, citing Cyber AB statistics |
| | 773 | B | Cyber AB Town Hall, January 2026 recap |
| | 896 | B | Cyber AB Town Hall, February 2026 recap |
| | ~1,074 ‡ | B / TDCR | March 2026 Town Hall, as reported by Secureframe |
| | ~1,220 ‡ | TDCR | Implied by May’s reported +14% month-over-month |
| | 1,391 | B | Cyber AB May 2026 Town Hall (PDF) |
That works out to an average of about 155 new final certificates per month in 2026 ((1,391 − 773) ÷ 4 months, through ; TDCR calculation).
The finding nobody else has published: the market is running ahead of DoD’s own model. The program rule projected 135 C3PAO-led certification assessments in Year 1, 673 in Year 2, 2,252 in Year 3, and 4,452 in Year 4 — 808 cumulative through the first two years. Actual final certificates reached 1,391 by , about seventeen months after the program rule took effect and only partway into Year 2. Measured against DoD’s own curve, the defense industrial base is ahead of model on early adoption.
Failure data is thin but real: the Cyber AB disclosed in that 8 organizations had failed a Level 2 assessment to that point, while noting unreported false starts likely exist. And conditional status — certification with an open Plan of Action and Milestones (POA&M), the 180-day punch list for unmet requirements — covers only about 3% of certified organizations (47 of 1,438 total certificates, i.e., 1,391 final plus 47 conditional; TDCR calculation).
What are the official CMMC cost statistics?
DoD’s official estimate for a small entity’s Level 2 certification is $101,752 initially and $104,670 over the full three-year cycle — and that figure covers only assessment, certification, and affirmation activity. It excludes implementation and remediation entirely. Both numbers come from the CMMC Program final rule’s regulatory analysis.
| Assessment path | Initial estimate | Three-year estimate |
|---|---|---|
| Level 1 self-assessment (small entity) | $5,977 | + $560 per annual reaffirmation |
| Level 2 self-assessment (small entity) | $34,277 | $37,196 |
| Level 2 self-assessment (other-than-small) | $43,403 | $48,827 |
| Level 2 C3PAO certification (small entity) | $101,752 | $104,670 |
| Level 2 C3PAO certification (other-than-small) | $112,345 | $117,768 |
| Level 3 assessment + affirmations (small entity) | — | $12,802 (atop Level 2, excl. engineering) |
What DoD’s $104,670 estimate does not include
The rule states that implementation costs are not attributed to CMMC because the underlying requirements already exist: the basic safeguarding clause at FAR 52.204-21 has applied since , and DFARS 252.204-7012 required full implementation of NIST SP 800-171 — the 110-requirement federal standard for protecting CUI — by . In DoD’s accounting, a contractor handling CUI should have absorbed those costs years ago. CMMC merely charges you to prove it.
The proof that this was a choice, not an oversight: at Level 3, where the rule adds genuinely new requirements drawn from NIST SP 800-172, DoD did count engineering costs — an estimated $2.7 million in nonrecurring and $490,000 in recurring engineering costs for a small entity. The department costs implementation when requirements are new and excludes it when they’re preexisting. That accounting boundary is the single most useful thing to understand about every CMMC cost figure in circulation.
The gap between the certification paths is itself instructive: a small entity’s three-year Level 2 certification estimate runs $67,474 more than the self-assessment path ($104,670 − $37,196; TDCR calculation). For scale, the rule’s own analysis puts the DFARS acquisition rule’s total cost at $344.9 million in present value over ten years at a 3% discount rate ($329.1 million public, $15.8 million government).
What contractors actually budget is a different question — and a different grade of evidence. In a PreVeil survey of more than 2,000 defense contractors (sponsor: PreVeil, a compliance platform vendor), 70% had budgeted less than the DoD estimate for Level 2 certification. The 2025 Merrill Research survey commissioned by CyberSheath, a CMMC managed services provider, found annual compliance budgets averaging nearly $50,000. We publish these as what they are — named surveys with disclosed sponsors (C) — not as official figures.
Is there enough C3PAO capacity — and is there a backlog?
As of the Cyber AB Town Hall there were 104 authorized C3PAOs, up from 97 in , alongside 759 Certified CMMC Assessors (CCAs) as of and a further 15% jump in CCAs from to . No primary-source measurement of an assessment backlog exists — from the Cyber AB, DoD, or anyone else — and the available capacity data points the other direction.
| Measure | Figure | Grade | Source |
|---|---|---|---|
| Entities projected to need Level 2 (C3PAO) certification | 118,289 | A | DFARS final rule |
| Final Level 2 certificates issued | 1,391 | B | Cyber AB May 2026 Town Hall (PDF) |
| Authorized C3PAOs | 104 | B | Cyber AB May 2026 Town Hall (PDF) |
| Date | C3PAOs | CCAs | CCPs | Lead CCAs | Grade | Source |
|---|---|---|---|---|---|---|
| | 97 | 688 | 1,459 | 425 | B | Cyber AB Jan. 2026 recap |
| | 98 | 748 | 1,494 | 452 | B | Cyber AB Feb. 2026 recap |
| | 103 | 759 | — | — | B | March 2026 Town Hall via Secureframe |
| | 104 | +15% Apr→May | — | — | B | Cyber AB May 2026 Town Hall (PDF) |
Beyond the assessor corps: Registered Practitioners numbered roughly 2,000 and Registered Provider Organizations 378 as of early 2026, four non-US C3PAOs were moving through authorization, and credentialing operations transferred from the Cyber AB’s CAICO arm to ISACA, with the transition completing . A analysis by Secureframe, which pulled all 5,732 active Cyber AB Marketplace entries via the marketplace’s public API, counted 3,607 unique entities holding at least one ecosystem role.
Two scale figures, clearly labeled as arithmetic: if the DFARS-rule projection materializes, the current assessor base implies about 1,137 organizations needing certification per authorized C3PAO (118,289 ÷ 104), and the Level 2 certification population is 26.6 times DoD’s own projected Year 4 annual assessment volume (118,289 ÷ 4,452). Neither is a backlog claim — they describe the size of the mountain, not the length of the queue.
As for the queue itself: Secureframe’s capacity model estimated a theoretical ceiling around 1,500 assessments per month if every CCA ran two solo assessments monthly — against roughly 178 certificates actually issued in . On the numbers available, the binding constraint is organizational readiness, not assessor headcount: assessors report spending much of their time on advisory work and mock assessments because organizations arrive unprepared. The “24–30 month backlog” figure appears in our unverified-claims section below, where it belongs.
How does CMMC affect small businesses?
Small entities are 68% of everyone CMMC touches — 229,818 small entities, including prime contractors and subcontractors — and roughly 80,436 of the projected Level 2 certification population (TDCR calculation from the rule’s distribution). The program’s costs land on the smallest balance sheets in the defense supply chain, and they land on a population that was already shrinking.
The pre-CMMC context comes from DoD itself. The department’s State of Competition report found the number of small businesses in the DIB shrank by more than 40% over the preceding decade — even as DoD grew small-business R&D spending 83% and manufacturing spending 28% over the same period. Then-Deputy Secretary Kathleen Hicks warned the department could lose an additional 15,000 suppliers over the following ten years on the existing trend. More companies spent more money and still left. CMMC adds a six-figure gate on top of that trend.
The early evidence on how suppliers are responding is journalistic, and we grade it accordingly (grade C: original reporting, attributed). Reuters reported on that the new rules are leading some small suppliers to rethink military work: three aerospace companies each told Reuters they have suppliers who will not undergo the CMMC audit; the president of one U.S. firm said half of its suppliers had not indicated whether they will comply; and one Canadian supplier executive put his combined EU/US compliance cost at about C$500,000 (roughly US$365,000). The Aerospace Industries Association told Reuters that accumulating regulatory costs are forcing some member firms to “reconsider — if not exit” the defense marketplace. Reuters also cited 2022 House Small Business Subcommittee data that 88% of aerospace firms are small businesses. These are documented examples and on-record statements — not an exit rate. No verified exit-rate statistic exists (see the unverified-claims section).
Assistance is starting to move. The Senate Armed Services Committee’s FY2027 defense authorization bill would require DoD to establish a CMMC assessment grant program by — up to $100,000 per grant, capped at $50 million total — for small businesses and new entrants, prioritizing companies that have never held a DoD contract. It is a proposal, not law; Federal News Network first reported the provision in . Already real: the Army’s NCODE program awarded eight contracts worth a collective $49 million to provide small businesses a secure cloud enclave for meeting the requirements CMMC evaluates. A previously proposed federal tax credit (30% of costs, up to $50,000, for firms under 50 employees) has not passed.
What CMMC enforcement actions have happened?
Since the Department of Justice launched its Civil Cyber-Fraud Initiative in , we count 13 publicly announced False Claims Act resolutions involving federal cybersecurity requirements, totaling $60,393,500 — of which $38,986,778 across 10 resolutions involved defense-related contracts. Not one of them enforces CMMC certification itself. Every case enforces the preexisting obligations — NIST SP 800-171, DFARS 252.204-7012, FAR 52.204-21, and truthful self-reporting in SPRS — that CMMC now exists to verify. The False Claims Act (FCA) is the federal statute penalizing false claims for government payment; most of these cases began as qui tam suits, meaning a whistleblower filed on the government’s behalf and shares in the recovery.
| Year | Case | Amount | Contract context | Defense? |
|---|---|---|---|---|
| 2022 | Comprehensive Health Services | $930,000 | State Dept. & Air Force medical facilities | Yes |
| 2022 | Aerojet Rocketdyne | $9,000,000 | Misrepresented cyber compliance on federal contracts | Yes |
| 2024 | Guidehouse / Nan McKay | $11,300,000 | Federally funded state program | |
| 2024 | ASRC Federal Data Solutions | $306,722 | Medicare beneficiary data | |
| 2024 | Penn State | $1,250,000 | 15 DoD/NASA contracts; NIST SP 800-171 failures | Yes |
| 2025 | MORSECORP Inc. | $4,600,000 | Army and Air Force contracts; NIST SP 800-171 requirements | Yes |
| 2025 | Health Net / Centene | $11,253,400 | DoD TRICARE cybersecurity certifications | Yes |
| 2025 | Raytheon / Nightwing | $8,400,000 | ~30 DoD contracts; noncompliant internal system | Yes |
| 2025 | Illumina | $9,800,000 | Product cybersecurity vulnerabilities | |
| 2025 | Aero Turbine / Gallant Capital | $1,750,000 | Air Force contract; NIST SP 800-171 requirements | Yes |
| 2025 | Georgia Tech Research Corp. | $875,000 | Air Force & DARPA contracts | Yes |
| 2025 | Swiss Automation | $421,234 | DoD prime and subcontractor; NIST SP 800-171 | Yes |
| 2026 | LOGZONE Inc. | $507,144 | Two Navy contracts; NIST SP 800-171 failures | Yes |
TDCR calculation: 13 public DOJ cybersecurity-related FCA resolutions identified, $60,393,500 total; defense-related subset, 10 resolutions, $38,986,778.
The case that explains why third-party verification exists. On , DOJ announced that LOGZONE Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144 over two Navy contracts spanning to . The company had assessed itself a perfect 110 in SPRS. When the Defense Contract Management Agency assessed the same environment, it scored −170 — near the bottom of the −203-to-110 scale. Half the settlement, $253,572, is restitution. A 280-point gap between self-report and government assessment, in one sentence, is the entire argument for CMMC.
Two more patterns worth a writer’s attention. The Raytheon/Nightwing resolution held Nightwing liable as successor for conduct predating its acquisition of Raytheon’s cyber business — acquirers now inherit cyber-FCA exposure. And the Georgia Tech resolution paid whistleblowers $201,250 of the $875,000 recovery, a reminder of where these cases originate. Separately, the Administrative False Claims Act () now lets agencies pursue smaller cyber misrepresentations directly, without a DOJ suit.
How ready is the defense industrial base?
The most complete public multi-year readiness series we found — Merrill Research’s annual survey commissioned by CyberSheath, a CMMC managed services provider — found only 1% of surveyed contractors felt fully prepared for CMMC assessments in 2025, down from 8% in 2023 and 4% in 2024. Over the same series, the median self-reported SPRS score rose from 20 in 2022 to 60 in 2025. This is self-reported survey data with a commercial sponsor, and we grade it accordingly. We publish it anyway because it is the only multi-year readiness series with a named research firm and disclosed methodology.
| Field | Detail |
|---|---|
| Series | State of the DIB Report, annual waves 2022–2025 |
| Research firm | Merrill Research |
| Sponsor | CyberSheath, a CMMC managed services provider (disclosed in every release) |
| Published methodology | 2022 wave: 300 US-based DoD contractors, tested at a 95% confidence level; later-wave sample sizes are not stated in the public releases |
| Evidence grade | C |
| Key limitation | Self-reported readiness; commercially sponsored |
The 2025 wave’s other findings, per the release: 69% of contractors claim DFARS compliance through self-assessment, but only 30% have completed medium or high validated assessments; just 42% have submitted SPRS scores at all; 17% still report negative scores (110 is the maximum); 89% report having suffered financial, business, or reputational losses from cyber incidents (57% financial, 56% business, 46% reputational); more than 70% call achieving and maintaining compliance “very difficult”; and eight in ten expect to undergo a C3PAO audit by winter 2026.
Read alongside the certification data above, the readiness picture is coherent: certificates are being issued faster than DoD modeled, by the prepared sliver of the market, while the survey data suggests the median contractor remains far from assessment-ready. Both facts should appear in any honest account.
What is the CMMC timeline?
The CMMC Program rule became effective . The DFARS acquisition rule became effective , starting Phase 1, which DoD lists as running through . Phase 2 begins — Level 2 (C3PAO) certification in applicable solicitations and contracts, generally as a condition of award, with DoD discretion to delay the requirement to an option period. Full implementation arrives .
| Date | Milestone |
|---|---|
| | Executive Order 13556 establishes the CUI program |
| | DoD announces CMMC |
| | Interim DFARS rule (85 FR 61505) |
| | CMMC 2.0 announced; model cut from five levels to three |
| | Proposed program rule (88 FR 89058) |
| | Proposed DFARS rule (89 FR 66327); draws 97 public comments |
| | CMMC Program final rule published (89 FR 83092) |
| | Program rule effective; Level 2 assessments begin Jan. 2025 |
| | DFARS final rule published (90 FR 43560) |
| | DFARS rule effective — Phase 1 begins (through Nov. 9, 2026 per DoD CIO) |
| | Class Deviation 2026-O0025 issued / takes effect: new DFARS Part 240; deviation clause 252.240-7997 prescribed (see Table 11) |
| | Phase 2 — Level 2 (C3PAO) in applicable solicitations, generally as a condition of award, with DoD discretion to defer to an option period |
| | Phase 3 — adds option-period conditions and Level 3 (DIBCAC) |
| | Phase 4 — full implementation across applicable contracts |
Two details from that table that writers get wrong constantly. First, the elapsed time: six years from announcement to enforceable contract clause (2019 to ). Second, the clause numbers. Since , DoD has used Class Deviation 2026-O0025 — part of the Revolutionary FAR Overhaul — to route NIST SP 800-171 assessment mechanics through deviation clause 252.240-7997 in covered solicitations, removing the old -7019 provision from those packages. But class deviations don’t rewrite the codified regulations: current Acquisition.gov DFARS text still lists 252.204-7019 and 252.204-7020 pending formal rulemaking. The operative clause is the one printed in your solicitation or contract.
| Clause / provision | Status | What to cite in practice |
|---|---|---|
| FAR 52.204-21 (basic safeguarding, 15 controls) | Renumbered to FAR 52.240-93 in covered solicitations; title, text, and requirements unchanged; codified FAR still shows 52.204-21 | Both numbers refer to the same requirements; CMMC Level 1 documentation still references 52.204-21 |
| DFARS 252.204-7012 (safeguarding + 72-hour incident reporting) | Unchanged | Cite as-is — still the foundational clause |
| DFARS 252.204-7019 (notice of NIST SP 800-171 assessment) | Removed from packages issued under the deviation; still appears in codified DFARS pending rulemaking | Legacy contracts only; do not cite as a current requirement in new solicitations |
| DFARS 252.204-7020 (NIST SP 800-171 assessment requirements) | Mechanics carried forward through 252.240-7997 in covered solicitations; codified text still lists 7020 | The clause in your contract controls — new packages use 252.240-7997 |
| DFARS 252.240-7997 (NIST SP 800-171 DoD Assessment Requirements, deviation) | New deviation clause; defines Medium and High government-performed assessments only — no “basic” self-assessment | The operative assessment clause in solicitations issued on or after under the deviation |
| DFARS 252.204-7021 / 252.204-7025 (CMMC clause and solicitation provision) | Unchanged | The contracting instruments for CMMC status requirements |
Which circulating CMMC statistics could we not verify?
Several widely repeated CMMC numbers could not be traced to any primary source, reproducible denominator, or named methodology. We list them here — with what the verified data says instead — so they stop getting recycled. If you originated one of these figures and can share the underlying methodology, we will evaluate it and update this page.
| Circulating claim | Why we could not verify it | What the verified data says |
|---|---|---|
| “Only 8% of contractors requiring Level 2 are certified” (as of early 2026) | No source, no denominator, no methodology on any page carrying it | Cyber AB data: 896 final certificates in Feb. 2026 ≈ 0.8% of the 118,289 projection. The real figure is an order of magnitude lower than the claim. |
| “A 24–30 month C3PAO assessment backlog by late 2026” | Attributed only to unnamed “industry analysts”; no queue data exists from any primary source | Observed March 2026: ~178 certificates issued against a modeled assessor ceiling of ~1,500/month. Readiness, not assessor supply, is the documented constraint. |
| “15–20% of small suppliers will exit the DIB because of CMMC” | No survey or dataset produces this range | Verified instead: a >40% small-business decline in the pre-CMMC decade (DoD, 2022) and Reuters-documented suppliers declining to comply (Feb. 2026). The direction is supported; the percentage is invented. |
| “~80,000 contractors need Level 2 certification” | Not pinned to current rule text | Cite 118,289 (DFARS final rule). The ~80,000 shorthand likely traces to the derived small-entity figure of 80,436. |
| “All DoD contractors need CMMC” | Contradicted by the rule itself | The rule exempts contracts solely for COTS items and applies based on whether systems handle FCI or CUI. |
| “Cyber-related FCA cases rose 156% from 2024 to 2025” | No DOJ statistic matches; DOJ does not publish a “cyber FCA” category this way | The countable record is Table 8: publicly announced resolutions and amounts. |
| “Non-compliance costs $14.82M vs. $5.47M for compliance” | Circulates without citation; we could not trace it to any CMMC- or DIB-specific dataset | No verified CMMC-specific cost-of-noncompliance figure exists. The verifiable consequences are contract ineligibility and FCA exposure (Table 8). |
Why these numbers matter right now
Phase 2 begins — about four months from this page’s verification date. From that point, Level 2 (C3PAO) certification appears in applicable solicitations, generally as a condition of award, and the gap between 1,391 certified organizations and a six-figure projected population stops being an abstraction and starts deciding who can bid. Congress is negotiating whether to subsidize the on-ramp (the FY2027 grant proposal). DOJ announced six defense-related cybersecurity FCA resolutions in 2025 alone and has already added LOGZONE in — and that case shows exactly what happens when a self-reported score meets a government assessment. Every number on this page moves — which is why each one carries a date, and why the page carries a verification stamp.
Limitations: what this data does and doesn’t show
We publish the caveats because a statistic without its limits is just a slogan.
- Cyber AB Town Hall figures are official statements at a point in time, not an auditable public registry; monthly deltas can reflect reporting timing as well as issuance.
- DoD’s entity counts and cost figures are regulatory model outputs built on disclosed assumptions (two offerors per solicitation, five subcontractors per prime proposal, preexisting NIST SP 800-171 implementation) — they are the authoritative estimates, not measurements.
- There is no public registry of which contractors must certify, so no true compliance rate can be computed by anyone.
- Survey findings in the readiness section are self-reported and commercially sponsored; we identify the sponsor every time.
- Our enforcement totals are aggregations of DOJ-published amounts under a stated scope definition, not DOJ statistics.
- Clause status in Table 11 reflects a class deviation that remains in effect until rescinded or incorporated through rulemaking; the operative clause is always the one in the contract.
- Derived figures marked as TDCR calculations inherit their inputs’ uncertainty and are rounded as shown.
- Nothing here is legal, financial, or compliance advice — for obligations under a specific contract, read the clause and consult qualified counsel.
Frequently asked questions
How many companies need CMMC?
DoD estimates 337,968 unique prime and subcontractor entities will be subject to CMMC requirements by Year 4 of implementation, per the DFARS final rule published . Of those, 229,818 — 68% — are small entities.
How many companies need CMMC Level 2 certification?
The DFARS final rule projects 118,289 entities will require Level 2 certification by a C3PAO, or 35% of all impacted entities. A separate, much smaller group of about 6,759 entities will be permitted to self-assess at Level 2.
How many companies are CMMC certified right now?
As of the Cyber AB Town Hall, 1,391 organizations held a final Level 2 certificate, with 47 conditional certificates and 140 assessments in progress. The figure has grown by an average of about 155 per month in 2026; our certification tracker updates it monthly.
How much does CMMC Level 2 certification cost a small business?
DoD’s official estimate is $101,752 initially and $104,670 over the three-year cycle. That covers assessment, certification, and affirmation activity only.
Does DoD's cost estimate include implementation?
No. The rule excludes implementation and remediation costs on the basis that FAR 52.204-21 (2016) and DFARS 252.204-7012 (2017) already required contractors to implement the underlying safeguards. At Level 3, where requirements are new, DoD did include engineering costs.
How many C3PAOs are there?
104 authorized C3PAOs as of the Cyber AB Town Hall, up from 97 in , supported by 759 Certified CMMC Assessors as of with further growth reported through . Four non-US C3PAOs were in the authorization pipeline as of early 2026.
Is DOJ enforcing CMMC?
Not CMMC certification itself — no case has done that. DOJ enforces the preexisting cybersecurity obligations CMMC verifies: since 2022, defense-related False Claims Act resolutions total $39.0 million across 10 cases, most recently LOGZONE’s $507,144 settlement in .
When did Phase 1 start, and when is Phase 2?
Phase 1 began , when the DFARS rule took effect, and runs through . Phase 2 begins , adding Level 2 (C3PAO) certification to applicable solicitations — generally as a condition of award, though DoD may delay the requirement to an option period.
Is there a CMMC assessment backlog?
No primary-source backlog measurement exists. Current data shows assessment capacity exceeding demand — roughly 178 certificates issued in against a modeled ceiling near 1,500 — with organizational readiness, not assessor supply, as the documented constraint. That could change as Phase 2 requirements take hold; we track the monthly figures.
Primary sources
- DFARS final rule — Assessing Contractor Implementation of Cybersecurity Requirements, 90 FR 43560 (Sept. 10, 2025)
- CMMC Program final rule, 32 CFR Part 170, 89 FR 83092 (Oct. 15, 2024)
- 32 CFR Part 170, current text (eCFR)
- DoD CIO — About CMMC
- DoD Class Deviation 2026-O0025 — Revolutionary FAR Overhaul Part 40 / DFARS Part 240 (Dec. 18, 2025) and the DARS class deviation index
- DFARS Part 252, current text (Acquisition.gov)
- DoD — State of Competition Within the Defense Industrial Base (Feb. 2022)
- DOJ — Civil Cyber-Fraud Initiative announcement (Oct. 2021) and the settlement releases linked in Table 8
- Cyber AB Town Halls
- Reuters — “New cybersecurity rules for US defense industry create barrier for some small suppliers” (Feb. 20, 2026)
- Federal News Network — Senate NDAA proposes CMMC grant program (June 2026)