Primary sources — cited, current, clickable.
Control catalogs
NIST SP 800-171 Rev. 2 (current CMMC L2 basis)
The 110 security requirements for protecting CUI in non-federal systems. The authoritative catalog CMMC Level 2 maps to today.
NIST SP 800-171A Rev. 2 — assessment procedures
Procedures for assessing the security requirements in 800-171 Rev. 2. The companion assessor guide referenced by CMMC.
NIST SP 800-171 Rev. 3 (forward-looking)
Published 14 May 2024. Not yet the CMMC basis — DoD continues to anchor assessments to Rev. 2 pending future rulemaking.
Program rules
CMMC 2.0 Final Rule (32 CFR Part 170)
Federal Register publication of the CMMC Program rule. Published 15 Oct 2024; effective 16 Dec 2024.
DFARS 252.204-7012 — safeguarding CDI & cyber incident reporting
The foundational DFARS safeguarding clause that introduced NIST SP 800-171 to defense contracts. Still in full force.
DFARS 252.204-7021 — contractor compliance with CMMC level
The DFARS clause requiring contractors to hold the required CMMC certification before award and primes to flow it down. Effective 10 Nov 2025.
DoD CIO — CMMC program portal
Office of the DoD CIO landing page for CMMC. Phase rollout timeline, current rule status, and program-office guidance.
Assessor ecosystem
The Cyber AB — CMMC accreditation body
The non-profit accreditation body for the CMMC ecosystem (C3PAOs, assessors, training organizations).
C3PAO marketplace directory
Searchable directory of authorized Third-Party Assessor Organizations. Use this when selecting an assessor for Level 2 certification.
Threat intelligence
CISA Known Exploited Vulnerabilities (KEV) catalog
Living catalog of CVEs known to be exploited in the wild. Track and patch entries that affect software in your CMMC scope.
CISA Cybersecurity Performance Goals 2.0 (CPG)
CISA’s recommended performance goals for critical infrastructure. Cross-walks well with NIST 800-171 Rev. 2 and CMMC L2.
CISA Cybersecurity Alerts & Advisories
Authoritative cyber advisories. Subscribe to monitor advisories relevant to your defense-base supply chain.
CMMC 2.0 enforcement is already underway.
The DoD has staged CMMC rollout in phases. The industry-cited 10 November 2026 readiness window is approaching. The clock below reflects that target. Each milestone links to the authoritative source or to the engagement that handles it.
CMMC 2.0 Final Rule
32 CFR Part 170 finalized. The CMMC Program rule was published in the Federal Register, codifying Level 1 / 2 / 3.
Read on Federal Register
CMMC Program Effective
The CMMC Program rule took effect, with phased rollout planned across DoD contracts.
DoD CIO program page
Phase 1 — Self-Assessment Required
DoD begins requiring Level 1 and Level 2 self-assessments in applicable contracts. The implementing DFARS rule (DFARS 252.204-7021) takes effect, kicking off the 3-year phased rollout.
DoD CIO rollout overview
L2 Certification Assessments Required
DoD begins requiring Level 2 certification assessments by authorized C3PAOs in applicable contracts. This is the industry-watched deadline for contractors handling CUI to be assessment-ready.
Phase 3 — Level 3 Certification
DoD begins requiring Level 3 certification assessments (government-led) for contracts handling the most sensitive CUI. Level 2 obligations continue across the broader contract base.
Full DoD Implementation
Anticipated end-state: CMMC level requirements appear in all applicable DoD solicitations and contracts. Phased rollout complete.
CMMC, NIST & cyber intelligence — filtered for the defense base.
Editorially curated from DoD CIO, NIST CSRC, Cyber-AB, CISA, and the Acquisition.gov DFARS catalog. Click any item to read the primary source.
CMMC Phase 2: Level 2 C3PAO certification requirements take effect
Phase 2 of the CMMC 2.0 rollout introduces mandatory Level 2 certification assessments by accredited C3PAOs in applicable DoD solicitations and contracts handling CUI, one year after Phase 1 self-assessments began.
DFARS 252.204-7021 in effect — CMMC certification required prior to award
The DFARS contract clause requiring contractors to hold the required CMMC certification level before award (and primes to flow down the requirement to subcontractors handling CUI/FCI) became enforceable on 10 November 2025.
Revolutionary FAR Overhaul — DFARS Part 240 reorganization takes effect
Class deviations issued under the FAR Overhaul renumber DFARS 252.204-7020 to DFARS 252.240-7997 and eliminate 252.204-7019. Foundational clauses 252.204-7012 and 252.204-7021 remain in full force.
NIST SP 800-171 Rev. 3 published — Rev. 2 remains current CMMC basis
NIST published the final SP 800-171 Rev. 3 and the assessment guide SP 800-171A Rev. 3 on 14 May 2024. DoD continues to anchor CMMC Level 2 assessments to Rev. 2; Rev. 3 implementation is expected to be addressed in future rulemaking.
CISA adds Langflow and Trend Micro Apex One vulnerabilities to KEV catalog
CISA added CVE-2025-34291 (Langflow origin validation) and CVE-2026-34926 (Trend Micro Apex One directory traversal) to the Known Exploited Vulnerabilities catalog with binding remediation deadlines for federal agencies.
Microsoft Defender vulnerabilities added to KEV — exploited in the wild
CISA added seven vulnerabilities to the KEV catalog including CVE-2026-41091 (Microsoft Defender elevation of privilege) and CVE-2026-45498 (Microsoft Defender denial of service). Federal civilian agencies have set remediation deadlines.
CISA releases Cybersecurity Performance Goals 2.0 for critical infrastructure
CPG 2.0 updates CISA’s recommended practices to reflect the NIST Cybersecurity Framework 2.0. The goals apply to defense-relevant critical infrastructure and align well with CMMC Level 2 controls.
C3PAO marketplace — accredited assessor count remains in the dozens
The Cyber AB’s C3PAO marketplace lists currently-authorized third-party assessor organizations. Limited assessor supply versus demand makes scheduling Level 2 certification slots a planning consideration.