
CMMC Bottleneck Coming
Why Early Adopters Are Positioned for Success
Insights based upon September 2025 Cyber AB data.
See What Primes Are Saying About CMMC 2.0CMMC Rollout Projections
Maximize your competitive position
The latest Cyber AB data reinforces the main takeaways from our initial projections, and the warning signs are only getting clearer:
- Certification is still rare: 99.7% of companies expecting Level 2 (C3PAO) compliance have not yet achieved certification.
- Assessor growth isn’t enough: While the number of assessors is increasing, demand continues to outpace supply. This trend has now persisted for four consecutive months, pointing to a plateau in assessment volume as early as mid-2026.
- First movers win: Contractors securing assessment slots between now and mid-2026 are positioning themselves ahead of the peak backlog. Waiting to schedule will result in a longer period of contract ineligibility.
New Factors Adding Pressure
On top of these existing bottlenecks, recent CMMC developments could make the situation more challenging:
- Contract requirements arrive this year: The CMMC 48 CFR rule was published on September 10, 2025, with phased rollout beginning November 10, 2025. Contractors may see CMMC Level 2 (C3PAO) requirements in solicitations sooner than expected.
- More companies in scope: The DoD has raised its estimate of organizations pursuing Level 2 compliance to 118,000+, a 47% jump from its original projection.
- Operational risks from government shutdowns: Even short disruptions can trigger furloughs and staff cuts that slow the CCA pipeline, adding yet another layer of uncertainty.
Below is our projected assessment distribution across the phased rollout timeline based on September's updates:
Key Takeaways for Defense Contractors
-
Certification remains rare While September boasted the largest number of new Level 2 certifications in a month (95), the fact remains that just 0.32% of the estimated 118,000 contractors requiring a Level 2 (C3PAO) certification have passed their assessment.
-
Assessor Growth Outpacing Supply The rate of Certified CMMC Assessors (CCAs) is increasing faster than new assessor applications, potentially signaling a plateau in assessment capacity by mid-2026.
-
Early movers have the edge Contractors who proactively pursue certification are best positioned to secure future DoD contracts and expand their role in the defense supply chain.
Resources for Your CMMC Journey
CMMC 2.0's phased rollout will start before the end of the year. When you choose to start your compliance journey will be the biggest factor in winning new contracts or losing out on opportunities.
Check out these resources to guide your CMMC strategy.
Find Your CMMC Readiness Signal
.png?width=1080&height=1080&name=CRQ%20IG%20Story%20(4).png)
Steal Our CMMC Level 2 Strategy
.png?width=1920&height=1080&name=cmmc%20tracker%20page%20timeline%20graphic%20(1).png)
Webinars & Workshops

Tips for Improving Your Competitive Advantage
- Don’t mistake low certification rates as a green light to delay.
- The current low percentage of certified Level 2 companies isn’t a grace period; it’s a warning signal. Many organizations will scramble for certification once Level 2 (C3PAO) becomes a standard contract requirement in November 2026. Getting ahead now ensures you’re not caught in the bottleneck later.
- Target Q3 2026 for your C3PAO assessment.
- If you haven’t scheduled an assessment, aim for mid-2026. C3PAOs are already booking into that window, and competition for assessor availability will intensify. Remediation can take 6-18 months, depending on your environment. Start now: complete your gap assessment, plan your remediation timeline, and begin vetting C3PAOs.
- Bring in a CMMC-savvy partner.
- Achieving compliance requires technical depth and speed. External service providers can augment your IT team, accelerate remediation, and ensure your environment meets CMMC requirements (particularly if you're managing complex or hybrid infrastructures).

Ready to get ahead of the curve?
Start building your compliance plan today and talk to one of our CMMC advisors to map out your next steps.
Request A Discovery CallTracking cmmc compliance
what the latest data reveals
Completed CMMC Assessments
Of the 118,000 contractors estimated to require Level 2 certification, 382 have achieved final or conditional certification, while an additional eight organizations have failed their assessments.
Certified CMMC Assessors (CCAs)
More than 300 of which are also Lead Assessors. Growth in CCAs has been prevalent, with 138 new CCAs being certified in the last three months, compared to just 75 in the previous four.
CUMULATIVE CCA APPLICATIONS
CCA Applications were growing at a steady rate from February to July. However, August and September saw the application growth rate drop in back-to-back months for the first time.
PERCENTAGE TO FULL LEVEL 2 COMPLIANCE
Each month, the Cyber AB releases updates tracking the growth of the CMMC ecosystem, including how many Level 2 organizations seeking certification (OSCs) are successfully completing assessments every quarter. These updates offer critical insight into the readiness of the defense industrial base.
Dig Deeper
Get more insights into CMMC 2.0