
Is Your Supply Chain Ready for CMMC Level 2?

How are your suppliers progressing toward CMMC Level 2 certification? If you're a DIB organization, the answer will affect your eligibility for contract award.

On November 10, 2025, compliance with CMMC became a legal requirement in Department of War (formerly named Department of Defense) contracts. The rollout will follow four phases, each lasting one year.

During Phase 1 (until November 2026), DIB contractors handling Federal Contract Information (FCI) or non-critical Controlled Unclassified Information (CUI) must demonstrate compliance through Level 1 and Level 2 self-assessments.

Phase 2 (beginning November 2026) will introduce audits by Certified Third-Party Assessment Organizations (C3PAOs) for contracts involving critical CUI. However, the Department of War may require third-party certifications even during Phase 1.

With this level of discretion, it’s crucial for organizations handling CUI to complete certification as promptly as possible, before the first contracts with the Level 2 clause are awarded. Judging from the current pace, this may not always be possible. As of late October 2025, 431 CMMC Level 2 certifications had been issued, a small fraction of the approximately 80,000 organizations the Department of War estimates will ultimately need it.

The limited availability of C3PAOs is also likely to create bottlenecks. As of late November 2025, there were only 88 C3PAOs, with 537 applications pending processing by the Cyber AB.

Preparing your supply chain for CMMC requirements

Even if you have already secured your CMMC Level 2 third-party certification, there is a risk that some of your subcontractors that process, store, or transmit CUI won’t obtain their certification in time for contract award. This could ultimately make your organization ineligible as well.

To minimize this risk, it’s best to be proactive and assess where your suppliers are in their CMMC journey. Here are the steps you can take:

  1. Start looking for alternatives. Although replacing an established supplier should be the last resort, start early in identifying which components and services have Level 2 certified contractors available.
  2. Identify which subcontractors handle CUI or FCI.
  3. Make expectations clear by flowing down CMMC requirements.
  4. Evaluate the likelihood of success:
    • If they have already implemented NIST 800-171 (the foundation of CMMC), they are more likely to achieve Level 2 in a reasonable time.
    • If they have not implemented NIST 800-171 before and are small or micro businesses with limited resources, they are at high risk of not achieving CMMC certification.

After identifying which critical suppliers are at risk, you have three strategic options:

  1. Limit CUI scope: Do they truly need CUI access? If possible, restructure the work so they don't handle CUI (which eliminates the Level 2 requirement) or so they handle only CUI that is not deemed critical to national security (which requires a self-assessment instead of a third-party assessment).
  2. Put them in touch with NSF: As a C3PAO, NSF provides training on CMMC requirements and mock assessments to identify gaps and prevent false starts.
  3. Replace them: This could be the right option when a critical supplier is unlikely to complete CMMC on time and certified alternatives exist. Just be aware that, in a scenario where only a few CMMC-certified contractors are available, these may be able to command premium pricing.

Getting support for your supply chain strategy

Surveying and monitoring suppliers, whether a hundred or several thousand, can be complex. NSF can help organizations seeking certification (OSCs) manage this through TraQtion®, our cloud-based solution for supply chain management and collaboration. We're currently helping a major DIB contractor survey over 6,000 suppliers, collect their responses on certification status, and gain visibility into where each supplier stands in its CMMC journey. TraQtion® is modular and scales with the size of your supplier base, making it practical even for organizations with a much smaller supplier base.

As a C3PAO, we provide additional services to accelerate CMMC readiness:

  • Mock assessments to identify gaps before formal assessment.
  • Guidance on flowing down requirements and assessing risk.
  • Webinars and training on CMMC requirements.
