Insights

The State of CMMC Readiness 2026

An intelligence brief from Dragonfli Group.

Check your CMMC score
Stat card: 88 is the SPRS score needed to be conditionally certifiable under CMMC
Stat card: CMMC timeline, Nov 2025 clauses go live, Nov 2026 Level 2 certification can be required
Stat card: the cost of getting CMMC wrong, DoD contract loss and False Claims Act exposure
Stat card: the number you assume and the number you score are rarely the same
Why CMMC Is No Longer Optional

CMMC is no longer coming. It is here. Clauses are entering Department of War solicitations now, and third-party certification phases into awards beginning this fall. Most of the small businesses that make up the defense industrial base cannot tell you their SPRS score, the single number that decides whether they can bid. There is no small-business carve-out: handle Controlled Unclassified Information and you owe all 110 NIST SP 800-171 requirements, the same as a prime. The ones who guess, guess high. On a scale that runs from -203 to 110 and requires 88 to be conditionally certifiable, most are deep in the negatives and do not know it.

Where the Points Actually Go

Access control and passwords are usually fine. Audit logging, FIPS-validated encryption, vulnerability scanning, a written System Security Plan, and security training are where the points are lost, and they are exactly the controls a quick self-rating skips. The clock is real and short. The acquisition rule took effect November 2025. Level 2 C3PAO certification can be required as a condition of award starting November 2026, expanding every year through 2028. Going from a negative score to assessment-ready takes most companies months, not weeks, and assessors are scarce.

The Cost of Getting It Wrong

Getting it wrong is now a legal exposure, not a paperwork one. Under the DOJ Civil Cyber-Fraud Initiative, contractors have settled allegations of certifying cybersecurity compliance they had not met for six and seven figures, including settlements of $8.4 million and $4.6 million, both tied to unmet NIST SP 800-171 controls. The SPRS number you self-report is an attestation. Meanwhile, the market is overpaying for fear. Independent readiness assessments commonly run $10,000 to $20,000 for a static PDF. The C3PAO certification assessment itself typically runs $30,000 to $75,000, and the full first certification cycle frequently runs into six figures. Most of the readiness work does not require any of that to begin.

The Honest Path Out

Find your real number first. The free Pulse Check returns an honest read in about 10 minutes, no card required. Get the full picture. The assessment scores all 110 requirements and produces the SSP and POA&M your assessor will want, reviewed by a Registered Practitioner. Close the gap with a plan, not a panic. The hard families have known, affordable fixes, and the credit applies toward remediation. The companies that win the next three years of defense contracts are the ones getting ready now, quietly, while it is calm and cheap.