The Three Biggest Takeaways
1. The CMMC program is ahead of schedule. DoD didn’t expect 2,600 Level 2 certifications until end of 2027 — they’re hitting that number by end of 2026. Assessment capacity is also growing faster than demand, making the “not enough assessors” narrative essentially a non-issue.
2. The False Claims Act pipeline is a mystery. Everyone in the know says there are 100+ cases in the queue, but zero settlements have dropped in 2026. DOJ staffing cuts are likely a factor. This one still has time to correct itself before year-end.
3. Rulemaking is the wild card. Both the FAR CUI rule and CMMC 3.0 proposed rule are written and waiting — they just haven’t moved. Until CMMC 3.0 is finalized, contractors stay on NIST 800-171 Rev 2, which actually gives them more time to prepare.
Back in January, we made seven predictions about where the CMMC ecosystem would be by the end of 2026. Now that we’re halfway through the year, we’re checking the scoreboard.
In this episode:
• Level 2 certification growth
• False Claims Act enforcement trends
• Funding and compliance assistance programs
• The FAR CUI rule
• CMMC 3.0 and NIST SP 800-171 Rev. 3
• Early Level 3 activity
• What the GAO report actually found
Some predictions are looking strong. Others are too close to call. And at least one is trending in the wrong direction. Here’s our mid-year reality check on CMMC in 2026.
Transcript
CMMC Predictions Midyear Review — June 2026
Jacob: All right, folks. It is June of 2026 — halfway through the year. Back in January, we made some predictions about what we would see across the CMMC ecosystem by the end of the year, and it’s looking pretty good so far. That’s what we’re going to talk about today.
Jason, 60-70% of the time, we are correct 100% of the time when it comes to these predictions. We’ve done pretty well in the past, and this is going to be our first midyear review so that our holiday edition prediction review doesn’t take forever.
Jason: Yeah, Jacob. I’ve been up in the gym working on my fitness, and one thing that’s really been troubling me — a couple problem pounds I just can’t seem to shed. But after looking at our predictions halfway through the year, I think it’s a golden horseshoe I can’t seem to find when I step on the scale. Help me find it, Jacob.
Jacob: Okay. For everybody who got the reference — don’t give us a copyright strike. All right, let’s jump right into it. We’ve got seven predictions for what we thought we’d see across the ecosystem.
Prediction 1: 1,000+ CMMC Level 2 Certifications by March
Jacob: First prediction: 1,000 CMMC Level 2 certifications by March of 2026, and 2,500 by the end of 2026. Jason, back in January you were a little skeptical about this one. I was not. At least 1,000 Level 2 certifications by the end of March — that ended up being correct. There were 1,113 Level 2 certifications by the end of March. We also predicted 2,500 Level 2 certifications by end of year, and that’s currently trending correct — we’re on pace for about 2,600.
Remember, based on the estimates in the original CMMC rule, DoD did not expect to hit 2,600 Level 2 certifications until the end of 2027. We are literally years ahead of schedule. I’d call this a win.
Jason: Yeah, and I’ll give you another win — you managed to slide in my skepticism before you even threw those numbers out there. Appreciate the solidarity, brothers united. I was skeptical because whenever something can go wrong with CMMC, it seems like we hit a road bump. With the way things were trending at the time, I thought maybe a slowdown was coming. I’m so happy I was wrong.
Last month the town hall reported the largest increase in certifications in at least the past six months — the largest output since we made this prediction. It’s going in the right direction, and it has to go that direction. It kind of sets the tone for some of the other predictions too.
Prediction 2: 12+ False Claims Act Settlements (So Far)
Jacob: Let’s get into the second one. This one isn’t looking so great, though it’s tough to tell. Prediction number two: at least 12 False Claims Act settlements against defense contractors for cybersecurity non-compliance issues, with a majority carrying seven-figure penalties. That was the trend at the end of 2025, but we’re currently trending towards being incorrect — there have been zero FCA settlements so far in 2026.
That’s extremely puzzling, because anyone you talk to in the know says there are a ton of FCA whistleblower lawsuits in the queue — a hundred or more. It’s not hard to hear about cases that are still under seal. There’s a ton of noise, a ton of smoke, clearly a lot in process — but none of the settlements have come out.
In general, white-collar crime enforcement is down across the board. DOJ staffing has taken a massive hit, so that may be slowing things down on top of an already slow process. On the other hand, cyber FCA settlements take years to work through. Several could all drop within a couple weeks of each other after being in process for the last two years. There’s still time, but as of right now, there are none.
Jason: If we’re going to be wrong about one prediction, I’m okay with it being this one — the one where people are technically lying to the government about being compliant. If I’m wrong, I want to be wrong for the right reasons. And like you said, last year when we saw FCA cases come out, they didn’t trickle out — they clustered. We’d see one, then another, then another, popping out like dandelions. I don’t know if that’s what’s coming, or if there are unsubstantiated claims not moving forward.
Jacob: I definitely don’t think the lack of settlements is due to a lack of cases that could be settled. I think there’s probably some systemic issue at play.
Jason: That’s why I said wrong for the right reasons.
Jacob: Yeah. We’ll have to see. As of June, not looking great on this prediction — but there’s still time. We’ll know more by December.
Prediction 3: No Major CMMC Funding Appropriations
Jacob: Prediction number three: there will be no major funding appropriations for CMMC or DFARS 7012 compliance — no large federal program to offset the cost of compliance. No Brinks truck full of cash backing up to small businesses saying “here’s money for cybersecurity.” This is trending correct. There is zero effort, zero legislation, zero momentum around anyone getting money for these costs.
However, the ENCODE program has been funded. Summit 7 was one of the awardees and will help provide free enclave environments to very small companies dealing with DFARS 7012 and CMMC. We put out a blog about it — check the link in the show notes. It’s something, but it isn’t exactly a lot of money for everybody. It is a great solution for the people it works for.
Jason: It’s not “here’s a check to help you get compliant.” Instead, it’s “here’s a lease on your future as a contractor — here’s your compliant enclave environment, set up and paid for.” I think that’s a much better trade-off than just handing someone a check. For organizations that are struggling with the CMMC implementation, the ENCODE program is going to directly benefit them.
Jacob: As of June, I’d say this one is trending correct. No money, but there are programs to help offset costs. I don’t see anyone writing checks to the DIB, and they don’t redo budgets mid-year anyway, so we’re probably going to be correct on this one.
Prediction 4: FAR CUI Final Rule Published and Effective in 2026
Jacob: Prediction number four: the FAR CUI final rule will be published and go into effect before the end of 2026. Come on, GSA. Come on, FAR Council. It’s the 10-year anniversary of when we were supposed to have this rule — we were expecting it back in 2016. It’s caused untold problems for the CUI program and programs like CMMC that depend on it for a decade.
We predicted the FAR CUI final rule would move from proposed to final and go into effect. As of right now — too soon to tell. Rulemaking processes don’t telegraph progress until rules actually come out. We got spoiled by DoD’s CMMC rulemaking era where they’d just tell you what was going on, even when they weren’t supposed to.
The big complication is the revolutionary FAR overhaul — they’re overhauling the entire FAR and all its supplements and pushing it all through rulemaking at once. Until that’s done, individual changes probably won’t happen. But there’s still time for the FAR CUI final rule to pop out before year’s end.
Jason: Is this the one that stings you the most?
Jacob: It’s my white whale. But it’s not like there aren’t signs. We’ve seen traces. The FAR overhaul — isn’t that one of the precursor steps that has to happen first?
Jason: Theoretically, yes. They’re probably not going to update the FAR in the middle of a FAR overhaul — they’ll change it after. So there’s still time, but we’ll have to see.
Jacob: The writing on the wall says it’s happening. But is it happening on a human timeline or a geological timeline? Nobody knows. I’m hopeful, because the standard form that would clearly indicate whether a contract involves CUI is going to make everyone’s lives a lot easier. Keep your fingers crossed.
Prediction 5: CMMC 3.0 Proposed Rule Published Before Halloween
Jacob: Prediction number five: the CMMC 3.0 proposed rule will be published before Halloween. The prediction was that the proposed rule to update the 32 CFR CMMC regulation — what everyone calls CMMC 2.0 — up to CMMC 3.0, incorporating NIST SP 800-171 Revision 3 and new DoD organizationally defined parameters, would be published before Halloween.
That is still pending. The internal DoD rulemaking process has been executed. Through the grapevine, we know that everyone is standing around waiting to send this rule out for interagency review. There have been leadership changes, people want to make their mark on new programs, things pile up — and as of June, I haven’t heard any progress. It still could happen. A lot of rulemaking stuff drops right around Thanksgiving to New Year’s, so it’s possible before year’s end. Before Halloween? I don’t know.
Jason: Look, I’m going on vacation in late August and late September — just putting that out there as a factor. I’m going to start worrying about this prediction around that time, and not just because of the vacation. That marks the end of the government fiscal year, and that’s usually when we see pushes to get things out the door. Will that happen here? I don’t know. The writing’s on the wall — are they reading it?
Jacob: Yeah. The FAR CUI proposed rule exists, the comment period is done. The CMMC 3.0 proposed rule is done and waiting for interagency review. What are we waiting for? This is just how rulemaking goes, which is what makes predictions so fun.
Too soon to tell on Halloween, too soon to tell on year’s end. But the real takeaway — and we get this question all the time — is that 800-171 Revision 3 won’t be a requirement until CMMC 3.0 is final and in effect. The longer this takes, the more time people have to prepare. So additional time on 800-171 Rev 2 isn’t the worst thing in the world.
Jason: I don’t disagree with you.
Prediction 6: Level 3 Requirements Appear in Solicitations Ahead of Schedule
Jacob: Prediction number six: at least one solicitation will include CMMC Level 3 requirements ahead of the formal phased rollout schedule. We were correct. We’ve seen them. Several clients have been told directly by their customers that Level 3 will be required. Level 3 assessments conducted by DoD’s DIBCAC team are still technically in pilot mode, but they’ve asked people to sign up for the assessment queue — so that process is executing and the queue is forming. Whether anyone gets Level 3 certified before the formal Level 3 phase rollout, I’m not sure, but the requirement is out there. I’ll call this one correct.
Jason: Again, we read the writing on the wall. We were seeing preemptive preparation and discussions where people were saying, “We’re getting ready so we can achieve Level 3 as soon as it’s available.” There are people chomping at the bit to get assessed for Level 3, and some of them are in charge of major supply chains.
Prediction 7: GAO Report Shows No Major Issues with CMMC
Jacob: Last prediction from January: the GAO report would show no major issues with CMMC — a big nothing burger. We were right. There were no major findings that would derail, stop, or fundamentally revise the program. We did a full episode on it — link below.
DoD scored a 95% when you tally up all the criteria they were evaluated on for their CMMC strategy efforts. The Cyber AB was all clear. The DoD CMMC Program Office has created training for the broader contracting workforce — so at this point it’s largely out of their hands and up to other parts of DoD to pick it up and run with it. That nuance didn’t get enough attention after the report came out.
GAO did have to come up with something, and in my opinion they kind of made it up. They said DoD doesn’t have a plan in the event there aren’t enough assessors. The LinkedIn hive mind and the headlines jumped all over that.
Here are the two big problems with that finding. First, DoD does have a plan — that’s what the waivers are for. DoD said that in the report. GAO said “you don’t have a plan,” DoD said “yes we do,” and GAO said “well, that’s not the plan we would have come up with, so we’re calling it a finding.” Read the whole report.
Second, it’s a fictitious scenario. There are way more assessors than there is demand for assessments — there always have been, and that doesn’t look likely to change. As of May 2026, ecosystem capacity is 395 assessments per month, or over 4,700 per year, and that’s with only half the qualified assessor pool working at two assessments per month. By end of 2026, capacity is projected to grow to 566 assessments per month. We’ve never come anywhere close to that level of demand, because contractors aren’t ready for their assessments — which is exactly why CMMC was created in the first place. Big nothing burger. We were right.
Jason: I’ve resigned myself to the stance that until we can show there are 80,000 organizations being assessed every single day, someone is going to chirp that it’s not enough. But 95% is 95%. The numbers show that the assessor shortage concern doesn’t need to be addressed because it doesn’t exist. And nobody’s talking about the fact that we’re on trend to hit as many Level 2 assessments at the end of year one as DoD thought they’d hit by year two. Nobody wants to give them their flowers. The program is a massive success halfway through 2026, halfway through phase one — and that’s just what the data shows.
Jacob: A little more data to back that up: last month saw the largest quantifiable growth in the assessor pool since the current iteration of the CMMC program. The rate of assessment capacity is growing faster than demand for Level 2 assessments, and it doesn’t look like that’s going to change anytime soon.
Wrapping Up + One We Didn’t See Coming
Jacob: So that’s the midyear update on our January predictions. One thing we didn’t see coming — honestly, because I thought it was dead — is the CIRCIA rule. We just did an episode on that. Town halls where CISA wants feedback from the DIB are coming up soon, so get smart on what that rule means. It’s a big deal for defense contractors, and CISA wants to hear from you. That one came out of left field.
Check out that episode, like and subscribe, and we’ll see you next week.
Jason: See you next week.
