CMMC Level 2 Is Already Showing Up In DoD Contracts. Are You Ready?

CMMC is no longer “coming soon.”

It is already written into real Department of Defense (DoD) contracts. If your company is not ready for CMMC Level 2, you may already be blocked from bidding on work.

In late 2025, new solicitations started to include CMMC language. Some of them even call out CMMC Level 2 by name. This is a big shift for defense contractors of every size, especially small and mid sized firms that work with primes.

Let’s break down what is happening and what you should do next.

---

CMMC Is No Longer Just Talk

For years, CMMC felt like a future problem. There were drafts, hearings, and lots of talk. Now the rule is final, and DoD buyers can put CMMC into contracts.

A recent CMMC contracts roundup from PreVeil shows that CMMC requirements began appearing in new RFPs and solicitations as soon as the rule took effect in November 2025. Many of those early examples focus on CMMC Level 2 for companies that handle Controlled Unclassified Information (CUI).

In simple terms:

• CMMC is now active in real DoD contracts
• CMMC Level 2 is already being used as a gate for work that touches CUI
• If you are not at least on the path to Level 2, future deals are at risk

---

Real Examples From Navy And Army Corps

Here are a few real world examples that show how fast this is moving:

• Navy sources sought notice
  In mid November, the Navy released a sources sought notice for a GPS related project. The notice said the final contract was expected to require CMMC Level 2 with a third party assessment. Vendors were asked if they already had Level 2 and, if not, how and when they would get it.
• U.S. Army Corps of Engineers (USACE)
  USACE announced that any new solicitations on or after November 10, 2025 would require at least CMMC Basic (Level 1). They clearly stated that companies without the required CMMC level “will not be eligible” for award. In another USACE notice from the San Francisco District, the language was even stronger. It said, “CMMC Level 2 applies to this contract.” That put every bidder on notice that Level 2 was part of the final RFP.
• Early warnings before the rule date
  Even before the rule went live, late October notices from Army Corps offices overseas signaled what was coming. One notice from Japan said they expected all solicitations after November 10 to require at least Level 1. Another power infrastructure RFP stated that DFARS 252.204-7021, the CMMC clause, “will be included in the solicitation as applicable.”

These are not “what if” scenarios. They are real examples that prove CMMC is now baked into DoD buying.

---

Early Adopters Are Already Using CMMC As A Competitive Edge

Some defense suppliers have moved fast and are already certified at CMMC Level 2. For example, W.S. Darley & Co. recently announced that it completed a CMMC Level 2 assessment and pointed out that Level 2 is now required to bid on many U.S. defense contracts.

Early adopters are not treating CMMC as a burden. They are using it as a selling point:

• It proves they can protect CUI
• It removes doubt for contracting officers and primes
• It unlocks access to tenders where CMMC Level 2 is a hard requirement

If you are still in “wait and see” mode, you are now competing against vendors who can say, “We are already Level 2 certified.”

---

What This Means For Small And Mid Sized Contractors

The message is simple and a little harsh:

You must be CMMC ready now, not later.

If a new RFP drops tomorrow that requires CMMC Level 2 (Self), you will need to have:

1. Completed a CMMC Level 2 self assessment
2. Uploaded your score and required statements into SPRS (the Supplier Performance Risk System)
3. A clear plan and timeline to schedule a third party assessment with an approved C3PAO if the contract requires formal certification

Here is what is changing in the buying process:

• Market research is checking CMMC status
  Navy and Army notices are already asking if companies have CMMC and at what level. If you answer “no” with no plan, you may get screened out before the real RFP even comes out.
• Primes will push requirements down to subs
  DFARS 252.204-7021 requires primes to flow CMMC down to their subcontractors when subs handle the same type of information. That means primes may ask you for your SPRS score or proof of Level 2 before they add you to a team.
• “We will figure it out later” is no longer safe
  Waiting until a big opportunity appears is risky. By the time you see “CMMC Level 2 required” in a contract you want, it may be too late to catch up.

---

How To Get CMMC Level 2 Ready Fast

You do not have to be perfect tomorrow, but you do need to be in motion. Here is a simple path to get started.

1. Confirm If You Need Level 2

Ask these questions:

• Do we handle or expect to handle CUI for DoD work?
• Do our primes send us drawings, specs, or data that are marked as CUI?

If the answer is yes, you are in CMMC Level 2 territory.

2. Run An Honest Self Assessment

Use the CMMC Level 2 requirements, which are built on NIST SP 800 171, and score yourself:

• List what you already have in place
• Mark what is missing
• Document everything in a simple System Security Plan (SSP)

Do not guess or sugarcoat. A clean, honest starting point is better than a fake perfect score.

3. Post Your Score To SPRS

DoD buyers will look at your SPRS entry. Make sure you:

• Enter your current score
• Include dates and basic details
• Update it as you close gaps

Even if your score is not perfect yet, having a real number and an active plan looks far better than having no entry at all.

4. Build A Plan For Third Party Certification

You will eventually need a C3PAO to certify you at Level 2 for certain contracts. Start planning now:

• Talk to potential assessment partners
• Ask about timelines and prep work
• Aim for a target date to be “audit ready”

If you go after a contract that needs full Level 2 certification, you do not want to start this process from zero.

5. Use CMMC As A Sales Message

Once you are on the path, use it:

• Tell primes you are working toward CMMC Level 2
• Share your SPRS score when it strengthens your story
• When you achieve Level 2, put it in every proposal and capability statement

Buyers are looking for vendors that reduce risk. Good cyber hygiene does that.

---

Do Not Wait For The Perfect Moment

Many contractors are still in “planning” mode. But the contracts are not waiting. CMMC language is already in RFPs from Navy, USACE, and other agencies. That trend will only grow.

If you wait until a must win contract demands Level 2, you may find:

• You cannot submit a bid in time
• You rush and overspend to catch up
• You lose to a competitor who prepared earlier

The better move is to start now, at a steady pace, with clear steps and simple tools.

---

Get A Head Start With Our Free CMMC Audit Checklist

To make this easier, we put together a CMMC Audit Checklist for Level 2 that breaks the process into practical steps in plain language.

You can use it to:

• See what Level 2 really expects
• Track your current status
• Plan your next 90 days of work

👉 Download the free CMMC Audit Checklist here:
https://scorecard.cmmccompliance.us/download-audit-checklist

CMMC Level 2 is already showing up in DoD contracts. Make sure your company is ready before it appears in the next RFP you care about.