Pacific CMMC Intelligence
Issue 002
May 2026

THE NOVEMBER 2026 DEADLINE IS REAL. MOST OF YOUR SUBS DON'T KNOW THAT.

99% of organizations requiring Level 2 C3PAO certification have not completed it. Assessment wait times already stretch past six months. The DOJ recovered $52 million in cybersecurity False Claims Act settlements last fiscal year. Six months of runway remains — and it takes 12 to 18 months to get ready.

Topics: Time-Sensitive | CMMC Phase 2 | FCA Enforcement | C3PAO Capacity | NAVFAC Pacific | Supply Chain Risk

Action required for Pacific primes with CUI-handling subs: If any subcontractor in your supply chain handles Controlled Unclassified Information and does not have a C3PAO-assessed Level 2 certification in place before November 10, 2026, that sub — and potentially your contract — will be ineligible for new awards and option exercises. The window to begin the process is closing now.

Executive Summary

Phase 1 of CMMC has been active since November 10, 2025. Primes and subs across the defense supply chain have been submitting self-assessments to SPRS and attesting to compliance — the honor system, more or less, still applied. Phase 2 ends the honor system. On November 10, 2026, contracting officers begin requiring C3PAO-assessed Level 2 certification for CUI contracts by default. Self-assessment will not count.

The math is stark: an estimated 76,000 organizations need Level 2 certification. As of February 2026, fewer than 1,100 had completed it. C3PAO wait times are already running past six months in major defense hubs. A typical readiness journey runs 12 to 18 months. Organizations that start now are realistically looking at mid-to-late 2027 for certification — well past the Phase 2 deadline. For Pacific primes, this means the sub compliance conversations that were "coming eventually" are already overdue.

WHAT THE DATA ACTUALLY SHOWS

The February 2026 Cyber AB Town Hall released numbers that should concern every prime contractor managing a sub supply chain. The gap between what's required and what's been done is not a minor shortfall — it is nearly total.

99%: of organizations needing Level 2 C3PAO certification have not completed it (Source: Cyber AB Town Hall, Feb 2026)

$52M: recovered by DOJ in cybersecurity False Claims Act settlements last fiscal year (Source: DOJ Civil Division reporting)

6mo+: current C3PAO wait times in major defense hubs — and demand is about to surge (Source: Industry reporting, Q1 2026)

The 1,042 organizations that have completed Level 2 certification as of February 2026 represent approximately 1.4% of the estimated 76,000 that will eventually need it. DoD projections show C3PAO assessment capacity ramping from current levels through 2028 — meaning the assessment bottleneck will persist well into Phase 2 and beyond. Contractors who secure assessment slots now will have a structural advantage over those who wait.

The critical math problem

A typical CMMC Level 2 readiness journey — gap analysis, remediation, documentation, pre-assessment review, and the C3PAO engagement itself — runs 12 to 18 months. From today (May 2026) to the November 10, 2026 Phase 2 deadline is approximately 6 months. Organizations starting now cannot complete the full journey before Phase 2. The question is not "how do I make the deadline" — it is "how do I minimize my exposure while I close the gap."


WHAT CHANGED ON FEBRUARY 1, 2026 — AND WHY IT MATTERS

A regulatory change took effect February 1, 2026 that most Pacific contractors have not registered. DFARS 252.204-7019 was formally deleted. DFARS 252.204-7020 was renumbered to 252.240-7997. The basic self-assessment and SPRS upload requirements under the legacy 7019/7020 framework have been eliminated. All assessment obligations now route exclusively through CMMC under DFARS 252.204-7021.

What this means in practice: if your compliance program is still referencing the old clause numbers — or if your subcontract flow-down language references DFARS 252.204-7019 — those clauses are legally void. Every subcontract where FCI or CUI flows needs to be reviewed against the current 252.204-7021 standard. Boilerplate language copied from pre-February 2026 contracts may not be sufficient.

Action item for primes

Pull your active subcontract templates and any standard flow-down clause language your legal or contracts team uses. If you see references to DFARS 252.204-7019 or 252.204-7020, those clauses are deleted. Update to DFARS 252.204-7021 immediately. If you're unsure whether your current clause language is compliant, this is the specific question to put to counsel now, not at contract renewal time.


THE C3PAO BOTTLENECK IS A PACIFIC PROBLEM

Nationally, the C3PAO capacity problem is significant. In the Pacific, it is acute. The assessment bottleneck that mainland contractors face — limited certified assessors, long wait times, high costs — is compressed by the geography and market size of the Pacific region.

Demand: 76,000 organizations estimated to need Level 2 C3PAO certification across the DIB

Completed (Feb 2026): 1,042 organizations with completed or conditional Level 2 certifications on file

There is currently one C3PAO in the entire Asia-Pacific region — eResilience in Honolulu. There are zero C3PAOs in Guam or CNMI. A Guam-based sub requiring Level 2 certification faces a travel-dependent assessment process with a single regional provider, at a time when that provider's schedule is already pressured by Phase 2 demand across Hawaii.

Assessment costs for small-to-mid-size organizations currently range from low tens of thousands to over $100,000 depending on scope and complexity. For a small trade sub with 10-20 employees, this is a significant capital event — one that cannot be absorbed overnight. Pacific primes who wait until 2027 to start these conversations will find their CUI-handling subs facing both a capacity problem and a cost shock simultaneously.

The Level 1 parallel — and where Pacific primes can move now

The C3PAO bottleneck applies to Level 2 organizations — those handling CUI. Most Pacific trade subs are Level 1 only — they handle FCI but not CUI. Level 1 self-assessment has no C3PAO requirement and no capacity constraint. The window to get your Level 1 subs documented, assessed, and into SPRS before their primes need it is open right now — and it closes the moment Phase 2 demand fully arrives. Level 1 compliance for your trade sub supply chain is achievable in 60 to 90 days with the right program in place.


THE DOJ IS COLLECTING. $52 MILLION LAST FISCAL YEAR.

The False Claims Act enforcement environment around cybersecurity compliance has shifted from theoretical to active. The DOJ's Civil Cyber-Fraud Initiative — launched in 2021 — has now produced significant settlements, and the pattern is consistent: the violation is not a cyberattack. It is a contractor submitting compliance certifications that did not reflect their actual security posture.

Organization (role) | Settlement | Nature of violation
Penn State University (prime / research) | $1.25M | Failed to implement required cybersecurity controls on DoD-funded research systems while certifying compliance. Whistleblower-initiated.
Guidehouse / Nan McKay (sub relationship) | $11.3M | Subcontractor failed to deploy required multi-factor authentication on systems handling government data. Prime bore joint exposure.
Aerojet Rocketdyne (prime / defense) | $9M | Knowingly misrepresented cybersecurity compliance status in SPRS to win DoD contracts. Whistleblower-initiated.
Georgia Tech (prime / research) | Ongoing (est. $220M exposure) | Failed to develop required System Security Plan, did not install required security software on research systems. Active DOJ case as of 2025.

The consistent pattern across every settlement: the violation is a certification, not a breach. Companies are paying not because they were hacked, but because they signed documents certifying compliance when their actual posture did not match. Under the False Claims Act, knowingly false certifications carry penalties of $13,946 to $27,894 per false claim, plus up to three times the contract value.


WHAT THIS MEANS FOR HAWAII, GUAM, AND CNMI PRIMES RIGHT NOW

The NAVFAC Pacific contract vehicles awarded in 2024 and 2025 — $23 billion across Hawaii, Guam, and CNMI — are generating task orders that carry CMMC requirements from day one. Primes performing on those vehicles have an obligation that is active today, not November 2026.

The Level 1 window is still wide open. Most Pacific trade subs — electrical, HVAC, plumbing, welding, roofing, fencing, mechanical — are Level 1 organizations. They handle FCI but not CUI. Their path to compliance is a self-assessment against 15 practices, an SPRS submission, and an annual renewal. No C3PAO. No $50,000 assessment bill. The bottleneck that is swamping Level 2 contractors does not apply to them. What applies to them is a prime contractor who hasn't asked for their score yet — and will.

The Level 2 window is closing. Pacific primes and subs who handle CUI — engineering firms, design-build GCs, specialty contractors working with controlled drawings or technical specifications — need to be in active C3PAO conversations now. The realistic certification timeline from a standing start is 12 to 18 months. From May 2026, that puts full certification at mid-to-late 2027 at best. Conditional certification — available to organizations that meet 88 of 110 controls with a Plan of Action and Milestones for the remainder — may be the only realistic path before Phase 2 for organizations that have not yet started.

The prime's obligation under 32 C.F.R. § 170.23

A prime must verify current SPRS scores for every FCI-handling sub before awarding a subcontract, flow down FAR 52.204-21 in subcontracts via DFARS 252.204-7021, re-verify annually, and document the entire process. An affirming official certifies this posture on every contract signature and invoice submission. A documented, verified sub supply chain is the prime's compliance record — and its FCA defense.


FIVE ACTIONS FOR PACIFIC PRIMES — IN ORDER OF URGENCY

1. Update your subcontract flow-down clauses. DFARS 252.204-7019 was deleted February 1, 2026. Any subcontract template referencing the old clause numbers needs to be updated to DFARS 252.204-7021 immediately. This is a legal exposure that exists right now, independent of Phase 2.

2. Separate your Level 1 and Level 2 sub populations. Identify which subs handle FCI only (Level 1) and which handle CUI (Level 2). These two groups have completely different compliance paths, timelines, and cost profiles. Treating them the same — or failing to identify which is which — is the most common scope error Pacific primes make.

3. Get your Level 1 subs into SPRS now. This is the actionable item that can be completed in the next 60 to 90 days. Level 1 subs need a self-assessment against 15 practices, documented in a System Security Plan, with an SPRS submission and executive affirmation. No C3PAO. No third-party assessment. The window is open. Most of your Level 1 subs have never been asked.

4. Begin C3PAO conversations for your Level 2 subs immediately. If you have subs handling CUI, contact eResilience (the only Asia-Pacific C3PAO) or an authorized mainland C3PAO now to understand current scheduling. Do not wait for a solicitation to force the issue. Assessment slots are limited and the Phase 2 demand surge has already begun.

5. Build the paper trail that constitutes your FCA defense. Every SPRS verification, every flow-down clause confirmation, every sub attestation, every annual re-verification — document it and retain it. The FCA defense is not "we had a compliance program." It is "here is the dated record showing every step we took, in order, with signatures." Build the file as you go. Reconstructing it after an audit notice is impossible.
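The five actions above boil down to a repeatable check the prime can run over its sub roster: flow-down language cites the current clause, every sub has a dated SPRS verification under 12 months old, and every CUI-handling sub has a C3PAO path before November 10, 2026. The script below is an added example written for this issue, not a PCC tool; the sub names, dates and control counts are constructed, and the 88-of-110 conditional threshold and deleted clause numbers are taken from the text above.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PHASE2_DEADLINE = date(2026, 11, 10)                 # C3PAO Level 2 required by default
DEMO_TODAY = date(2026, 5, 15)                       # constructed "today" for the sample run
DELETED_CLAUSES = re.compile(r"252\.204-70(19|20)\b")  # legacy clauses removed Feb 1, 2026
CURRENT_CLAUSE = "252.204-7021"

@dataclass
class Sub:
    name: str
    handles_cui: bool                 # True -> Level 2, False -> Level 1 (FCI only)
    flowdown_text: str                # clause language in the subcontract on file
    sprs_verified: Optional[date]     # date the prime last verified the sub's SPRS score
    c3pao_status: str = "none"        # "none", "conditional" or "final"
    controls_met: int = 0             # of 110, used only for the conditional-cert check

def audit_sub(sub: Sub, today: date) -> list:
    """Findings for one sub: flow-down clause, SPRS re-verification, C3PAO path."""
    findings = []
    # Action 1: flow-down must not cite the deleted clauses and must cite 7021
    if DELETED_CLAUSES.search(sub.flowdown_text):
        findings.append("flow-down cites deleted DFARS 252.204-7019/7020; update to 252.204-7021")
    elif CURRENT_CLAUSE not in sub.flowdown_text:
        findings.append("flow-down does not reference DFARS 252.204-7021")
    # Actions 3 and 5: SPRS score verified before award and re-verified annually
    if sub.sprs_verified is None:
        findings.append("no SPRS score verification on file")
    elif today - sub.sprs_verified > timedelta(days=365):
        findings.append("SPRS verification older than 12 months; annual re-verification due")
    # Actions 2 and 4: CUI subs need a C3PAO certification path before Phase 2
    if sub.handles_cui and sub.c3pao_status == "none":
        msg = f"Level 2 sub with no C3PAO certification; {(PHASE2_DEADLINE - today).days} days to Phase 2"
        if sub.controls_met >= 88:
            msg += " (88+ controls met: conditional certification with a POA&M is possible)"
        findings.append(msg)
    return findings

def audit_supply_chain(subs: list, today: date) -> dict:
    return {s.name: audit_sub(s, today) for s in subs}

# Constructed sample roster; none of these are real companies.
SAMPLE_SUBS = [
    Sub("Island HVAC (L1)", False, "Flow-down: DFARS 252.204-7019 applies.", date(2025, 4, 1)),
    Sub("Harbor Design-Build (L2)", True, "Flow-down: DFARS 252.204-7021 applies.", date(2026, 2, 15), "none", 92),
    Sub("Reef Electrical (L1)", False, "Flow-down: DFARS 252.204-7021 applies.", date(2026, 3, 1)),
]

if __name__ == "__main__":
    for name, issues in audit_supply_chain(SAMPLE_SUBS, DEMO_TODAY).items():
        print(name, "->", issues or ["no findings"])
```

Each finding is dated by the `today` argument, so keeping the output of every run is the start of the paper trail action 5 describes.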

PCC MANAGES THIS PROGRAM FOR YOU

Pacific Cyber Compliance gives prime contractors a ready-to-run CMMC Level 1 sub compliance program — onboarding packet, sub tracker, rollout playbook, updated DFARS 252.204-7021 clause language, and annual renewal workflow. Flat fee. Unlimited subs. Pacific-based.