The Clock Is Running
The CMMC final rule took effect on December 16, 2024. Since then, DoD has been phasing in requirements across new contracts. Phase 1 — already active — requires Level 1 self-assessments and Level 2 self-assessments for applicable contracts. But the date that matters most is October 1, 2026, when Phase 2 kicks in and third-party certification by a C3PAO becomes mandatory for Level 2 contracts.
If you handle Controlled Unclassified Information (CUI) and want to keep bidding on DoD work after October, you need a certified assessment — not a self-assessment, not a Plan of Action and Milestones (POA&M), but an actual pass from an accredited assessor.
Seven months is not a lot of time. Here is what the timeline looks like.
CMMC Phased Rollout
| Phase | Start Date | Requirements |
|---|---|---|
| Phase 1 | December 16, 2024 | Level 1 self-assessment; Level 2 self-assessment (where applicable) required in new contracts |
| Phase 2 | October 1, 2026 | Level 2 C3PAO certification required in new contracts handling CUI |
| Phase 3 | October 1, 2027 | Level 2 C3PAO certification required for option periods on existing contracts |
| Phase 4 | October 1, 2028 | Full inclusion of Level 3 (government-led assessment) in applicable contracts |
Phase 2 is the inflection point. It is the first time the DoD requires an external, third-party assessment before contract award. Miss it and you are ineligible for new CUI-handling contracts — period.
Where Manufacturers Actually Get Stuck
CMMC Level 2 maps directly to the 110 controls in NIST SP 800-171 Rev 2. On paper, many defense manufacturers claim partial compliance. In practice, three control families consistently cause the most failures during assessments:
Access Control (AC)
- AC.L2-3.1.3 — Control the flow of CUI in accordance with approved authorizations. This means network segmentation that actually enforces boundaries, not just VLANs on a flat network.
- AC.L2-3.1.5 — Employ the principle of least privilege. In OT environments with shared operator accounts and legacy HMIs, this is rarely implemented.
- AC.L2-3.1.12 — Monitor and control remote access sessions. Remote vendor access to PLCs and SCADA systems is often unmonitored and unlogged.
System and Communications Protection (SC)
- SC.L2-3.13.1 — Monitor, control, and protect communications at the external boundary and key internal boundaries. For manufacturers with IT/OT convergence, the "key internal boundary" between the corporate network and the plant floor is frequently a single firewall rule — or nothing at all.
- SC.L2-3.13.6 — Deny network traffic by default. Most OT networks are configured to allow by default because "that's how they shipped from the integrator."
Audit and Accountability (AU)
- AU.L2-3.3.1 — Create and retain system audit logs. Many industrial control systems either do not generate logs or generate logs that are never collected.
- AU.L2-3.3.2 — Ensure actions of individual users can be traced. Shared accounts on HMIs and engineering workstations make this impossible without additional controls.
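To make the AU.L2-3.3.2 problem concrete, here is an added example (not from the original post) that scans constructed HMI and engineering-workstation logon records and flags any account with sessions open on two hosts at the same time, which is what shared operator credentials look like in the evidence; the log format, host names and account names are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed logon/logoff records in a simple syslog-like shape (not any vendor's real format).
LOG_LINES = """\
2026-05-04T05:58:12Z hmi-line3 session: user=operator host=hmi-line3 event=logon
2026-05-04T06:01:40Z eng-ws01 session: user=operator host=eng-ws01 event=logon
2026-05-04T06:03:05Z eng-ws01 session: user=jsmith host=eng-ws01 event=logon
2026-05-04T13:59:30Z hmi-line3 session: user=operator host=hmi-line3 event=logoff
2026-05-04T14:00:10Z eng-ws01 session: user=operator host=eng-ws01 event=logoff
2026-05-04T14:30:00Z eng-ws01 session: user=jsmith host=eng-ws01 event=logoff
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session: user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>logon|logoff)$"
)

def parse(lines):
    """Yield (timestamp, user, host, event) for every line that matches; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["host"], m["event"]

def shared_account_overlaps(lines):
    """Return {user: [(logon_time, new_host, host_already_open), ...]}.

    One person cannot be at two consoles at once, so an account with sessions
    open on two hosts simultaneously is being shared, and AU.L2-3.3.2 traceability
    of actions to an individual is lost for everything done under that account."""
    open_sessions = defaultdict(dict)   # user -> {host: logon time}
    overlaps = defaultdict(list)
    for ts, user, host, event in sorted(parse(lines)):
        active = open_sessions[user]
        if event == "logon":
            for other_host in active:
                if other_host != host:
                    overlaps[user].append((ts, host, other_host))
            active[host] = ts
        else:
            active.pop(host, None)      # a logoff with no matching logon is ignored
    return dict(overlaps)
```

On the constructed lines, `shared_account_overlaps(LOG_LINES)` reports the `operator` account logging on at eng-ws01 while its hmi-line3 session is still open, and nothing for `jsmith`.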
Why OT Environments Are the Hardest Gap to Close
Most CMMC readiness work focuses on IT systems: endpoints, email, Active Directory, cloud services. These have well-understood solutions. The OT side — PLCs, RTUs, HMIs, SCADA servers, historian databases — is where compliance programs stall.
The reasons are consistent across manufacturers:
- No agent support. Most OT devices cannot run endpoint agents. You cannot install CrowdStrike on a Siemens S7-1200.
- No downtime tolerance. Security controls that require reboots or configuration changes get rejected by operations teams.
- Unsegmented networks. Legacy plant networks were designed for reliability, not isolation. Everything talks to everything.
- No logging infrastructure. Syslog is either not configured or sent to a server nobody monitors.
- Shared credentials. A single operator login is shared across shifts because "the HMI only has one account."
Closing these gaps requires controls that work around legacy equipment rather than on it. Network-level enforcement — segmentation, access control, traffic logging — applied at the boundary of OT zones works because it wraps existing equipment without requiring downtime or agent installs. Many manufacturers are addressing this by building a CUI enclave architecture as an on-premises alternative to GCC High. Zero-trust network appliances (the Trout Access Gate is one) address several controls at once by enforcing least-privilege access between zones and generating the audit trail the AU controls require, all without touching the PLCs.
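As an added example of the boundary-level checks the controls above call for (not part of the original post or of any vendor product), the following linter walks a vendor-neutral rule list for the IT/OT boundary and reports where it falls short of SC.L2-3.13.6 default deny, SC.L2-3.13.1 and AC.L2-3.1.12 single-service allows, and AU.L2-3.3.1 logging; the rule shape, the zone names and both rulesets are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source zone name, or "any"
    dst: str      # destination zone name, or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port, or "any"
    action: str   # "allow" or "deny"; first match wins, as on most firewalls
    log: bool     # whether matches are forwarded to the central log collector

def lint_boundary(rules, ot_zones, remote_zones=frozenset()):
    """Return (control_id, message) findings for allows that cross into OT zones."""
    findings = []
    last = rules[-1] if rules else None
    # SC.L2-3.13.6: deny by default, so the terminal rule must be an explicit any/any deny.
    if not (last and last.action == "deny"
            and (last.src, last.dst, last.proto, last.dport) == ("any",) * 4):
        findings.append(("SC.L2-3.13.6", "ruleset does not end with an explicit any/any deny"))
    for n, r in enumerate(rules, 1):
        into_ot = r.dst in ot_zones or r.dst == "any"
        if r.action != "allow" or not into_ot or r.src in ot_zones:
            continue  # only allows that cross the IT/OT boundary are assessed here
        # A boundary allow should name one approved service; "any" anywhere means a flat network.
        broad = "any" in (r.src, r.proto, r.dport)
        ctrl = "AC.L2-3.1.12" if r.src in remote_zones else "SC.L2-3.13.1"
        if broad:
            findings.append((ctrl, f"rule {n}: {r.src}->{r.dst} {r.proto}/{r.dport} is broader than one approved service"))
        if not r.log:
            findings.append(("AU.L2-3.3.1", f"rule {n}: {r.src}->{r.dst} is allowed without logging"))
    return findings

OT_ZONES = frozenset({"plant"})            # constructed zone names
REMOTE_ZONES = frozenset({"vendor_vpn"})

# Constructed "as shipped from the integrator" ruleset: flat and allow-by-default.
AS_SHIPPED = [
    Rule("corp", "plant", "any", "any", "allow", False),
    Rule("vendor_vpn", "plant", "tcp", "any", "allow", False),
    Rule("any", "any", "any", "any", "allow", False),
]
# Constructed hardened ruleset: one named service per rule, every match logged, explicit final deny.
HARDENED = [
    Rule("corp", "plant", "tcp", "102", "allow", True),             # TCP/102 (S7comm) from engineering hosts only
    Rule("vendor_vpn", "jump_host", "tcp", "3389", "allow", True),  # vendors land on a monitored jump host
    Rule("jump_host", "plant", "tcp", "102", "allow", True),        # the jump host, not the VPN, reaches PLCs
    Rule("any", "any", "any", "any", "deny", True),
]
```

`lint_boundary(AS_SHIPPED, OT_ZONES, REMOTE_ZONES)` returns seven findings, one per control gap in the flat ruleset, while the hardened list returns none.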
A Realistic 7-Month Action Plan
With October 2026 as the target, here is a month-by-month breakdown:
Month 1 (April 2026): Scope and Gap Assessment
- Define your CUI boundary — every system, network, and facility that stores, processes, or transmits CUI
- Complete a gap assessment against all 110 NIST SP 800-171 controls
- Identify every OT system inside the CUI boundary
Month 2 (May 2026): Remediation Planning
- Prioritize gaps by assessment impact — AC, SC, and AU failures are showstoppers
- Develop a remediation plan with specific technical solutions per control
- Begin vendor selection for any tools you need (network segmentation, SIEM, MFA)
Months 3-4 (June-July 2026): Implementation
- Deploy network segmentation between IT and OT zones
- Implement least-privilege access controls on all remote access paths
- Stand up centralized log collection covering both IT and OT assets
- Enforce MFA on all external and privileged access
Month 5 (August 2026): Evidence Collection
- Document every control implementation with screenshots, configurations, and policies
- Verify audit logs are capturing the required events
- Run internal test assessments against the CMMC assessment guide
Month 6 (September 2026): Pre-Assessment
- Engage your C3PAO for the formal assessment (you should have scheduled this in Month 1 — see our post on the C3PAO bottleneck and how to prepare during the wait)
- Conduct a full mock assessment
- Address any remaining findings
Month 7 (October 2026): Assessment
- Complete the C3PAO assessment
- Address any conditional findings within the allowed POA&M window (limited to 20% of objectives)
What Happens If You Are Not Ready
Starting October 2026, if you lack a CMMC Level 2 certification, you cannot be awarded new DoD contracts requiring CUI handling. Primes will not flow down CUI to uncertified subs. Your competitors who are certified will take your contracts.
There is no waiver process. There is no extension. The DoD has been signaling this for five years.
Start your gap assessment this month. Get your C3PAO scheduled now — wait times are already exceeding 12 months. And put your OT environment at the top of the remediation list, because that is where the hardest problems live and where the most time is needed.

