CMMC Has Launched, Leaving a Resource Shortage in Its Wake: Are CPAs Positioned to Fill the Readiness Gap?

Jun 19, 2026

Author: Jeffrey Lemmermann

CPA, CISA, CITP, CEH - Sr. Information Assurance Consultant

For many companies, especially manufacturers, fabricators and/or specialty suppliers, the expanding radius of the efforts to secure the U.S. defense industrial base will reach their doorstep this year. If you are a Department of Defense contractor, subcontractor or supplier, regardless of size, and you handle, store or transmit controlled unclassified information or federal contract information, then you are in this radius. Suddenly, cybersecurity is no longer something you know you should prioritize; it’s now a condition for doing business.

The Cybersecurity Maturity Model Certification program, which has been stewing since 2020 when CMMC 1.0 was released for public comment, is finally becoming an actionable reality in 2026 as CMMC Final Rule (32 CFR). The challenge for many defense suppliers won’t be understanding that they must comply; it will be finding qualified help to get there.


What organizations should expect in 2026

CMMC requirements are rolling out in phases. The CMMC “program rule” establishes the framework and a four-phase implementation approach. This officially began on November 10, 2025, when the DoD acquisition rule became effective. The acquisition rule is the mechanism that puts CMMC requirements into solicitations and awards.

For 2026 specifically, Phase 1 (scheduled for Nov. 10, 2025 – Nov. 9, 2026) focuses primarily on CMMC Level 1 and Level 2 self-assessments, including the required affirmations submitted through the Supplier Performance Risk System.

In plain terms, that will require many contractors to spend time now to determine what systems are in scope, create needed documentation and assemble evidence so that self-assessments are accurate and defensible.

Some will be doing it with the specter of more onerous requirements ahead. In Phase 2, beginning November 10, 2026, DoD intends to require a CMMC status of Level 2 for applicable solicitations and contracts as a condition of contract award (with limited discretion to delay to an option period). That’s when a third-party assessment becomes mandatory, and third-party certification capacity becomes an issue.


The capacity problem: Who is qualified to help?

At the certification end of the market, CMMC Level 2 certifications must be performed within the authorized assessment ecosystem. This consists of CMMC Certified Third-Party Assessor Organizations and qualified assessors. DoD has been clear that it cannot assess the 220,000+ companies in the defense industrial base with government resources alone and therefore relies on the ecosystem and a phased approach. The phased rollout helps, but it doesn’t eliminate the bottleneck — especially when more contracts begin requiring third-party certification.

The rules for certification are intentionally narrow on who can certify. Official Level 2 certification assessments must be performed by authorized C3PAOs using The Cyber AB-recognized assessors. Independence is also a factor: People who helped implement CMMC for a company can’t later assess that same company. This is a familiar restriction for many CPA firms.

That’s why many organizations will pursue a two-step approach:

  1. Readiness and remediation now, and
  2. Certification later, when contract language requires it

This is where CPA firms, especially those already doing System & Organization Controls readiness, cybersecurity risk work or IT audit, can provide real value.


What CPA firms can do today

Think of CMMC readiness like preparing a client for a financial statement audit: Success depends on scope clarity, control design, consistent operation and evidence that holds up under review. In 2026, CPA firms can realistically offer several engagement types:

1) CMMC scoping and data flow analysis
Help clients determine what’s in scope for FCI vs. CUI; where that data lives; and which systems, vendors and processes touch it. Scoping mistakes can lead to overspending upfront or to failing a third-party assessment later.

2) Gap assessments and remediation road maps
Map current practices to the applicable requirements and produce a prioritized plan tied to owners, timing and budget. This is “audit brain” work: Define what “meets” looks like and then test against it.

3) Evidence readiness (“audit-quality” documentation)
Many organizations can do the right thing but can’t prove they do it. A readiness assessment serves as an audit test-run: It identifies the artifacts an assessor will expect (policies, procedures, logs, tickets, configurations and review sign-offs) and helps the organization design how those artifacts are produced and collected so they are available when the assessment comes.

4) Governance and management reporting
Translate technical gaps into business risk, track remediation and produce reporting that leadership can use. This is an area where CPAs often have a credibility advantage.

Importantly, these are advisory/readiness services that don’t require a CPA firm to become a C3PAO. If a firm wants stronger market signaling and a more formal place in the CMMC ecosystem, there are two credentialing pathways worth understanding: RP/RPO and CCP. All CMMC certification programs are run by The Cyber AB, which is the official accreditation body for the CMMC program.


Pathway 1: RP/RPO – Implementation Consulting

Registered Practitioner and Registered Practitioner Organization designations are aimed at implementation support — helping organizations interpret and implement CMMC before they face assessment.

Registered Practitioner
The Cyber AB outlines an RP process that includes:

  • registration and authorization,
  • a background check,
  • completion of The Cyber AB training and passing course exams, and
  • signing a code of professional conduct and an RP agreement.

At a planning level, the timing and cost are roughly three weeks (including the background check), a $600 fee covering application, training and testing, and a $500 annual renewal per person.


Registered Practitioner Organization
At the firm level, an RPO must:

  • register and complete an organizational background check,
  • associate at least one RP, and
  • sign required agreements and professional conduct requirements.

The RPO fee is $6,000 ($5,000 annual renewal), and the process takes a similar three weeks.

Why RP/RPO fits many CPA firms
RP/RPO is a practical way to build a readiness offering. It doesn’t turn a CPA firm into a certifier, but it does provide structured training, a recognized designation and clearer positioning when clients ask, “Have you done this before?”


Pathway 2: CCP – Assessment Ecosystem On-ramp

The Certified CMMC Professional track sits closer to the assessment ecosystem. It’s also the prerequisite step before pursuing Certified CMMC Assessor.

The CCP pathway includes application steps (including agreeing to professional conduct requirements and agreements), completing training through an approved provider and passing the CCP exam. The Cyber AB’s CCP exam information also outlines common fee components, such as a $200 CCP fee and a $275 exam fee. The Cyber AB materials further reference the need for a DoD Tier 3 determination as part of the assessor pathway requirements.


Why CCP might matter for CPA firms
CCP can be a strong credibility signal for professionals leading readiness engagements because it demonstrates deeper familiarity with how the CMMC model is interpreted in the assessment world. It also opens a path for firms that later want to support (or partner with) C3PAOs, which recognize CCP as the entry point into that ecosystem.

Whichever path is taken, independence should be considered! If a firm helps a client implement and prepare for CMMC, it must be careful about later taking on an assessment role for that same client. Document roles clearly and plan partnerships accordingly.


A closing thought for Wisconsin CPAs

CMMC is a cybersecurity program, but it behaves like a controls-and-evidence program. This is territory where CPAs already have credibility. In 2026, clients will be under pressure to self-assess correctly, maintain complete and current documentation and produce reliable artifacts that will survive third-party scrutiny when their contracts require it.

The assessor shortage may shape certification schedules, but it won’t slow client anxiety. The firms that can deliver CMMC services as a practical development process without overselling “certification” will be the ones clients remember when the next DoD solicitation lands.


Jeffrey T. Lemmermann, CPA, CISA, CITP, CEH, is a senior information assurance auditor and consultant at SynerComm Inc. in Brookfield. He has been working in cybersecurity for over 30 years, leading assessments, tabletop exercises and information security program development engagements across many industries. Contact him at 262-373-7100 or [email protected].