More defense companies are obtaining and announcing CMMC Level 2 certification to satisfy new government information sharing requirements. (Image: Dmitry/Adobe Stock)

Defense manufacturers, engineering services providers, and suppliers are increasingly completing the requirements to achieve Cybersecurity Maturity Model Certification (CMMC) Level 2, as the Department of War (DoW) continues a three-year rollout that will embed new information security requirements into defense contract awards.

The final DFARS rule implementing CMMC was published on September 10, 2025, and took effect on November 10, 2025, officially starting the three-year phase-in. During this period, DoW will begin including CMMC Level 1 and Level 2 requirements in new solicitations and contracts, prime contractors will flow those requirements down to their subcontractors, and companies subject to a self-assessment requirement will have to conduct the assessment and submit the results in the DoW’s Supplier Performance Risk System (SPRS).

DoW’s CMMC 2.0 resources emphasize that the contract-facing rule is implemented through the Defense Federal Acquisition Regulation Supplement (DFARS) in Title 48 of the Code of Federal Regulations and is separate from the CMMC program rule in 32 CFR Part 170. The DFARS clauses expected to appear in solicitations and contracts include 252.204-7021 and 252.204-7025, while the existing safeguarding obligations under DFARS 252.204-7012 remain in effect during the phase-in.

The final rule ties contract cybersecurity requirements to Federal Acquisition Regulation (FAR) 52.204-21 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2 (and, for the highest-priority programs, selected requirements from NIST SP 800-172). FAR 52.204-21 specifies the basic safeguarding requirements for Federal Contract Information (FCI) that underpin Level 1, while NIST SP 800-171 Rev. 2 specifies how nonfederal organizations, including defense suppliers and contractors, must protect Controlled Unclassified Information (CUI).

The security requirement families NIST uses to organize SP 800-171. CMMC Level 2 is assessed against the 110 requirements of Rev. 2, which are grouped into 14 families (Rev. 3 expands the set to 17). (Image: NIST)

DoW, like other federal agencies, defines CUI as information that requires safeguarding or dissemination controls pursuant to law, regulation, or governmentwide policy. CUI can include design files, source code, test results, system vulnerabilities, and other information that is critical to the operation of government platforms and assets. At CMMC Level 2, organizations are assessed against the 110 security requirements in NIST SP 800-171 Rev. 2, which protect the confidentiality of CUI in nonfederal systems.

The requirements cover user access to CUI, mobile device use, information flow enforcement, remote access, and the use of external systems, among other controls, and are aimed at helping organizations understand how to collect, store, transmit, and protect CUI from cyberattacks. The publication also defines which systems the requirements apply to.

“When used in the context of the requirements in Sec. 3, the term system is defined to be nonfederal systems or system components that process, store, or transmit CUI or that provide protection for such systems or components. Not all security requirements mention CUI explicitly,” the NIST document notes. “However, the requirements are included because they directly affect the protection of CUI during processing, while in storage, and when in transmission between different locations. Some systems, including specialized systems (e.g., industrial/process control systems, medical devices, computer numerical control machines), may have limitations on the application of certain security requirements.”

The number of defense companies obtaining CMMC Level 2 certifications has surged in recent months following publication of the final rule in September. Exostar, Palantir Technologies, Peraton, Element U.S. Space & Defense, and Dewetron are among the companies that have announced new CMMC Level 2 certifications.

“Achieving CMMC Level 2 certification is a significant accomplishment for our organization and an important assurance for our customers,” said John Radman, Chief Administrative Officer at Element U.S. Space & Defense. “It confirms that we have the people, processes, and technologies in place to protect CUI and to meet the DoW’s most stringent cybersecurity expectations.”

Companies achieve certification by completing an assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). DoW guidance for achieving CMMC Level 2 notes that assessments include examining evidence, interviewing personnel, and testing security controls to determine the extent to which an organization can produce the outcomes required by NIST SP 800-171 Rev. 2. Element, for example, achieved its CMMC Level 2 certification through the C3PAO Forvis Mazars.

Machina Labs also became one of the first advanced manufacturing and robotics companies to achieve CMMC Level 2 earlier this year.

“Achieving CMMC Level 2 is an important validation for Machina Labs and a clear signal to our defense partners that we are built to securely support their most demanding programs,” said Edward Mehr, CEO and co-founder of Machina Labs.

ThermOmegaTech, a Pennsylvania-based supplier of thermostatic controls for defense and other applications, is also one of the companies that recently obtained CMMC Level 2 certification. The company produces thermostatic temperature control valves and actuators for military aircraft, uncrewed aerial vehicles, ground support equipment, and tactical vehicles. These valves are used in applications such as thermal bypass, thermal mixing, freeze protection, and fuel cell thermal management, according to the company’s website.

Mark Moore, ThermOmegaTech’s Cyber Security Manager, provided insight into the process the company completed to obtain CMMC Level 2 certification in emailed statements to Aerospace & Defense Technology (A&DT). Instead of relying on outside services, the company built a full IT department to manage the work necessary for certification, Moore said.

"Over about a year and a half, the internal IT team moved every in-scope platform and service either in house or into a FedRAMP Moderate cloud. Each project brought its own challenges, but migrating the productivity tools into a FedRAMP Moderate cloud was the hardest. This transition affected everyone’s daily work and required stronger security measures along with much stricter controls on how information could be shared. In the end, these changes made the company more resilient, reduced risks, and strengthened the company through improved cybersecurity," Moore said.

ThermOmegaTech’s security team used a governance, risk, and compliance (GRC) tool to review the company’s cybersecurity practices for CMMC Level 1 before moving to Level 2 and its full set of 110 requirements. For each requirement, the team reviewed objectives, completed training, and contacted experts to work through challenges to satisfy all 110 requirements prior to completing the official assessment by a C3PAO.

Moore said the company has not experienced major changes in how defense contract requirements are passed down as a result of the rule so far, but expects changes in the near term.

"So far, we have not seen a major change in how these requirements are passed down to us. However, we expect the contract language to shift once CMMC Phase 2 begins later this year," Moore said.

As more companies complete assessments to demonstrate CMMC Level 2 compliance, an “Amazon Web Services Public Sector Blog” post in late April highlighted a common sticking point for organizations pursuing Level 2 on AWS: control ownership. The post notes that while FedRAMP-authorized environments provide a strong foundation, teams still need to clearly define what AWS covers versus what the customer must implement, and be ready to show evidence for each control.

"If your organization handles Controlled Unclassified Information (CUI) and operates on Amazon Web Services (AWS), you’re well positioned to address CMMC Level 2 requirements, but only if you understand the shared responsibility model and how control ownership works in practice," AWS writes in the blog post. "The critical takeaway is that hosting in a Federal Risk and Authorization Management Program (FedRAMP)-authorized environment doesn’t automatically satisfy CMMC requirements. Every control must answer three questions: who implements the control, where it operates, and what evidence proves it."