What Happens to Your DoD Contract If You Fail CMMC

As of November 10, 2025, CMMC requirements are live in DoD contracts. As of February 2026, only 1,042 out of 76,598 contractors who need Level 2 certification have it. If you’re reading this, you are almost certainly in the 99%.

Most Orange County defense contractors spent years treating CMMC the way they treated every other compliance requirement that kept getting delayed: as something to deal with later.

Later is here.

The US Department of Defense issued its final rule implementing the Cybersecurity Maturity Model Certification program, effective November 10, 2025. CMMC requirements are now being written directly into DoD contracts and solicitations. Starting November 10, 2025, DoD contracting officers are required to include CMMC — at a level dictated by the DoD program office — in solicitations and contracts. No CMMC status in SPRS, no award.

That last sentence is worth reading again. Not “limited contract eligibility.” Not “reduced scoring.” No award.

And Phase 2 — the deadline that eliminates self-assessment entirely and requires mandatory third-party C3PAO certification for all contracts involving Controlled Unclassified Information — goes live November 10, 2026. That is seven months from today.

As of February 2026, only about 1,042 organizations out of 76,598 that need certification have completed it. C3PAO wait times are already stretching past six months.

If you are a defense contractor in Orange County, Los Angeles, or San Diego handling CUI and you have not started your CMMC compliance process — you are not behind. You are in danger of losing your contracts.

What Actually Happens to Your DoD Contract When You Fail a CMMC Assessment

This is the part most articles skip. Not what CMMC requires — but what specifically happens to your business, your contracts, and your revenue when you don’t pass.

Step 1: You Cannot Be Awarded a New Contract

Contractors must have a current CMMC status posted in SPRS at the CMMC Level required by the solicitation to be eligible for award. No CMMC status in SPRS, no award.

This applies to new contracts, new task orders under existing contracts, and recompetes. If your CMMC status isn’t current and at the required level when a solicitation closes, you are ineligible. It doesn’t matter how long you’ve held the relationship. It doesn’t matter what your past performance record looks like. If your certification isn’t there, the contract goes to someone who has it.

Step 2: You Cannot Exercise Option Periods

Contractors must have a current CMMC status posted in SPRS at the required level before the contracting officer can exercise an option or extend the period of performance. This means existing contracts aren’t safe either. When your current contract comes up for an option period renewal, the contracting officer checks your SPRS. If your CMMC status isn’t current — the option doesn’t get exercised. Your existing revenue disappears.

Step 3: Your Prime Contractor Starts Asking Questions

CMMC requirements flow down through the supply chain. Prime contractors are required to ensure their subcontractors meet CMMC requirements. When Phase 2 hits in November 2026, primes will be auditing their subcontractor lists. If you’re a subcontractor on a prime’s program and you don’t have your certification, you become a liability to them. They will find a compliant replacement rather than risk their own contract eligibility.

Step 4: The False Claims Act Clock Starts Ticking

This is the consequence most OC contractors aren’t thinking about — and should be.

The Department of Justice recovered $52 million across nine cybersecurity-related False Claims Act settlements in fiscal year 2025 alone. That figure has more than tripled in each of the past two years.

If your SPRS score is inaccurate — if you attested to a compliance level you haven’t actually achieved — the DOJ considers that a material misrepresentation on a government contract. The False Claims Act imposes penalties of three times the value of the contract plus up to $27,000 per false claim. A $2M contract with an inflated SPRS score isn’t a compliance problem. It’s a $6M+ legal problem.

In January 2026, Deputy Assistant Attorney General Brenna Jenny made it clear at the ACI False Claims Act Forum: cybersecurity enforcement cases are “not about data breaches” — they’re “premised on misrepresentations.”

Step 5: A Conditional Pass Gives You 180 Days — Not Forever

If you undergo a C3PAO assessment and receive a conditional result — meaning you passed most controls but have open items in your Plan of Action and Milestones (POA&M) — companies may resolve conditional CMMC status within 180 days by closing out any outstanding items. 180 days sounds like breathing room. It isn’t. Every open POA&M item must be fully remediated, documented, and verified within that window. If it isn’t, your conditional status expires — and you’re back to Step 1.

What This Means for Orange County and SoCal Defense Contractors Right Now

The OC and LA defense supply chain is one of the densest in the country. Aerospace manufacturers in Anaheim. Electronics suppliers in Fullerton. Naval supply chain vendors supporting San Diego programs. Engineering firms in the Irvine Spectrum working DoD contracts two and three tiers removed from prime contractors.

Almost all of them handle CUI. Almost all of them need Level 2 certification. Almost none of them have it.

Here’s the specific math that should get your attention: achieving CMMC Level 2 requires implementing all 110 NIST 800-171 security controls, building a complete System Security Plan, maintaining a current POA&M, scoring accurately in SPRS, and then passing a C3PAO third-party assessment.

The average SPRS score across the Defense Industrial Base remains at just 60 — far below the required 110. Fewer than 50% have completed foundational documentation like an SSP or POA&M or implemented all NIST 800-171 requirements.

C3PAO assessments take time to schedule. The organizations certified to conduct Level 2 assessments have limited capacity. Wait times are stretching past six months. That means if you start today — April 2026 — and you have significant gaps in your environment, you may not be assessed until after Phase 2’s November 10 deadline.

The window is closing. For some OC contractors, it may already be too narrow to make it before Phase 2 without prioritized, focused remediation starting immediately.

What It Looks Like When a Contractor Waits Too Long

A 35-person aerospace component supplier in Anaheim. DoD subcontractor for 11 years. Clean past performance. Solid relationships up the supply chain.

Their prime sends a compliance questionnaire in August 2026 — three months before Phase 2. The questionnaire asks for their CMMC Level 2 certification status. They don’t have one. They have a self-assessment submitted in SPRS from 2024 with a score of 68. They’ve been meaning to get to the gap remediation. It kept getting deprioritized.

The prime responds: certification required before November 10, 2026. No certification, no inclusion on the next task order.

They call three C3PAOs. The earliest available assessment slot is December 2026 — six weeks after the deadline. Even if they pass, the task order will have already been awarded to a certified competitor.

They begin emergency remediation. There are 22 open controls, incomplete documentation across multiple domains, and an SSP that was written in 2023 and never updated. The realistic timeline to close everything and pass an assessment: four to five months.

November 10, 2026 arrives. They miss it.

The task order goes elsewhere. The prime relationship — eleven years of it — is suspended pending certification. First quarter 2027 revenue takes a $1.2M hit.

All of it was preventable. The gap assessment that would have identified the 22 open controls could have been done in 2025. The remediation could have been underway all year. The certification could have been complete before Phase 2.

This scenario is representative of patterns Intelecis sees regularly across the SoCal defense supply chain.

“CMMC isn’t a cybersecurity problem you can solve after the contract is awarded. By then, the contract went to someone who already solved it.”

What OC Defense Contractors Must Do in the Next 90 Days

• Get a gap assessment — now, not after your next contract bid. A CMMC gap assessment identifies every missing control, every documentation gap, and every POA&M item in your environment. Most contractors who haven’t done one are significantly more exposed than they realize.
• Get your real SPRS score — not a hopeful one. Your SPRS score is a self-reported number that reflects your actual implementation of all 110 NIST 800-171 controls. An inflated SPRS score is the specific scenario the DOJ is now prosecuting.
• Start remediation on your longest-lead controls immediately. Some controls can be implemented quickly. Others — network architecture changes, policy documentation, staff training programs — take months. The controls that take longest need to start first.
• Book your C3PAO slot before you think you need it. Assessment slots are booking out past six months. You don’t book a slot when you’re ready — you book it now and get ready in time for it. If you wait until remediation is complete to start looking for an assessor, you’ve already missed Phase 2.
• Brief your prime contractors on your timeline. If you’re a subcontractor, your prime needs to know you’re pursuing certification and when you expect to have it. Proactive communication preserves relationships. Silence until after a deadline does not.