CMMC in 2026: What Indiana Defense Contractors Need to Know Right Now
Top Three Takeaways
- CMMC 2.0 enforcement is active in 2026; not pending. The DoD finalized CMMC 2.0 in December 2024, and CMMC clauses are already appearing in active solicitations and contract modifications. Indiana defense contractors who are waiting for full rollout before acting are already behind.
- Your current Microsoft 365 plan almost certainly cannot hold CUI. Standard commercial Microsoft 365 tenants, including Business Premium and most Enterprise plans, do not meet the FedRAMP Moderate or High authorization required for Controlled Unclassified Information. Most Indiana defense contractors need to migrate to Microsoft 365 GCC or GCC High before they can credibly self-attest or pass a C3PAO assessment.
- Compliance is a documented process, not just a technical configuration. CMMC Level 2 requires a System Security Plan, a current SPRS score on file in the DoD supplier database, a POA&M for any gaps and documented evidence across 110 NIST SP 800-171 practices. Getting the technology right is necessary, but without the documentation, your posture cannot be assessed or attested.
What Indiana Defense Contractors Need to Know About CMMC in 2026
CMMC 2.0 enforcement is no longer a future concern for Indiana defense contractors: It’s a present contractual requirement. The Department of Defense finalized CMMC 2.0 in December 2024, and as of 2026, CMMC requirements are appearing in active solicitations and contract modifications across all DoD branches. Unfortunately, Indiana defense contractors who have not begun their compliance journey are already behind.
This guide covers what changed, what it means for your organization, and what you need to do now.
What Is CMMC 2.0 and Why Does It Matter to Indiana Defense Contractors?
CMMC (Cybersecurity Maturity Model Certification) is a DoD framework that requires any organization handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to meet defined cybersecurity standards. CMMC 2.0 replaced the original five-tier model with three levels and significantly reduced the compliance burden for most small and mid-sized contractors.
Companies in Fort Wayne, Indianapolis, South Bend and across Indiana hold active DoD contracts or participate in supply chains that carry CUI. CMMC likely applies to you if your business touches any of the following:
- Defense manufacturing
- Aerospace components
- Logistics support
- IT services to prime contractors
- Engineering services
- Any subcontract that flows down CUI handling requirements
What Changed Between CMMC 1.0 and CMMC 2.0?
CMMC 2.0 streamlined the original framework in three important ways that directly affect Indiana defense contractors:
Level reduction from five to three. CMMC 2.0 eliminated Levels 2 and 4 from the original model. Most Indiana defense contractors handling CUI will fall under Level 2, which maps directly to the 110 security practices in NIST SP 800-171.
Self-assessment is permitted at Level 2 in some cases. The DoD allows annual self-assessment for contracts with lower CUI sensitivity, with a senior company official attesting to compliance through the Supplier Performance Risk System (SPRS). However, prioritized acquisitions (contracts deemed critical to national security) still require a third-party Certified Third-Party Assessor Organization (C3PAO) assessment.
Plans of Action and Milestones (POA&Ms) are now permitted. Under CMMC 2.0, companies can pursue contracts with documented deficiencies, provided they meet a minimum score threshold and have an active remediation plan. This is a significant change from the original model’s pass/fail approach, but it is not a loophole. The DoD has reserved the right to limit which practices can appear on a POA&M.
What Level of CMMC Does Your Business Need?
The level required depends on the type of information your contracts involve.
CMMC Level 1
CMMC Level 1 applies to organizations that handle only Federal Contract Information. It requires 17 basic safeguarding practices drawn from FAR 52.204-21 and allows annual self-assessment. Most organizations at this level are lower-tier subcontractors with limited DoD exposure.
CMMC Level 2
CMMC Level 2 applies to organizations that handle Controlled Unclassified Information. It requires compliance with all 110 practices in NIST SP 800-171 and applies to the majority of Indiana defense contractors in manufacturing, engineering and IT services. Depending on contract classification, it may require either annual self-assessment with SPRS attestation or a triennial C3PAO assessment.
CMMC Level 3
CMMC Level 3 applies to organizations supporting the most sensitive DoD programs, particularly those involving information from NIST SP 800-172. It requires a government-led assessment. This level affects a smaller subset of contractors; primarily those supporting advanced weapons programs or intelligence-adjacent contracts.
If you are unsure which level applies to your contracts, that ambiguity is itself a risk. G6 IT works with Indiana defense contractors to review contract language, identify CUI flow-down obligations and determine the correct CMMC level before you spend resources building toward the wrong target.
What Does CMMC Level 2 Actually Require?
CMMC Level 2 is built on NIST SP 800-171, which organizes its 110 practices across 14 control families. Indiana defense contractors pursuing Level 2 compliance must address all of the following:
- Access control: Who can reach what systems and data, under what conditions
- Awareness and training: Documented cybersecurity training for all personnel
- Audit and accountability: Logging of system activity and user actions
- Configuration management: Baselines and change control for systems handling CUI
- Identification and authentication: Multi-factor authentication and account management
- Incident response: Documented procedures and tested response capabilities
- Maintenance: Controls over who performs maintenance and how remote maintenance is conducted
- Media protection: Handling, marking and disposal of physical and digital media containing CUI
- Personnel security: Screening and off-boarding procedures
- Physical protection: Access controls for facilities where CUI is processed
- Risk assessment: Documented assessment processes and vulnerability management
- Security assessment: Internal review of security controls
- System and communications protection: Network segmentation and encrypted transmission
- System and information integrity: Malware protection, patching and security alerts
Most small and mid-sized Indiana defense contractors have gaps in at least several of these areas. The most common deficiencies we tend to see are incomplete audit logging, missing MFA on all accounts with CUI access, absent or undocumented incident response plans, and CUI stored in standard commercial cloud environments that do not meet FedRAMP Moderate or High authorization requirements.
Why Your Current Microsoft 365 Plan May Not Be Enough
This is the most consistently misunderstood issue our team encounters with Indiana defense contractors evaluating their CMMC readiness.
Standard Microsoft 365 commercial plans, including Business Basic, Standard, Premium and even some Enterprise plans, are hosted in Microsoft’s standard commercial cloud. That environment does not meet the data sovereignty and access control requirements for CUI under DFARS 252.204-7012 and CMMC Level 2.
DoD guidance and CMMC assessors generally require that CUI be stored and processed in FedRAMP Moderate or FedRAMP High authorized environments. For Microsoft 365, that means Microsoft 365 Government Community Cloud (GCC) or Government Community Cloud High (GCC High).
The differences are significant:
Microsoft 365 GCC is hosted in Microsoft’s government cloud with U.S.-based data residency and access limited to screened U.S. persons. It meets FedRAMP Moderate and is appropriate for many Level 2 contracts involving CUI that is not subject to export control or other heightened sensitivity designations.
Microsoft 365 GCC High is hosted in a physically separate environment, meets FedRAMP High and supports ITAR/EAR-controlled data. It is required for many contracts involving weapons programs, export-controlled technical data or contracts with ITAR flow-down clauses. GCC High also supports the Microsoft Purview compliance features required for full DFARS and CMMC Level 2 configuration.
If your organization is currently storing CUI, such as technical drawings, contract performance data, design specifications or test results, in a standard Microsoft 365 tenant, that is a material compliance gap. G6 IT manages GCC and GCC High migrations for Indiana defense contractors and handles the full configuration required for CMMC alignment, including audit logging, data loss prevention policies, conditional access and SPRS scoring documentation.
What Is the SPRS Score and Why Does It Matter?
The Supplier Performance Risk System (SPRS) is the DoD database where contractors self-report their NIST SP 800-171 compliance score. Under DFARS 252.204-7019, contractors are required to have a current SPRS score on file before being awarded contracts that involve CUI.
NIST SP 800-171 uses a scoring methodology that starts at 110 points and deducts points for each unimplemented practice. Some practices carry higher point values than others. A perfect score is 110; many organizations score significantly lower. The DoD has not yet publicly defined a minimum passing score, but contracting officers are reviewing SPRS scores as part of source selection, and low scores create risk in competitive procurements.
You must update SPRS scores annually and whenever significant changes occur in your environment. Our team has experience helping Indiana defense contractors calculate an accurate SPRS score, document the methodology and supporting evidence, and develop a POA&M for any gaps. Taking this approach means your self-attestation reflects your actual posture and can withstand scrutiny.
How Long Does CMMC Compliance Take for an Indiana Defense Contractor?
For a small to mid-sized Indiana defense contractor at Level 2, the realistic timeline from assessment to attestation-ready posture is typically four to nine months, depending on the current state of your environment.
The process generally follows this sequence:
Weeks 1 to 4: Gap Assessment
A thorough review of your current environment against all 110 NIST SP 800-171 practices produces a scored baseline, a gap list and a draft POA&M.
Weeks 4 to 12: Remediation Planning and Prioritization
Not all gaps are equal. G6 IT prioritizes remediation based on SPRS score impact, contract timelines and technical complexity. High-impact, lower-effort fixes, such as MFA deployment, conditional access configuration and audit log enablement, are addressed first.
Weeks 8 to 20: Technical Remediation
This is where the bulk of the work happens, including network segmentation, endpoint protection hardening, cloud environment migration (if moving to GCC or GCC High), backup reconfiguration, documentation development and policy implementation.
Weeks 16 to 24: Documentation and Evidence Collection
CMMC assessors evaluate documented evidence, not just technical configurations. System Security Plans (SSPs), POA&Ms, incident response procedures, configuration baselines and training records all require documentation that most small businesses do not have in place.
Final Phase: Self-assessment or C3PAO Assessment Preparation
For self-assessment, this means finalizing SPRS score submission and senior official attestation. For C3PAO assessment, this means readiness review, evidence packaging and assessment support.
Indiana defense contractors with contracts renewing or rebidding in 2026 should begin this process now. Lead times for C3PAO assessments have grown as demand has increased across the defense industrial base.
What Happens If You Don’t Comply?
Non-compliance with CMMC requirements carries escalating consequences for Indiana defense contractors:
Contract Ineligibility
Contracts containing CMMC clauses cannot be awarded to organizations that do not meet the required level. For many Indiana defense contractors, this means losing access to renewals and new awards.
False Claims Act Exposure
Under the DoD Cyber Fraud Initiative, contractors who knowingly misrepresent their cybersecurity posture — including inaccurate SPRS self-attestations — face potential False Claims Act liability. This is not a theoretical risk; the DoJ has brought and settled cases under this theory.
Supply Chain Exclusion
Prime contractors are increasingly flowing down CMMC requirements to subcontractors. If you cannot demonstrate compliance, you risk being removed from subcontract consideration regardless of your technical capabilities.
Incident Liability
A breach occurring in a non-compliant environment, particularly one involving CUI, creates significant exposure under DFARS 252.204-7012 mandatory incident reporting requirements and potential contract termination.
How G6 Supports CMMC Compliance
Our G6 team has delivered managed IT and cybersecurity services to businesses and government-adjacent organizations across Fort Wayne and northeast Indiana, including clients with DoD and Department of Energy relationships.
G6 provides end-to-end CMMC readiness support for Indiana defense contractors:
- NIST SP 800-171 gap assessments and SPRS score calculation
- System Security Plan development and documentation
- Microsoft 365 GCC and GCC High migration and configuration
- MFA, conditional access and endpoint protection implementation
- Audit logging, data loss prevention and Secure Score optimization
- Incident response plan development and tabletop exercise facilitation
- Ongoing governance and monitoring to maintain compliance posture between assessments
- C3PAO assessment preparation and evidence packaging support
As we work with clients, we focus on a structured, forward-looking approach to every engagement. We don’t respond when things break, we plan ahead so they don’t.
If you’re concerned about CMMC readiness, contact us to discuss an initial assessment of your compliance posture, identify the highest-priority gaps and build a realistic roadmap to attestation.
FAQs: CMMC 2026 for Indiana Defense Contractors
What is CMMC and who does it apply to in Indiana?
CMMC (the Cybersecurity Maturity Model Certification) is a DoD framework requiring defense contractors and subcontractors to meet defined cybersecurity standards. It applies to any organization that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under a DoD contract or subcontract. Indiana defense contractors in manufacturing, engineering, IT services, logistics and aerospace are among those most commonly affected. If your organization has any DoD contract that involves technical data, design specifications or other sensitive program information, CMMC likely applies to your business.
Is CMMC 2.0 actually being enforced in 2026?
Yes. The CMMC 2.0 final rule became effective December 16, 2024. As of 2026, CMMC requirements are appearing in active DoD solicitations and contract modifications. The DoD has committed to phasing CMMC into all applicable contracts by fiscal year 2028, but Indiana defense contractors pursuing new awards or contract renewals are already encountering CMMC clauses in solicitations. Waiting for full enforcement to begin before acting is not a viable risk management strategy.
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 covers organizations handling only Federal Contract Information and requires 17 basic cybersecurity practices aligned with FAR 52.204-21. It allows annual self-assessment. CMMC Level 2 covers organizations handling Controlled Unclassified Information and requires compliance with all 110 practices in NIST SP 800-171. Depending on the contract, Level 2 requires either annual self-assessment with senior official attestation or a triennial assessment by a Certified Third-Party Assessor Organization (C3PAO). Most Indiana defense contractors in manufacturing and engineering fall under Level 2.
Can I use my current Microsoft 365 Business subscription for CMMC compliance?
No. Standard Microsoft 365 commercial plans are not authorized to store or process Controlled Unclassified Information under DFARS 252.204-7012 and CMMC Level 2 requirements. CUI must reside in a FedRAMP Moderate or FedRAMP High authorized environment. For Microsoft 365, that means migrating to Microsoft 365 Government Community Cloud (GCC) or GCC High. G6 Communications manages these migrations for Indiana defense contractors and handles the full CMMC-aligned configuration of the new environment, including audit logging, conditional access, data loss prevention policies and documentation.
What is a System Security Plan and do I need one?
A System Security Plan (SSP) is a documented description of your information system, the CUI it handles, the security controls you have implemented and the controls you plan to implement. CMMC Level 2 requires an SSP as foundational evidence of your compliance posture. Without an SSP, a self-attestation or C3PAO assessment cannot be properly supported. Most small Indiana defense contractors do not have a compliant SSP in place. At G6, we develop SSPs as part of our CMMC readiness engagements.
What is the SPRS score and what should mine be?
Your SPRS (Supplier Performance Risk System) score is your self-reported NIST SP 800-171 compliance score, submitted to the DoD’s supplier risk database. The scoring methodology starts at 110 and deducts points for each unimplemented practice. Under DFARS 252.204-7019, contractors must have a current SPRS score on file to be awarded CUI-handling contracts. The DoD has not defined a universal minimum passing score, but low scores create competitive risk and regulatory exposure. We help Indiana defense contractors calculate an accurate, defensible SPRS score and develop the documentation to support it.
How much does CMMC compliance cost for a small Indiana defense contractor?
The cost of CMMC compliance varies based on your organization’s size, the current state of your IT environment, the level of remediation required and whether you need a third-party assessment or can self-attest. Technical remediation — particularly cloud migrations to GCC or GCC High, endpoint security hardening and documentation development — typically represents the largest cost. For many small Indiana defense contractors, professional managed services covering the ongoing governance required to maintain compliance are more cost-effective than attempting to staff internal expertise. G6 provides pricing based on a gap assessment, so you get a remediation scope that reflects your actual environment rather than a generic estimate.
How long does it take to become CMMC compliant?
For a small to mid-sized Indiana defense contractor pursuing CMMC Level 2, the realistic timeline from initial gap assessment to self-attestation-ready posture is four to nine months, depending on the scope of remediation required. Organizations that need to migrate to Microsoft 365 GCC or GCC High, build documentation from scratch, and implement significant technical controls will be at the longer end of that range. Indiana defense contractors with contracts renewing or rebidding in 2026 should engage a compliance partner immediately.