If your firm designs, builds, or manages construction on military installations and you have not started thinking about CMMC, this is your signal to start.
NAVFAC Southwest recently posted a notice on SAM.gov making it clear: prospective contractors on IDIQ awards issued on or after November 10, 2026 must demonstrate CMMC Level 2 certification (C3PAO assessed) or higher. The notice goes further, stating that NAVFAC SW anticipates the majority of work under Construction and Architect-Engineering IDIQs will require Level 2 certification after that date.
That is not a suggestion. It is a gate. If your firm is not certified, you will not be eligible for award.
For years, CMMC conversations have centered on traditional defense manufacturers, IT service providers, and technology companies. Architecture, engineering, and construction firms have largely operated on the periphery of those discussions, often assuming that cybersecurity certification was someone else's problem.
This notice changes that assumption. NAVFAC is one of the largest sources of federal A/E/C contract dollars, and they are telling the market directly: certification is coming, and it applies to you.
If your firm holds or pursues NAVFAC IDIQs, or if you work as a subcontractor on NAVFAC task orders, CMMC Level 2 is now part of your competitive qualification. The same applies to firms working under other DoD components. NAVFAC is leading, but the rest of the Department will follow the same trajectory as Phase 2 of the CMMC rollout takes effect in November 2026.
CMMC Level 2 is built on the 110 security requirements in NIST SP 800-171 Rev 2. It is designed to protect Controlled Unclassified Information (CUI) in contractor information systems.
For A/E/C firms, CUI commonly shows up in places people do not expect: building plans for military facilities, site surveys, structural assessments, environmental reports, project schedules with sensitive operational details, and correspondence with government program managers. If your firm handles any of these on DoD projects, you are almost certainly processing CUI, and CMMC Level 2 applies.
A C3PAO (Certified Third-Party Assessment Organization) assessment means an independent assessor verifies your implementation of all 110 controls. This is not a self-attestation. It is a formal audit of your cybersecurity program, your technical environment, your policies, and your operational practices.
November 2026 sounds like it is far away. It is not.
Most organizations that have never gone through a CMMC assessment need 9 to 14 months of preparation, depending on their starting point. That timeline includes scoping the environment, identifying where CUI lives, remediating gaps in both technology and process, building the required documentation (System Security Plan, Plan of Action and Milestones), and then scheduling and completing the actual C3PAO assessment.
C3PAO availability is also a real constraint. As demand increases through 2026, assessment slots will fill. Firms that wait until summer 2026 to start will likely find themselves unable to complete certification before the November deadline.
If your firm intends to compete for NAVFAC work after November 2026, the preparation window is open right now. It will not stay open much longer.
Determine whether you handle CUI. Review your current and recent DoD contracts. Look at the contract clauses, specifically DFARS 252.204-7012 and the new DFARS 252.204-7021. If CUI is present, CMMC Level 2 applies.
Understand your current cybersecurity posture. Many A/E/C firms rely on general IT support that was not designed with NIST 800-171 in mind. A gap assessment against the 110 controls will tell you exactly where you stand and what needs to change.
Scope your CUI environment. The scope of your CMMC assessment depends on which systems process, store, or transmit CUI. Defining that boundary early is critical. It determines the cost, complexity, and timeline of your compliance program.
Build a plan with realistic timelines. Certification is not a technology purchase. It is a program that spans people, process, and technology. Your plan should account for policy development, technical remediation, employee training, and evidence collection, all before the assessment itself.
Engage a qualified partner early. Working with a Registered Practitioner Organization (RPO) that understands both the CMMC framework and the operational realities of A/E/C firms can significantly reduce wasted time and rework. Look for practitioners who hold CCA or CCP credentials through the Cyber AB.
NAVFAC's notice is one signal in a much larger pattern. DoD contracting offices across the Navy, Army, Air Force, and other components are already embedding CMMC requirements in live solicitations. The 48 CFR Final Rule has been in effect since November 2025, and contracting officers have discretion to require C3PAO-assessed Level 2 at any time during Phase 1.
Phase 2, beginning November 10, 2026, makes that requirement mandatory for applicable contracts. A/E/C firms that start now will be positioned to compete. Firms that wait risk losing access to a significant portion of their federal revenue.
This is not a compliance exercise for compliance's sake. It is a business decision about whether your firm will remain eligible for the work you have built your practice around.
Stehrling is a CMMC Registered Practitioner Organization (RPO) with the Cyber AB. Every member of our delivery team holds CCA or CCP credentials. We build compliance programs for defense contractors, and we bring the expertise to get you through certification. If your A/E/C firm needs to understand what CMMC means for your business, contact us to start the conversation.