The CMMC acquisition rule embedding cybersecurity certification requirements directly into DoD contract solicitations took effect November 10, 2025. For Texas Triangle manufacturers supplying defense primes in DFW, San Antonio, and Houston, that date carries an immediate operational consequence: any new solicitation issued after that date may carry a CMMC Level 2 certification requirement, and your prime contractor does not have to wait for the federal phase calendar to enforce it on you.
The core sequence — Final Rule effective December 16, 2024; acquisition rule effective November 10, 2025; all new DoD solicitations carrying CMMC requirements by October 31, 2026 — is consistent across multiple secondary sources and warrants immediate planning attention. However, specific milestone dates should be verified against the DoD CMMC Program Office at dodcio.defense.gov and the Federal Register entries for 32 CFR Part 170 and the 48 CFR DFARS acquisition rule before treating them as compliance anchors.
Your Deadline Is Your Next Solicitation, Not October 2026
October 31, 2026 is widely cited as the date by which CMMC requirements will appear in all new DoD solicitations. That framing is operationally misleading for subcontractors.
Prime contractors — Lockheed Martin, L3Harris, Raytheon, and their program offices — are not waiting for DoD to complete its phase calendar before flowing compliance obligations down their supply chains. CMMC flow-down clauses are being embedded in new subcontracts and contract modifications now, during Phase 1. If your prime has already updated their subcontract template language, your effective compliance deadline may be your next task order, recompete, or teaming agreement — not a government-published date eighteen months out.
Actual deadlines depend on when specific contracts are solicited and awarded. That nuance cuts both ways: some subcontractors have more runway than they think; others have far less. One date discrepancy in the available sources is worth flagging: some secondary sources reference November 10, 2026 as a next major Level 2 milestone, conflicting with the October 31, 2026 deadline cited elsewhere. Neither date has been confirmed from primary DoD sources. Use the DoD CMMC Program Office as your authoritative reference.
The 12–18 Month Problem
The structural risk for Texas Triangle mid-market subcontractors is not the federal calendar. It is the implementation timeline.
Organizations starting CMMC Level 2 preparation from a low baseline — no current System Security Plan (SSP), no Plan of Action and Milestones (POA&M), no current SPRS score, and IT systems never scoped against NIST SP 800-171's 110 controls — face an implementation window that industry practitioners broadly estimate at 12 to 18 months. Actual timelines vary based on current IT maturity, the scope of systems that touch Controlled Unclassified Information (CUI), and internal resource capacity. Treat this as a planning range, not a guarantee.
Even at the conservative end of that range, a manufacturer that has not initiated a gap assessment and begins in mid-2026 may not complete Level 2 certification before facing a solicitation that requires it.
Compounding this is the C3PAO capacity constraint. Certified Third-Party Assessment Organizations — the authorized assessors that conduct CMMC Level 2 certifications — have limited scheduling availability. As Phase 2 deadlines approach and more organizations begin queuing assessments, wait times are expected to extend. The Cyber AB assessor directory at cyberab.org is the authoritative source for finding and scheduling C3PAO assessors. If you have not yet scoped an assessment, check scheduling availability now, not after remediation is complete.
What DFARS 252.204-7012 Already Requires
One risk predates CMMC entirely. DFARS clause 252.204-7012 has been active in most DoD contracts for years. It requires contractors to implement NIST SP 800-171 security controls and report cyber incidents. If your current IT environment has not been assessed against those 110 controls and your SPRS score has not been submitted and kept current, you may already be in technical non-compliance with existing contract obligations — independent of whether CMMC has been formally required.
CMMC Level 2 is built on the same NIST SP 800-171 control set that DFARS 252.204-7012 already mandates. The CMMC certification process converts that self-attestation obligation into a third-party verified one. For manufacturers who have maintained current DFARS compliance documentation, Level 2 certification is an incremental step. For those who have let SSP and POA&M documentation lapse, the gap is larger than the CMMC timeline alone suggests.
Four Audits to Run Before Your Next Bid Cycle
Any Tier 2 or Tier 3 defense subcontractor in the Texas Triangle with active or prospective DoD-connected contracts should verify the following before the next solicitation lands:
- FCI and CUI exposure. Does your operation receive, store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)? FCI flows into most DoD subcontracts. CUI — which includes technical specifications, drawings, and program data — triggers Level 2 requirements. If you do not have a current data classification review, this is the starting point.
- Prime contractor flow-down clauses. Pull every active subcontract and teaming agreement tied to a defense prime. Search for CMMC, DFARS 252.204-7019, 252.204-7020, and 252.204-7021 clause references. If any are present, your compliance obligation may already be contractually active, not pending.
- SPRS score. The Supplier Performance Risk System score reflects your self-assessed NIST SP 800-171 posture. It must be submitted and current. A missing or outdated score is a visible compliance gap to any prime conducting supplier qualification checks.
- C3PAO assessment status. If Level 2 certification is required by your contracts or anticipated in upcoming solicitations, a third-party assessment from a CMMC-authorized C3PAO must be scheduled. Given expected capacity constraints as the 2026 phase deadline approaches, scope this earlier rather than later.
Watch
Two items warrant ongoing monitoring.
First, verify the 48 CFR acquisition rule effective dates directly against Federal Register publications and the DoD CMMC Program Office. Secondary sources agree on the core timeline, but the date conflict noted above and the absence of primary documentation mean no secondary blog should serve as a compliance reference.
Second, watch for prime contractor communications about CMMC requirements in contract modifications and new solicitations. The phase calendar sets a floor; prime contractor enforcement will arrive first for most subcontractors. If your contracting officer contact at a defense prime has not raised CMMC yet, that is not confirmation you are exempt — it may mean they have not reached your tier.
Some secondary sources report full Defense Industrial Base compliance expected by 2028, without a primary DoD citation. Do not anchor planning to that figure. For Texas Triangle subcontractors, the practical compliance window is not 2028. It is the next contract cycle.