CMMC Compliance: What GSA Schedule Holders Need to Know in 2026

CMMC Is Here — And It Affects Your GSA Schedule

If you sell to the Department of Defense through your GSA Schedule, the Cybersecurity Maturity Model Certification (CMMC) is no longer something you can put off. The final rule is in effect, phased implementation is underway, and DoD is starting to include CMMC requirements in new solicitations.

I've talked to dozens of GSA Schedule holders who assumed CMMC was only for large defense primes. That's wrong. If you handle Controlled Unclassified Information (CUI) or even Federal Contract Information (FCI) on DoD contracts, CMMC applies to you — regardless of your company size.

Understanding the CMMC Levels

CMMC 2.0 simplified the original five-level model into three:

  • Level 1 (Foundational) — 15 basic cybersecurity practices based on FAR 52.204-21. Self-assessment only. This applies if you handle FCI but not CUI.
  • Level 2 (Advanced) — 110 practices aligned with NIST SP 800-171. Requires third-party assessment by a C3PAO (Certified Third-Party Assessment Organization) for critical contracts, or self-assessment for non-critical ones.
  • Level 3 (Expert) — Based on NIST SP 800-172 with additional enhanced security requirements. Government-led assessment. This is for contractors working on the most sensitive DoD programs.

Most GSA Schedule holders selling to DoD will need Level 1 or Level 2. If you're providing IT services, cybersecurity solutions, or professional services that involve CUI, Level 2 is likely your target.

The Timeline You Need to Know

CMMC implementation is being phased in over several years:

  • Phase 1 (2025) — DoD begins including CMMC Level 1 and Level 2 self-assessment requirements in select solicitations.
  • Phase 2 (2026) — Third-party assessments for Level 2 start appearing in solicitations for contracts involving critical CUI.
  • Phase 3 (2027) — CMMC requirements become standard across all applicable DoD solicitations.
  • Phase 4 (2028) — Full implementation including Level 3 for applicable contracts.

Here's the reality: if you wait until 2027 to start your CMMC journey, you're already behind. Certification doesn't happen overnight. Building your System Security Plan (SSP), implementing controls, and scheduling an assessment take 6-12 months minimum.

How CMMC Intersects with Your GSA Schedule

Your GSA Schedule is a contract vehicle — it gives you access to the federal marketplace. But CMMC is a compliance requirement that sits on top of individual task orders and delivery orders. Here's how they interact:

  • GSA Won't Require CMMC for Your Schedule Contract — CMMC is a DoD requirement, not a GSA requirement. Your GSA Schedule itself won't require certification.
  • But DoD Orders Off Your Schedule Will — When DoD agencies place orders against your GSA Schedule, those orders can (and increasingly will) include CMMC requirements. If you can't meet the required level, you can't compete for that work.
  • It's a Competitive Differentiator — Contractors who get certified early will have a significant advantage. While your competitors are scrambling to meet requirements, you'll already be eligible for DoD task orders.

What You Should Do Right Now

  • Determine Your Required Level — Review your current DoD contracts and the types of information you handle. FCI only = Level 1. CUI involved = Level 2.
  • Conduct a Gap Assessment — Compare your current cybersecurity posture against NIST SP 800-171 controls. Identify what you're missing.
  • Build Your SSP and POA&M — Document your System Security Plan and create a Plan of Action and Milestones for any gaps you need to close.
  • Budget for It — CMMC compliance isn't free. Factor in costs for tools, training, potential infrastructure upgrades, and the assessment itself.
  • Start Now — The companies that move early will win more work. Period.

The Bottom Line

CMMC is the new cost of doing business with DoD. If your GSA Schedule includes IT, cybersecurity, or professional services SINs and you sell to defense agencies, certification isn't optional — it's essential.

Need help understanding how CMMC affects your GSA Schedule strategy? Blackfyre can help. We work with contractors every day to align their contract vehicles with compliance requirements so they're always ready to compete.

Pedro has an extensive background as a Contracting Officer and Contract Specialist and has worked across seven federal agencies, managing contracts totaling over $1 billion in the professional and tech sectors. His notable tenure includes serving with the DoD/DARPA during the inception of their robotics program. Additionally, he played a pivotal role in initiating the Cyber Special Item Number (SIN) within the GSA's IT Schedule 70 as a Team Lead. After graduating from Harvard, he started Blackfyre to help you win your next contract.
