CMMC certified! Is our cyber program actually complete?

Learn why next-generation cyber maturity requires a broader, risk-based approach beyond CMMC requirements.

The next generation of CMMC is here. While the requirements themselves should not surprise anyone, their impact will be felt very differently across organizations working to supply the US government. Organizations that approached CMMC as a checklist may find the next phase uncomfortable. Those that invested in a modern, risk‑based cybersecurity program will find themselves well positioned – not just for compliance, but for growth.

To understand why this matters, it is critical to understand what CMMC was designed to do and what it was not intended for. CMMC focuses on meeting NIST 800-171 r2, which, for all practical purposes, is a 2013 cyber standard. While the Department of Defense currently requires r2, r3 was officially released in May 2024 to better align with NIST 800-53 r5 (released in September 2020). Neither is the bleeding edge of cyber or digital operations. Why would any organization willingly choose to trust its cyber defense to standards developed in 2013?

That gap is not merely theoretical – it is already reshaping how governments assess cyber readiness. For example, the Canadian Program for Cyber Security Certification (CPCSC), launched in March 2025, is very similar to CMMC. Its Level 2 (Enhanced) certification requires that Canadian organizations meet ITSP.10.171, which is the equivalent of NIST 800-171 r3. These are your competitors, and the cyber measures they are implementing give them a competitive advantage.

As of January 2026, the General Services Administration (GSA) requires NIST 800-171 r3 plus additional controls from NIST 800-172 r3 (draft). NIST 800-172 will also be used for CMMC Level 3 certification. Currently, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is looking for volunteers to be assessed while it works out its assessment processes, and GSA looks set to require NIST 800-172 before CMMC will.

GSA will also require that organizations be assessed by GSA-approved assessors (though final requirements aren’t available at this time), which is conceptually the same as C3PAOs under CMMC. A third party will verify that your organization meets NIST 800-171 r3’s requirements and objectives, that you have operationalized them, and that they are working as intended.

As NIST 800-171 r3 rapidly approaches its two-year mark, we here at CohnReznick have been helping more organizations meet its requirements for non-DoD contracts. We see contracts from various agencies that require meeting all the controls and objectives and self-reporting any exceptions. These contracts don’t require third-party verification like CMMC, but they carry more modern cyber requirements than CMMC does.

The standards we are measuring our organizations against aren’t current. They reflect a pre‑COVID operating model – before cloud acceleration, remote work at scale, and AI‑driven threats. They don’t account for the tactics, techniques, and procedures (TTPs) being used in 2026. And while CMMC was designed to protect CUI, it was never intended to address five of the six CSF 2.0 functions and so cannot, on its own, form a holistic cyber program. You need to layer in NIST 800-171 r3, NIST CSF 2.0, and elements of NIST 800-53 r5, based on your risk profile, along with the NIST Cyber AI profile (NISTIR 8596).

Make sure your organization is focused on all six functions (Govern, Identify, Protect, Detect, Respond, and Recover) with AI layered in. Use the maturity model built into CSF 2.0 to measure, sustain, and demonstrate cyber maturity over time. Keep it current – the TTPs change daily, so your approach will need to change also. Next‑generation cyber maturity is not about waiting for the next version of CMMC. It is about adopting a holistic, risk‑based approach that aligns governance, operations, and resilience – while integrating emerging technologies such as artificial intelligence.

CMMC certification is worth celebrating. But it is the foundation, not the finish line. Organizations that take a proactive approach will not only exceed future CMMC requirements – they will demonstrate cyber maturity as a competitive differentiator to government customers and prime contractors alike. If you are ready to empower your business, let CohnReznick help you improve your cyber program.

Subject matter expertise

Adonye Chamberlain, Manager, Cybersecurity, Technology Risk, and Privacy (Adonye.Chamberlain@cohnreznick.com)
