Deadlines for the Federal Risk and Authorization Management Program (FedRAMP) and Cybersecurity Maturity Model Certification (CMMC) are coming up fast. Are you ready?
With the latest FedRAMP deadline on September 30 and the CMMC deadline on November 10, federal contractors are less than six months away from needing to demonstrate compliance. Companies that are not in compliance risk having their FedRAMP authorization revoked and may be unable to compete for lucrative contracts within the Department of War (DoW).
Here’s what you need to know about both FedRAMP and CMMC compliance.
FedRAMP: The transition to modernization
FedRAMP governs how cloud service providers handle federal data, and it is currently undergoing its most significant modernization in years. This evolution is driven by the transition to NIST SP 800-53 Revision 5, which represents a fundamental reset in cybersecurity expectations for cloud vendors.
There are two applicable deadlines to keep in mind with this program.
By September 30, 2026, vendors must transition their authorization packages into machine-readable formats. This is a strict compliance requirement designed to reduce the documentation bottlenecks that have historically slowed the authorization process.
Twelve months later, on September 30, 2027, all authorized vendors must be fully aligned with the Revision 5 control baselines. This deadline emphasizes configuration management, system hardening, and continuous monitoring. Companies that fail to complete the transition by the 2027 deadline will have their FedRAMP authorization revoked.
These requirements have real consequences, especially for vendors in the FedRAMP Preparation Phase. Organizations need to have achieved "Certified" or "Validated" status within 12 months of entering this phase, or risk removal from the marketplace entirely.
CMMC: Mandatory and already in motion
On November 10, 2026, the DoW's Cybersecurity Maturity Model Certification (CMMC) requirement for C3PAO assessments becomes mandatory for new contracts involving Controlled Unclassified Information (CUI) at the levels that require them. Contracts involving only Federal Contract Information (FCI) remain at Level 1, which is self-assessed, but for most contractors handling CUI this change marks the end of self-attestation and requires independent, third-party verification of NIST SP 800-171 compliance.
The Department will not award or extend defense contracts that carry a CMMC requirement without proof of CMMC certification at the required level. There is one exception: CMMC does not apply to DoW contracts that are solely for the acquisition of commercial-off-the-shelf (COTS) items. That exception is narrow. It does not cover services, and it does not apply when the contractor possesses CUI.
If you miss the deadline, the remediation process is not quick. It involves correcting the gaps, scheduling the C3PAO assessment, and reapplying. C3PAO availability is constrained, and the process can add months to your compliance timeline.
Layered on top of this deadline is another important development for contractors handling CUI. NIST SP 800-171 Revision 3 will become mandatory for contractors subject to Defense Federal Acquisition Regulation Supplement (DFARS) requirements, and its adoption will have downstream implications for CMMC 2.0 compliance. Organizations should prepare now so that this requirement does not become an urgent challenge right after the November 2026 CMMC deadline.
How to get ready for the deadlines
Organizations that successfully navigate the deadlines tend to have these three things in common: an early start, credible third-party partnerships and a realistic assessment of the gap between their current state and required compliance. Here are some quick tips to get ready.
For FedRAMP: The fall 2026 deadline for machine-readable packages is just around the corner. Review your current authorization package against the Rev 5 baselines now. Identify the documentation that must be converted to a machine-readable format, and have a FedRAMP-recognized Third-Party Assessment Organization (3PAO) engaged before the summer. (C3PAOs assess CMMC, not FedRAMP.)
For CMMC: Make sure you have conducted a gap assessment against the required controls for the CMMC level your contracts demand. Level 2, which covers most contractors handling CUI, requires a formal assessment by a C3PAO. Scheduling that assessment takes time; completing the remediation that may follow will take even more.
The federal government has signaled strict enforcement of these deadlines. For defense contractors and subcontractors, the question is not whether to comply but whether you will be ready on time.
To learn more about compliance and the deadlines surrounding FedRAMP and CMMC, contact immixGroup.
This article is adapted from a commentary that first ran in Washington Technology. To read that commentary in its entirety, click here.
About the author