Army Awards $49M to Eight Firms for Next Generation Commercial Operations CMMC Pilot

Army Contracting Command – Rock Island awarded a multiple-award indefinite-delivery, indefinite-quantity contract with a $49 million ceiling on May 12 to eight companies for the Next Generation Commercial Operations pilot program — a cross-functional professional services vehicle specifically structured to test the implementation of Cybersecurity Maturity Model Certification Level 2 requirements on active Army contracts. The eight awardees include companies operating in logistics advisory, financial management support, program management support, and information technology services, providing a broad sample of task order types across which CMMC Level 2 requirements will be assessed during the pilot period. The IDIQ has a two-year base period with two one-year option periods and will be managed by the Army's Program Executive Office Enterprise Information Systems. The pilot program is designed to generate real-world data on CMMC compliance costs, assessment timelines, and the operational impact of mandatory certification requirements before DoD scales Level 2 requirements across the full professional services contract base in the second half of fiscal year 2026.

CMMC Level 2 and the Professional Services Context

CMMC Level 2 requires that a contractor implement all 110 security requirements contained in NIST SP 800-171 and have that implementation validated by a CMMC Third Party Assessment Organization — a C3PAO — before the company can be awarded a covered DoD contract. The professional services sector presents a distinctive CMMC implementation challenge compared to traditional defense manufacturing: professional services firms typically process controlled unclassified information in office environments, on commercial cloud platforms, and across distributed remote-work configurations that were not designed with NIST 800-171 controls in mind. A defense manufacturer can isolate its CUI-handling systems in a dedicated facility with defined access controls; a professional services firm providing, say, financial management support may find that CUI flows across its entire office infrastructure because financial data related to government programs is the core of its work product. The Army pilot is intended in part to assess what adjustments CMMC assessors are applying in the professional services context — particularly regarding physical access controls, multi-factor authentication implementation, and cloud service provider authorization baselines — before those interpretive practices are standardized across the full Level 2 program.

Industry Implications and the CMMC Assessment Pipeline

The eight-company pilot pool will generate the first real-world CMMC Level 2 assessment data for professional services task orders, producing practical information about how long C3PAO assessments take, what remediation findings are most common, and what the total compliance cost looks like for companies at different revenue scales. DoD's CMMC program office has acknowledged that the C3PAO assessment capacity constraint is the binding limitation on how quickly mandatory certification requirements can be expanded — there are currently fewer than 100 authorized C3PAOs, and the assessment backlog for companies seeking Level 2 certification is already measured in months. The Army pilot will add eight companies to the certified pipeline and generate lessons about assessment process efficiency that the CMMC program office can use to identify bottlenecks and prioritize C3PAO capacity development. Firms in the broader professional services sector that have not yet begun CMMC Level 2 preparation should note that the pilot timeline suggests DoD is on track for broader Level 2 enforcement in the second half of FY 2026 and that the assessment pipeline will only become more congested as the deadline approaches.

What It Means for Contractors

The Army CMMC pilot represents the leading edge of mandatory Level 2 enforcement across professional services and provides a visible data point for companies assessing their own certification timelines.

• Professional services firms on Army contracts that handle any category of controlled unclassified information — including program management data, financial records related to government contracts, or personnel information — should begin their CMMC Level 2 preparation immediately; the assessment process is typically a six-to-twelve-month undertaking from initial gap assessment to certification issuance.
• C3PAO selection is a critical decision: firms should evaluate assessors on their professional services experience, not just their manufacturing sector credentials, as the assessment interpretations applied in an office-environment CUI context differ meaningfully from those applied in a manufacturing environment.
• The pilot's two-year base period will generate publicly available assessment data that smaller companies can use to benchmark their own compliance programs; monitoring the Army pilot outcomes through SAM.gov contract action notices and CMMC program office publications will provide early insight into assessment trends.
• Companies that hold multiple DoD contracts across different services should assess whether a single CMMC Level 2 certification covers all their covered systems or whether they need separate assessments for organizational units that operate distinct IT environments; the CMMC rules on organizational scoping have practical implications for companies with complex corporate structures.

C3PAO Assessment Process and the Scope Determination Challenge

The most consequential decision in a CMMC Level 2 assessment is the scoping determination — the process of identifying which of the contractor's IT systems, facilities, and personnel are within the assessment boundary and therefore subject to all 110 NIST 800-171 security requirements. The scoping rules under CMMC allow contractors to segment their IT environments, placing only the systems and personnel that actually process, store, or transmit controlled unclassified information within the assessment boundary and treating everything outside the boundary as out-of-scope. A contractor that can demonstrate clean separation between its CUI-handling environment and its general corporate IT infrastructure can significantly reduce the scope of its Level 2 assessment — and thus its compliance costs — by designing its network architecture and information flow so that CUI never touches general corporate systems. The Army CMMC pilot's professional services focus makes scoping particularly important and particularly difficult: unlike a manufacturer with a discrete production environment, a professional services firm's CUI typically flows through the same email systems, document management platforms, and collaboration tools that all employees use for general business purposes. The pilot will generate real C3PAO assessment data on how assessors handle professional services scoping decisions — whether they accept logical segmentation within shared platforms or require physical separation — data that will be valuable to the thousands of professional services firms that must navigate the same scoping question before their own CMMC certifications. Firms monitoring the pilot's outcomes through SAM.gov task order notices and CMMC program office publications can use this information to make better-informed scoping decisions before investing in their own assessment preparation.

Sources

• DoD Contracts Announcement, May 12, 2026 — Globalsecurity.org mirror (May 12, 2026)
• CMMC Program — Office of the Under Secretary of Defense for Acquisition
• CMMC Documentation and Assessor Resources — DoD CIO