Michigan's Defense Ecosystem Has Five Months to Pass a Cybersecurity Test It Can't Postpone
A federal mandate requiring third-party CMMC certification by November 2026 is colliding with a nationwide shortage of assessors and a state with more than 4,800 active DoD contracts.
Michigan's public institutions issued roughly eight distinct cybersecurity procurement solicitations in the last 30 days, a volume that would be unremarkable except for what's driving two of them: the University of Michigan Health System has posted an explicit RFP for a CMMC C3PAO third-party assessment, the certification that every DoD contractor and university research lab handling Controlled Unclassified Information must hold by November 10, 2026. U of M's move is a signal flare for the rest of the state's defense ecosystem, which has roughly five months to book assessment slots that are already running short nationwide.
The deadline is structural, not negotiable. Under the DoD's 48 CFR final CMMC rule, published September 10, 2025 and enforced from November 10 of that year, Level 2 certification by an accredited third-party assessment organization becomes mandatory for any contract touching CUI starting November 10, 2026. That covers not just the prime contractors and machine shops of Macomb County, which received $3.21 billion in DoD contracts in 2024, but also the federally funded research labs at Michigan's flagship universities. Michigan State University's research security office and U of M's compliance infrastructure are both now staring down the same certification gauntlet as a mid-size fabricator in Sterling Heights.
The problem is the math. CMMC Level 2 remediation, the process of closing security gaps before an assessor even walks in the door, typically takes 6 to 18 months. That timeline means any Michigan contractor or university lab not already deep into the remediation process is at serious risk of missing the November cutoff. C3PAO assessment slots are already backlogged as of early 2026, a predictable outcome when a federal mandate drops simultaneously on thousands of contractors across the entire defense industrial base. Michigan's contractor population skews toward small and mid-sized firms, for whom a $50,000 to $200,000 assessment is a significant budget item and who typically lack the in-house compliance staff that primes maintain.
[Figure: Michigan's converging cybersecurity deadlines. Source: NationGraph.]
U of M's pair of solicitations, a Cybersecurity Capability Maturity Program Assessment RFP first posted May 13 and the C3PAO assessment RFP first seen May 21, represent some of the first explicit public evidence of CMMC procurement activity at Michigan's research universities. MSU's research security office has separately flagged CMMC obligations for its labs. The compliance challenge at a major research university is meaningfully harder than at a manufacturer: a single university may run dozens of discrete DoD-funded projects across multiple colleges, each potentially handling CUI under different contract terms, requiring scoping decisions that a typical machine shop never faces.
Running parallel to the CMMC pressure is a separate deadline tied to federal cybersecurity grant money. Michigan received $4.78 million in FY2022 State and Local Cybersecurity Grant Program funds from DHS, and sub-recipient project deadlines for that cohort expire between August and November 2026. The recent cybersecurity solicitations from the City of Big Rapids, Grosse Ile Township, and Ann Arbor Public Schools all reference SLCGP-funded procurement, meaning local governments are also racing a clock, just a different one. Michigan's total SLCGP allocation across FY2022 through FY2025 exceeds $23 million; the pressure to spend the earliest tranche is now acute.
For a Michigan resident, the practical stakes are two-fold. First, the defense supply chain concentrated in southeast Michigan, including automotive suppliers that also manufacture defense components, faces a genuine eligibility cliff: firms that miss certification lose the ability to bid on new CUI contracts, and some may be excluded from existing contract renewals. Second, the university research pipeline is at risk. DoD-funded research at U of M and MSU generates billions in economic activity and supports graduate training across engineering and sciences; labs that cannot certify may be forced to wind down or restructure projects.
The next signal to watch is whether the DoD's CMMC program office expands the authorized C3PAO roster fast enough to absorb Michigan's demand, and whether any formal extension or phased enforcement grace period emerges before fall. Neither is guaranteed. What is certain is that the five-month window is shorter than the minimum remediation timeline for organizations starting now, which means for a meaningful slice of Michigan's defense ecosystem, the real deadline passed quietly sometime earlier this year.