For the past three weeks, the University of Michigan has posted a new pair of cybersecurity assessment solicitations every single business day. The pace is mechanical and deliberate: 48 cybersecurity RFPs have appeared in Michigan's procurement system in the trailing 30 days, against a 12-month baseline of roughly 1.9 per month. That is a 2,404% spike, and 46 of the 48 solicitations come from a single institution.
The proximate cause is $155.6 million. That is the total obligated value of the University of Michigan's 146 active Department of Defense grants, all of which are now subject to a compliance clock that stops on November 10, 2026. On that date, DoD's Cybersecurity Maturity Model Certification Phase 2 takes effect, replacing the current self-attestation regime with mandatory third-party audits by authorized Certified Third-Party Assessment Organizations, known as C3PAOs. The 48 CFR DFARS final rule was published in the Federal Register on September 10, 2025, and became enforceable that November. Phase 2 is six months out. Compliance remediation takes six to twelve months. The math is uncomfortable.
Of UM's 46 RFPs, 42 are solicitations for Cybersecurity Capability Maturity Program assessments covering UM Health hospital systems, with responses due June 8, 2026. Four more seek C3PAO third-party assessors directly, due two days later. The daily posting cadence is not bureaucratic routine, it reflects a deliberate sweep across UM's physically and organizationally distinct environments: research labs, clinical facilities, and hospital IT systems that each present their own surface area of Controlled Unclassified Information.
Source: NationGraph.
The urgency is compounded by a supply problem that no amount of institutional urgency can solve alone. Nationally, roughly 80 authorized C3PAOs serve an estimated 80,000 contractors requiring Level 2 certification. Many assessors are already booked through the end of 2026, and industry analysts project wait times could exceed 18 months by the third quarter of this year. Assessment fees that currently run $31,000 to $76,000 per engagement are expected to climb to $75,000 to $150,000 as demand outpaces capacity. An organization that has not engaged an assessor by spring 2026 is, according to Michigan-based compliance advisors, statistically likely to miss the certification window entirely.
No other Midwestern state is moving at anything close to this pace. Ohio issued one cybersecurity RFP in the same 30-day window. Illinois issued one. Minnesota issued two. Michigan's 48 reflect not a statewide wave but a single institution making a coordinated institutional bet that procurement volume can outrun assessor scarcity.
The University of Michigan's position in Michigan's defense economy makes this more consequential than a single university procurement story. Michigan's defense-industrial base is split between a large manufacturing supply chain, auto-to-defense converters concentrated in Oakland County, Novi, and Auburn Hills, and a research university whose hospital system has become a major DoD contractor in its own right. UM's Economic Growth Institute already runs programs to help Michigan firms offset the cost of CMMC gap assessments, meaning UM is simultaneously one of the state's largest defense contractors and part of the infrastructure helping smaller contractors comply. If UM's own certification sprint fails, it affects not just the university's federal funding but a broader compliance ecosystem the university helps anchor.
For smaller Michigan defense contractors watching this, the signal is pointed. The CMMC compliance window that looked distant when the final rule was published last fall is effectively closed for any organization that has not begun remediation. An institution with UM's legal, financial, and procurement infrastructure is posting RFPs every day and still racing. Contractors without dedicated compliance staff face the same November deadline with fewer resources and, likely, longer waits for the same finite pool of assessors.
The June 8 and June 10 response deadlines on UM's RFPs are the next concrete markers to watch. Whether the university receives qualified bids, and how many, will be an early signal of how tight the assessor market has actually become. If solicitations come back with limited responses or inflated pricing, it will confirm what the procurement calendar already implies: that the bottleneck is not motivation or money, but the simple arithmetic of too many contracts chasing too few auditors before a hard federal deadline.
