CMMC Phase 2 Deadline: What DIB Contractors Must Do Before November 10, 2026
November 10, 2026 is the CMMC Phase 2 deadline — the point at which the Department of Defense can begin including CMMC Level 2 third-party assessment requirements in new solicitations and contract renewals. After that date, self-attesting your NIST SP 800-171 score is no longer enough for contracts that specify C3PAO certification. Your organization needs a passing assessment from a Certified Third-Party Assessment Organization.
The problem is the math. A C3PAO assessment requires months of preparation, months of scheduling lead time, and weeks of on-site and remote evaluation. Contractors starting from scratch today have six months until the Phase 2 cliff — which is barely enough time if everything goes right, and leaves no margin for the C3PAO queue that will form as the deadline approaches.
This post covers what Phase 2 actually changes versus Phase 1, who is in scope, what the typical 12–18 month certification timeline looks like, the C3PAO capacity bottleneck, and exactly what you should be doing right now.
What is CMMC Phase 2?
The CMMC Final Rule (32 CFR Part 170), published October 15, 2024, defines a phased rollout that incrementally introduces third-party assessment requirements into DoD contracting. Each phase expands which organizations need formal certification and what type of assessment satisfies that requirement. [89 FR 77190, Oct. 15, 2024]
- Phase 1 (in effect, Dec 16, 2024): DoD may include CMMC Level 1 self-assessment and Level 2 self-assessment requirements in solicitations. No C3PAO required yet. Contractors self-attest via SPRS and submit an annual affirmation.
- Phase 2 (November 10, 2026): DoD may begin requiring CMMC Level 2 C3PAO third-party assessments in solicitations. Self-assessment is no longer sufficient for contracts that specify C3PAO certification. Conditional certification (180-day POA&M window) is available.
- Phase 3 and beyond: Progressive expansion of CMMC Level 3 requirements and full enforcement across the Defense Industrial Base.
Phase 2 does not flip a switch that retroactively modifies existing contracts. The requirement appears in new solicitations and renewals issued after the Phase 2 date. But any contractor pursuing CUI-handling DoD work after November 2026 will encounter C3PAO language in RFPs, and any prime that flows the requirement down will pass it to subcontractors in their next agreement cycle.
Phase 1 vs. Phase 2: What actually changes?
The core difference is who evaluates your cybersecurity posture. In Phase 1, you evaluate yourself. In Phase 2, a DoD-authorized assessor evaluates you.
| Requirement | Phase 1 (now) | Phase 2 (Nov 10, 2026+) |
|---|---|---|
| Who assesses? | Contractor (self-assessment) | Authorized C3PAO |
| SPRS submission | Required | Still required |
| Annual affirmation | Required (senior official) | Still required |
| 110-practice assessment | Self-scored, NIST methodology | C3PAO-scored, CAP methodology |
| Evidence reviewed by | No one (internal only) | C3PAO assessors |
| Certification result | No formal certificate | Full or conditional L2 certificate |
| POA&M allowed? | Yes (internal, not submitted) | Yes (180-day conditional window) |
| Verification by DoD | DIBCAC spot check possible | C3PAO assessment result in CMMC database |
Under Phase 1, the honesty of your self-assessment is the only safeguard. False certifications carry False Claims Act liability — the DoJ has signaled active enforcement — but the mechanics still rely on contractor self-reporting. Phase 2 replaces that with an adversarial evaluation by a third party whose Cyber AB authorization depends on their assessment accuracy. [dodcio.defense.gov/CMMC/]
Who is in scope for CMMC Level 2?
CMMC Level 2 applies to any organization in the Defense Industrial Base that processes, stores, or transmits Controlled Unclassified Information (CUI) in performance of a DoD contract. The trigger is the CUI handling, not the contract value.
Specifically, if your organization is subject to DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and you handle CUI, you are a CMMC Level 2 candidate. This includes:
- Prime contractors with CUI-handling contract line items
- Subcontractors who receive CUI from primes under flow-down provisions — the prime cannot pass the requirement on and accept weaker security from their supply chain
- Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) who operate within or have privileged access to a contractor's CUI environment
- Cloud service providers that host CUI without FedRAMP Moderate or equivalent authorization
CMMC Level 1 (self-assessment only, no C3PAO) covers contractors handling only Federal Contract Information (FCI) but not CUI. The DoD estimated approximately 77,000 organizations will require some level of CMMC compliance. [89 FR 77190]
The C3PAO bottleneck reality
The structural problem with Phase 2 is capacity. The Cyber AB authorizes C3PAOs through a rigorous certification process, which means the supply of available assessors is finite and grows slowly. Against a DIB of tens of thousands of organizations all facing the same deadline, the math is straightforward: demand will outpace supply as November 2026 approaches. [cyberab.org]
What this means in practice:
- Booking lead time. C3PAOs are already reporting multi-month scheduling queues. (Exact current wait times are unverified; check directly with C3PAOs listed on the Cyber AB marketplace.) Contractors who begin outreach in Q3 2026 will find calendars full through 2027 at many firms.
- Assessment scope drives timeline. A small organization with 30 users and a tightly scoped CUI environment might complete assessment in two to three weeks of active engagement. An enterprise with 500 users, multiple sites, and a complex cloud/on-prem hybrid can take six to eight weeks. Plan accordingly.
- C3PAO quality varies. Not all authorized C3PAOs have the same depth of technical expertise. An assessor who primarily does SOC 2 work will approach your CMMC engagement differently than one who has done ten CMMC assessments. Ask for references and specific CMMC experience before signing an agreement.
- Conditional certification still requires a C3PAO. If you plan to use the 180-day POA&M window to earn a conditional Level 2 cert while closing remaining gaps, you still need a C3PAO assessment first. Conditional cert is not a bypass — it's a post-assessment instrument.
The practical rule: every month you delay booking a C3PAO assessment after today is a month you're betting the queue stays short. It won't.
The realistic 12–18 month certification timeline
From initial scoping to receiving a CMMC Level 2 certificate in hand, contractors typically need 12 to 18 months. Here is what that timeline looks like for an organization starting from a partial NIST 800-171 implementation:
Months 1–2: Scope and baseline
Define your CUI authorization boundary. Every system, service, and person that touches CUI is in scope. Every system that can reach those systems is also in scope unless you segment it out. A tight boundary reduces your assessment surface; a vague boundary guarantees expensive scope creep during the C3PAO engagement. See the CUI Boundary Guide for the documentation approach that survives assessor scrutiny.
Months 2–4: Gap assessment against all 110 practices
Walk every NIST SP 800-171 Rev 2 practice using the DoD Assessment Methodology. Score each as MET, NOT MET, or POA&M. Track the SPRS weighted score as you go — it tells you your aggregate risk posture and identifies where remediation effort buys the most points. Run this against your actual environment, not a hypothetical target state. False self-assessments are False Claims Act territory. Use the SPRS Simulator to model remediation priority.
Months 4–9: Remediation
Close the highest-weight NOT MET practices first. The five-point practices (multi-factor authentication, encryption, audit logging, incident response, system and communications protection) are both the highest-scoring and the most likely to be on the non-deferrable list — meaning they must be MET before conditional certification can be issued. See SPRS Score Explained for the full domain weight breakdown.
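The score tracking described in the gap-assessment step and the "highest weight first" ordering above can be modeled in a few lines. The following is an added example, not code from the original post or from any SPRS tool: it applies the DoD Assessment Methodology's scoring rule (start at 110, subtract the 1-, 3- or 5-point weight of every practice that is NOT MET, including practices parked on a POA&M) and orders remediation by points recovered. The practice identifiers and weights in the sample list are constructed for illustration; real identifiers and weights come from the methodology's annex.

```python
"""SPRS-style weighted score tracker and remediation prioritizer (added example)."""
from dataclasses import dataclass

MAX_SCORE = 110                          # score with every practice MET
VALID_WEIGHTS = (1, 3, 5)                # the three weight classes in the DoD methodology
OPEN_STATUSES = ("NOT MET", "POA&M")     # a practice on a POA&M still loses its points


@dataclass(frozen=True)
class Practice:
    practice_id: str
    weight: int
    status: str   # "MET", "NOT MET" or "POA&M"


def compute_score(practices):
    """Start at 110 and subtract the weight of each NOT MET / POA&M practice."""
    deductions = 0
    for p in practices:
        if p.weight not in VALID_WEIGHTS:
            raise ValueError(f"{p.practice_id}: weight must be one of {VALID_WEIGHTS}")
        if p.status not in ("MET",) + OPEN_STATUSES:
            raise ValueError(f"{p.practice_id}: unknown status {p.status!r}")
        if p.status in OPEN_STATUSES:
            deductions += p.weight
    return MAX_SCORE - deductions


def remediation_plan(practices):
    """Open practices ordered heaviest first, with the score reached after each closure."""
    open_items = sorted((p for p in practices if p.status in OPEN_STATUSES),
                        key=lambda p: (-p.weight, p.practice_id))
    score = compute_score(practices)
    plan = []
    for p in open_items:
        score += p.weight
        plan.append((p.practice_id, p.weight, score))
    return plan


def closures_to_reach(practices, target):
    """Fewest closures (heaviest first) that lift the score to at least `target`."""
    if target > MAX_SCORE:
        raise ValueError(f"target {target} exceeds the maximum score {MAX_SCORE}")
    score = compute_score(practices)
    chosen = []
    for practice_id, _weight, new_score in remediation_plan(practices):
        if score >= target:
            break
        chosen.append(practice_id)
        score = new_score
    return chosen


# Constructed sample data: identifiers and weights are illustrative, not the real table.
SAMPLE_PRACTICES = [
    Practice("AC-01", 5, "MET"),
    Practice("IA-03", 5, "NOT MET"),   # e.g. MFA not enforced
    Practice("SC-11", 5, "POA&M"),     # e.g. encryption gap parked on a POA&M
    Practice("AU-01", 5, "NOT MET"),   # e.g. audit logging not generated
    Practice("IR-01", 5, "MET"),
    Practice("AC-20", 1, "NOT MET"),
    Practice("CM-09", 1, "POA&M"),
    Practice("RA-02", 3, "NOT MET"),
]

if __name__ == "__main__":
    print("current score:", compute_score(SAMPLE_PRACTICES))
    for practice_id, weight, score_after in remediation_plan(SAMPLE_PRACTICES):
        print(f"close {practice_id} (+{weight}) -> {score_after}")
    print("closures needed to reach 100:", closures_to_reach(SAMPLE_PRACTICES, 100))
```

Run it against your own practice list and the plan output tells you which closures move the score most; the greedy ordering by weight is what makes the five-point practices the obvious first targets.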
Compliance-as-code dramatically compresses this phase. When controls are implemented as Terraform modules and validated by OPA policies and Steampipe queries, remediation is a pull request and a pipeline run, not a six-week project with manual screenshots. Evidence is a signed pipeline artifact, not a scheduled screenshot. That difference matters enormously when your C3PAO asks for proof that the control has been consistently MET, not just MET this morning.
Months 9–11: Readiness assessment and evidence collection
Conduct an internal mock assessment before your C3PAO arrives. Walk every practice, collect the evidence artifact you would present to an assessor, and identify remaining gaps. This is when you build your POA&M if you intend to pursue conditional certification. Every POA&M entry needs a specific named owner, dated milestones, allocated resources, and a defined evidence artifact that proves closure. Vague entries ("address MFA gaps") give C3PAOs grounds to reject the POA&M entirely. See the POA&M guide for the entry structure that C3PAOs accept.
Months 10–12: Book and prepare for C3PAO assessment
Do not wait until remediation is complete to contact C3PAOs. Book your assessment slot during the remediation phase — you can always reschedule if you need more time, but you can't manufacture an available slot two weeks before your contract renewal deadline. Confirm the assessment scope, logistics, and evidence format with the C3PAO before their kick-off call. Show up prepared, not reactive.
Months 12–15: C3PAO assessment
The CMMC Assessment Process (CAP) document governs how C3PAOs evaluate each of the 110 practices. Assessors will interview personnel, review documentation, and test technical controls. Evidence gaps discovered during the assessment become POA&M candidates or, if they're on the non-deferrable list, hard blockers. Plan for two to eight weeks depending on scope.
Months 15–18: POA&M closure (if conditional certification)
If you receive conditional Level 2 certification, the 180-day window starts the day the certificate is issued. Every POA&M item must be closed, evidence collected, and C3PAO confirmation received before the window lapses. Miss the window and you restart with a new C3PAO assessment. Treat Day 120 as the real deadline, not Day 180.
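The POA&M entry structure described in the readiness step (named owner, dated milestones, allocated resources, a closure evidence artifact) and the 180-day window with an internal Day 120 target described above can be enforced with a small validator. This is an added example, not code from the original post or from any C3PAO; the field names, the placeholder-owner list and the sample entries are constructed for illustration, and the Day 120 cutoff is the post's own advice rather than a rule requirement.

```python
"""POA&M entry validator for a conditional CMMC Level 2 certificate (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

CONDITIONAL_WINDOW_DAYS = 180   # the 180-day POA&M window for a conditional certificate
INTERNAL_TARGET_DAYS = 120      # the post's advice: treat Day 120 as the real deadline
# Owner values that name a team or nobody instead of an accountable person (constructed list)
PLACEHOLDER_OWNERS = {"", "tbd", "n/a", "it", "security team"}


@dataclass(frozen=True)
class PoamEntry:
    practice_id: str
    weakness: str
    owner: str            # a named person, not a team
    milestones: tuple     # ((description, due_date), ...)
    resources: str        # people, hours or budget allocated
    evidence_artifact: str  # what will prove closure to the C3PAO


def window_dates(cert_issued):
    """Return (internal Day 120 target, Day 180 window end) for a conditional cert."""
    return (cert_issued + timedelta(days=INTERNAL_TARGET_DAYS),
            cert_issued + timedelta(days=CONDITIONAL_WINDOW_DAYS))


def validate_entry(entry, cert_issued):
    """Return 'field: problem' findings; an empty list means the entry is acceptable."""
    target, window_end = window_dates(cert_issued)
    findings = []
    if entry.owner.strip().lower() in PLACEHOLDER_OWNERS:
        findings.append("owner: must name a specific accountable person")
    if not entry.weakness.strip():
        findings.append("weakness: missing description of the gap")
    if not entry.milestones:
        findings.append("milestones: at least one dated milestone is required")
    for description, due in entry.milestones:
        if not isinstance(due, date):
            findings.append(f"milestones: '{description}' has no due date")
        elif due > window_end:
            findings.append(f"milestones: '{description}' due {due} is outside the "
                            f"180-day window ending {window_end}")
        elif due > target:
            findings.append(f"milestones: '{description}' due {due} is after the "
                            f"internal Day 120 target ({target})")
    if not entry.resources.strip():
        findings.append("resources: allocated people, hours or budget not stated")
    if not entry.evidence_artifact.strip():
        findings.append("evidence_artifact: no artifact defined to prove closure")
    return findings


def validate_poam(entries, cert_issued):
    """Map practice_id to findings for every entry that has problems."""
    result = {}
    for entry in entries:
        findings = validate_entry(entry, cert_issued)
        if findings:
            result[entry.practice_id] = findings
    return result


# Constructed sample data: a certificate date and three entries of varying quality.
CERT_ISSUED = date(2026, 12, 1)
GOOD_ENTRY = PoamEntry(
    "IA-03", "MFA not enforced for general users on the CUI file server",
    "J. Smith, IT Lead",
    (("Deploy MFA to pilot group", date(2027, 1, 15)),
     ("Enforce MFA for all CUI users", date(2027, 3, 1))),
    "2 sysadmins, 40 hours, MFA licenses",
    "IdP enforcement policy export plus sign-in log sample")
VAGUE_ENTRY = PoamEntry("AC-20", "address MFA gaps", "TBD", (), "", "")
LATE_ENTRY = PoamEntry(
    "AU-01", "Audit logs not forwarded from CUI hosts", "R. Lee",
    (("Deploy log forwarding to SIEM", date(2027, 5, 15)),),
    "1 engineer, 20 hours", "SIEM ingestion dashboard showing CUI hosts")
SAMPLE_POAM = [GOOD_ENTRY, VAGUE_ENTRY, LATE_ENTRY]

if __name__ == "__main__":
    target, end = window_dates(CERT_ISSUED)
    print(f"internal target {target}, window ends {end}")
    for practice_id, findings in validate_poam(SAMPLE_POAM, CERT_ISSUED).items():
        print(practice_id, "->", "; ".join(findings))
```

The vague entry fails on four fields at once, which is the kind of entry the post says a C3PAO will reject; the late entry is technically inside the window but past the Day 120 target, which is where the margin for C3PAO confirmation disappears.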
What to do right now
Prioritized by impact and time-sensitivity:
- Submit your SPRS score if you haven't. The score doesn't need to be positive — it needs to be submitted. Non-submission signals non-compliance more loudly than a negative score. Log into the Supplier Performance Risk System and submit your current assessment. [sprs.csd.disa.mil]
- Define your CUI boundary in writing. If you don't have a documented system boundary that covers every CUI touchpoint, write one this week. This document is the foundation of every subsequent assessment conversation. C3PAOs review it first.
- Run a gap assessment against all 110 practices. Use the DoD Assessment Methodology (version 1.2.1 or later). Score MET, NOT MET, or POA&M for each practice. If you haven't done this formally, use the Assessment Checklist as a structured starting point.
- Close the non-deferrable practices first. Multi-factor authentication, encryption in transit and at rest, audit log generation, and incident response capability are the practices that must be MET before any C3PAO can issue even a conditional certificate. Everything else can go on a POA&M; these cannot.
- Book a C3PAO assessment now. Visit the Cyber AB marketplace at cyberab.org and contact at least three C3PAOs this week. Ask for available slots in Q3 2026. Expect queues. Book anyway. You can always reschedule forward; you cannot create availability that doesn't exist.
- Move controls to code. For every NOT MET practice, the fastest path to a defensible MET result is an automated check that runs on every commit — not a policy document and a screenshot. Terraform + OPA + Steampipe gives you the continuous evidence trail that transforms a conditional cert into a renewable one.
Not sure where you stand against Phase 2?
We run structured gap assessments against all 110 NIST SP 800-171 Rev 2 practices, scored using the DoD methodology, with a remediation roadmap ordered by Phase 2 deadline impact. If you need an honest picture of your current posture before committing to a C3PAO, start here.
Get your Phase 2 gap assessment →
References
- U.S. Department of Defense. Cybersecurity Maturity Model Certification (CMMC) Program. 32 CFR Part 170, 89 FR 77190 (Oct. 15, 2024). federalregister.gov
- National Institute of Standards and Technology. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST SP 800-171 Rev. 2, February 2020. doi.org/10.6028/NIST.SP.800-171r2
- U.S. Department of Defense. NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1. OUSD(A&S), June 2020. dodcio.defense.gov/CMMC/
- U.S. Department of Defense. CMMC Assessment Process (CAP). Office of the Under Secretary of Defense for Acquisition & Sustainment. dodcio.defense.gov/CMMC/
- The Cyber AB. CMMC Certified Third-Party Assessment Organization (C3PAO) Marketplace. cyberab.org
- Defense Federal Acquisition Regulation Supplement. Safeguarding Covered Defense Information and Cyber Incident Reporting. DFARS 252.204-7012. acquisition.gov