The CMMC Phase 2 deadline is November 10, 2026. On that date, defense contracts that handle Controlled Unclassified Information (CUI) will start requiring third-party CMMC Level 2 certification. If you have been telling yourself self-attestation is enough, the next 180 days end that conversation.
The short answer: The CMMC Phase 2 deadline is November 10, 2026. Small defense contractors handling CUI must obtain a third-party Level 2 certification from an accredited C3PAO (CMMC Third-Party Assessor Organization) by then. The 180-day scheduling window is closing. Most contractors have not started. Start now.
What the CMMC Phase 2 Deadline Changes on November 10, 2026
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of Defense’s (DoD’s) mandatory cybersecurity framework for defense contractors. The Defense Industrial Base (DIB) is the network of private-sector companies that support U.S. military capabilities. If your company touches defense contracts, you are part of the DIB.
The legal mechanism is DFARS clause 252.204-7021, published in the Defense Federal Acquisition Regulation Supplement (DFARS). That clause is the contractual hook. When DoD inserts it into a solicitation, the contractor must meet the specified CMMC level before receiving award.
Per DFARS 252.204-7021, the certification requirement flows down to subcontractors who handle Federal Contract Information (FCI) or CUI. FCI is information provided by or generated for the government under a contract. CUI is a broader category: technical drawings, export-controlled data, law enforcement records, and dozens of other information types that the government designates as sensitive but not classified.
The CMMC program rule is codified at 32 CFR Part 170, published as a final rule in the Federal Register on October 15, 2024. The rule established a four-phase rollout at 32 CFR 170.3(e). Phase 2 is the critical threshold for most small contractors.
| Phase | Effective Date | What It Requires | Who Is Affected |
|---|---|---|---|
| Phase 1 | November 10, 2025 | DFARS 7021 inserted into solicitations; Level 1 self-attestation and Level 2 self-attestation permitted where designated; DoD may require Level 2 C3PAO certification at its discretion | Contractors handling FCI at Level 1; select CUI contracts at Level 2 (self-attest) |
| Phase 2 | November 10, 2026 | Level 2 C3PAO third-party certification required where designated in contract. Level 3 (DIBCAC) becomes available at DoD’s discretion. | Contractors handling CUI on designated contracts |
| Phase 3 | November 10, 2027 | Level 2 C3PAO becomes condition of contract award (extends to option exercises on existing contracts). Level 3 (DIBCAC) becomes mandatory as a condition of award for designated high-sensitivity programs. | All Level 2 CUI contractors; Level 3 contractors with critical programs |
| Phase 4 | November 10, 2028 | Full CMMC implementation; DFARS 7021 in all contracts handling FCI or CUI | Entire defense industrial base |
The dates above come from 32 CFR 170.3(e), which sets each phase to begin one calendar year after the previous. Verify the current phase status against dodcio.defense.gov/CMMC/ before making business decisions; DoD publishes any program updates there first.
Two things to read carefully from the table. First: Level 3 (DIBCAC-conducted) assessments become AVAILABLE in Phase 2, at DoD’s discretion. They become MANDATORY as a condition of contract award in Phase 3. If your work touches high-sensitivity programs, the DoD program office may include a Level 3 requirement in your contract starting November 10, 2026; you will not have until November 10, 2027 to prepare. Second: Phase 3 also extends the Level 2 C3PAO requirement to option exercises on existing contracts. If you hold an option-renewable contract and have not certified by November 10, 2027, the agency cannot exercise your option.
How Small Businesses Know If Phase 2 Applies to Them
Not every defense contractor needs Level 2 certification. The question comes down to three things: what information you handle, what your contract says, and what your prime requires.
Start with the CUI question. Open your contract and look for references to Controlled Unclassified Information, technical data, export-controlled information (ITAR/EAR), or any data labeled under the CUI Registry categories. If your Statement of Work involves engineering drawings, software source code tied to defense systems, manufacturing specs, or sensitive program information, you almost certainly handle CUI.
Next, check the contract for DFARS clause 252.204-7021. If it is there and specifies CMMC Level 2, the requirement applies to you directly. If you do not see it but you are a subcontractor, ask your prime. That clause flows down to every subcontractor who touches CUI in the performance of the work. Your prime is legally required to flow it down. If they have not asked you about your CMMC status yet, that conversation is coming.
The practical reality: if you have cleared personnel, handle technical drawings, work on defense system components, or provide IT services to defense agencies that store CUI on government systems, assume you need Level 2 and proceed accordingly. Getting an assessment and finding out you only needed Level 1 is a much better outcome than losing a contract because you waited.
The SPRS Score Reality
Before scheduling a C3PAO assessment, you need to know where you stand. That means understanding your SPRS score.
SPRS stands for Supplier Performance Risk System. It is the DoD database where contractors self-report their cybersecurity posture score against NIST SP 800-171, the National Institute of Standards and Technology Special Publication that defines the 110 security requirements for protecting CUI. The score follows the DoD NIST SP 800-171 Assessment Methodology: start at 110 points and deduct the weight of each unmet requirement. Weights are 1, 3 or 5 points depending on the requirement's impact, so the score can go well below zero. Only two requirements, multi-factor authentication (3.5.3) and FIPS-validated encryption (3.13.11), earn partial credit (a 3-point rather than a 5-point deduction) when partially implemented; a partial implementation of any other requirement scores as unmet, and an open POA&M item counts as unmet too.
DCMA, the Defense Contract Management Agency, operates DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center. DIBCAC conducts the Medium and High assessments under DFARS 252.204-7020 that check contractor-reported Basic (self-assessment) scores. Those findings have consistently shown that self-reported scores overstate actual posture: assessed contractors typically land substantially below their self-reported numbers, and many go negative once unmet requirements are deducted point by point.
What matters for Phase 2 is that a C3PAO assessment will measure your actual score, not the one you self-reported. If your assessed score is substantially negative, you will not pass. The assessment itself is not the remedy. Getting your score up before the assessment is.
The C3PAO Scheduling Reality
A C3PAO is a CMMC Third-Party Assessor Organization. These are firms accredited by the Cyber AB (the CMMC Accreditation Body) to conduct official CMMC Level 2 assessments. Only an assessment performed by an accredited C3PAO produces the Level 2 (C3PAO) status that DoD accepts under Phase 2.
Here is the bottleneck: the Cyber AB’s accredited C3PAO marketplace listed approximately 97 to 103 accredited C3PAOs as of early 2026 (verify the current count at cyberab.org, as accreditations are added monthly). The 32 CFR 170 Regulatory Impact Analysis projects approximately 80,000 Organizations Seeking Certification (OSCs) across the full rollout through November 2028, of which approximately 76,000 (the ~95% subset handling CUI) will require C3PAO Level 2 assessment. The math is simple and uncomfortable: a queue measured in the tens of thousands of contractors meeting a supply measured in the low hundreds of assessors.
Important framing note: The ~80,000 OSC / ~76,000 C3PAO-assessed figure is the full-implementation projection through November 2028, not a Phase 2-only figure. Demand will phase in as DoD inserts the requirement into successive solicitations. Phase 2 demand will be a subset of the C3PAO-needing population, concentrated on contracts where DoD has designated Level 2 as a condition of award. The cumulative number through Phase 4 is what creates the long-term assessor supply pressure.
Each assessment takes weeks. Scheduling queues at many C3PAOs already run 90 to 120 days out. If you contact a C3PAO in September 2026 hoping for a November certification, you will be told no. The contractors who get certified in November 2026 are the ones who scheduled assessments in the first half of 2026.
Your prime knows this. That email asking when your C3PAO assessment is scheduled is not a courtesy check. It is a subcontract risk management question. Primes who cannot document their supply chain’s CMMC status are exposed.
The 30-Day Move
Do these two things in the next 30 days. Both can happen in parallel.
Run your SPRS gap analysis. Pull NIST SP 800-171 Revision 2 from csrc.nist.gov; that is the revision 32 CFR 170 assesses Level 2 against, even though NIST has since published Revision 3. It contains 110 security requirements across 14 control families. Work through each one and mark it as met, partially met, or not met, remembering that "partially met" only earns credit on 3.5.3 and 3.13.11 and scores as unmet everywhere else. For each gap, note the SPRS point value at risk. Total the deductions. That is your realistic score before a C3PAO walks in.
If you already have a current System Security Plan (SSP) and Plan of Action and Milestones (POA&M), those documents are your gap analysis baseline. If you do not have them, building them IS the gap analysis. An SSP describes how your organization meets each control. A POA&M documents what is not met and the plan to fix it.
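As an added example (not part of the original article, and not a DoD or Cyber AB tool), here is the arithmetic the gap analysis above produces, in Python. It assumes a worksheet in a simple CSV layout of my own choosing (id,weight,status); the weights and the partial-credit rule for 3.5.3 and 3.13.11 come from the DoD NIST SP 800-171 Assessment Methodology, and the conditional-status tests come from 32 CFR 170.21(a)(2). The sample rows are constructed and cover only 13 of the 110 requirements, so the printed score illustrates the scoring rules rather than a real posture.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOTAL_REQUIREMENTS = 110

# DoD Assessment Methodology: only these two 5-point requirements lose 3 points
# instead of 5 when partially implemented (MFA deployed for remote/privileged
# but not all network users; encryption in place but not FIPS-validated).
# A "partial" on any other requirement is scored as not met.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# 32 CFR 170.21(a)(2): conditional Level 2 status needs a score of at least
# 80% (88 of 110), an open POA&M made only of 1-point items (3.13.11 may stay
# open at its 3-point partial value), and none of these six left open.
MIN_CONDITIONAL_SCORE = 88
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5", "3.12.4"}

# Constructed sample worksheet (assumed CSV layout): 13 of the 110 requirements
# with their methodology weights. A real worksheet lists all 110 rows.
SAMPLE_WORKSHEET = """id,weight,status
3.1.1,5,met
3.1.2,5,met
3.1.20,1,not_met
3.1.22,1,met
3.3.1,5,not_met
3.4.1,5,not_met
3.5.3,5,partial
3.5.7,1,not_met
3.8.9,1,not_met
3.10.3,1,met
3.13.1,5,met
3.13.11,5,partial
3.14.2,5,met
"""


@dataclass
class Row:
    req_id: str
    weight: int
    status: str  # met | partial | not_met

    @property
    def deduction(self) -> int:
        """Points this row removes from the 110 starting score."""
        if self.status == "met":
            return 0
        if self.status == "partial" and self.req_id in PARTIAL_CREDIT_DEDUCTION:
            return PARTIAL_CREDIT_DEDUCTION[self.req_id]
        return self.weight  # partial on any other requirement = not met

    @property
    def poam_blocker(self) -> Optional[str]:
        """Why leaving this row open would rule out conditional status."""
        if self.deduction == 0:
            return None
        if self.req_id in NEVER_ON_POAM:
            return "may never be left open on a POA&M"
        if self.req_id == "3.13.11" and self.status == "partial":
            return None
        if self.deduction > 1:
            return f"{self.deduction}-point item; only 1-point items may be open"
        return None


def load_worksheet(text: str) -> List[Row]:
    """Parse the worksheet, rejecting statuses the methodology does not define."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        status = rec["status"].strip().lower()
        if status not in {"met", "partial", "not_met"}:
            raise ValueError(f"{rec['id']}: unknown status {status!r}")
        rows.append(Row(rec["id"].strip(), int(rec["weight"]), status))
    return rows


def sprs_score(rows: List[Row]) -> int:
    """110 minus every deduction; a weak baseline can drive this negative."""
    return TOTAL_REQUIREMENTS - sum(r.deduction for r in rows)


def conditional_eligibility(rows: List[Row]) -> Tuple[bool, List[str]]:
    """Apply the 32 CFR 170.21 tests; return (eligible, reasons it is not)."""
    reasons = []
    score = sprs_score(rows)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below {MIN_CONDITIONAL_SCORE}")
    reasons += [f"{r.req_id}: {r.poam_blocker}" for r in rows if r.poam_blocker]
    return (not reasons, reasons)


def remediation_order(rows: List[Row]) -> List[Tuple[str, int]]:
    """Open items: 32 CFR 170.21 blockers first, then largest deduction first."""
    open_rows = [r for r in rows if r.deduction]
    ordered = sorted(open_rows, key=lambda r: (r.poam_blocker is None, -r.deduction, r.req_id))
    return [(r.req_id, r.deduction) for r in ordered]


if __name__ == "__main__":
    rows = load_worksheet(SAMPLE_WORKSHEET)
    print(f"SPRS score: {sprs_score(rows)}")
    eligible, reasons = conditional_eligibility(rows)
    print(f"Conditional Level 2 possible: {eligible}")
    for why in reasons:
        print(f"  blocker: {why}")
    for req_id, points in remediation_order(rows):
        print(f"  fix {req_id}: +{points}")
```

Run it as-is to see the score (91 for the sample), the four items that rule out conditional status, and the fix-first ordering; swap in your full 110-row worksheet for a real number. The ordering is the 60-day fix list: items that can never sit on a POA&M and the 3- and 5-point items come first, because those decide whether conditional certification is even possible, while the remaining 1-point items can be closed inside the 180-day POA&M window.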
Request quotes from at least three C3PAOs. Go to the Cyber AB marketplace and identify firms. Contact at least three. Ask each one: What is your earliest available assessment slot? What does your scoping process look like? What is your estimated cost range for a company of our size and environment? What do you need from us before the assessment?
Getting three quotes serves two purposes. It gives you pricing reality and scheduling reality. Some C3PAOs specialize in small business assessments and have faster turnaround. You will not know until you ask.
The 60-Day Move
With your gap analysis in hand, focus the next 30 days on control gaps that are both fixable and high-point-value.
The NIST 800-171 control families where small businesses most commonly have recoverable gaps include:
- Access Control (AC): Controlled, monitored remote access paths (3.1.12), least privilege and separation of duties for the accounts that touch CUI, and limits on connections to external systems and on posting CUI to public systems (3.1.20 and 3.1.22, both of which must be fully met rather than placed on a POA&M). Much of this is configuration and policy work a small shop can finish in weeks.
- Configuration Management (CM): Documented baseline configurations (3.4.1) for your IT systems. Most small businesses operate without formal baselines. Creating and documenting them closes multiple controls.
- Identification and Authentication (IA): Multi-factor authentication (3.5.3) for local and network access to privileged accounts and for network access to every other account, especially remote access. This is a 5-point requirement that is technically straightforward to close; rolling MFA out only to remote and privileged users still leaves a 3-point deduction. The rest of the family, password rules, identifier management, and privileged account procedures, is as much policy and procedure as technology.
- Media Protection (MP): Controls around how CUI is stored, transported, and disposed of. Many small businesses have no documented media handling policy.
- System and Communications Protection (SC): Network segmentation separating CUI systems from general business systems. This is where enclave strategy becomes relevant (more on that below).
For every gap you cannot close in 60 days, add it to your POA&M with a realistic completion date, but know the limits 32 CFR 170.21 puts on a Level 2 POA&M. Conditional certification requires an assessed score of at least 88 out of 110; every open item must be a 1-point requirement (3.13.11 FIPS encryption may remain open at its 3-point partial value); six requirements may never be left open (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5, and 3.12.4, the SSP itself); and everything on the POA&M must be closed and verified within 180 days of the conditional status date or the status expires. C3PAOs do not require perfection. They require that you know what you have not met, have a credible plan to close it, and have not claimed you met controls you have not.
A POA&M with 15 open 1-point items and honest timelines is far better than an SSP claiming 110/110 that falls apart under audit. DIBCAC has seen the inflated self-attestation. C3PAOs know what to look for.
The 90-Day Move
By day 90, you should be doing one of two things: scheduling your C3PAO assessment or executing a scope-reduction strategy.
If you are scheduling the assessment: Confirm your slot in writing. Provide the C3PAO with your SSP and POA&M. Ask for their pre-assessment checklist and complete it before their team arrives. Treat the assessment like an audit, because it is one. Have your evidence ready: configuration screenshots, access control logs, training records, policy documents. The assessment team will ask for specific evidence for each control. If you cannot produce it, the control is marked as not met.
If you are pivoting to an enclave strategy: An enclave is a separately secured environment within your overall IT infrastructure where all CUI handling occurs. Instead of certifying your entire company network, you certify only the enclave. This dramatically reduces the scope of the assessment because your assessors only evaluate the systems inside the enclave boundary.
Several managed service providers offer CUI enclave solutions: essentially a pre-built, pre-configured environment that meets NIST 800-171 controls and is hosted in a FedRAMP Authorized cloud. You access it to work with CUI, and you keep your regular business operations separate. The enclave provider handles most of the technical controls. Your assessment scope shrinks to how you access and use the enclave, not your entire IT environment. One caveat from the CMMC Level 2 scoping guidance: the devices you reach the enclave from stay out of scope only if they cannot store or process CUI locally, for example a VDI client locked to keyboard, video, and mouse; a laptop that can download files from the enclave is inside the boundary, and so are the people who use it.
Vendor monthly fees for managed CUI enclave services have been reported in industry benchmarks in the range of $500 to $2,000 per month, varying significantly by user count, included services, and the provider’s FedRAMP authorization level. For a small business with five to 20 employees handling CUI, an enclave may be the most practical path to certification within the Phase 2 timeline. Get current pricing from at least three enclave vendors before committing.
What If the Cost Still Does Not Work
The 32 CFR 170 Regulatory Impact Analysis estimates small-entity assessment costs cluster around a $50,000 median for the assessment-only component, with total three-year compliance costs (assessment plus baseline remediation) projected around $104,670 for small entities starting from a partial baseline. Contractors starting from zero may face higher total costs. The practitioner-reported ranges you will see from vendors, $30,000 to $100,000 for the assessment and $50,000 to $200,000 in total investment before bidding on Phase 2 contracts, are not RIA-anchored figures; use them as directional inputs and verify against current C3PAO quotes for your specific environment.
If the cost genuinely does not work, you have three honest options.
Subcontract through a CMMC-certified prime. Find a prime contractor who already holds Level 2 certification and can put you under their umbrella as a subcontractor on scoped work that does not require you to handle CUI directly. You provide the labor, skills, or products. The prime handles the CUI-touching portions. This is a legal and common arrangement. It keeps you in defense work without bearing the full certification cost.
Pursue FAR-only commercial work. Not all government contracting requires CUI handling. Federal Acquisition Regulation (FAR) contracts for commercial items, professional services, and non-sensitive work do not trigger CMMC. State and local government contracts do not trigger it at all. If your capabilities translate to civilian agency work, that market does not close on November 10, 2026.
Exit defense contracting. This is the option no one wants to say out loud, but it belongs in an honest analysis. If your company’s defense revenue does not justify a $50,000-plus compliance investment, and you cannot structure around it through teaming or scope reduction, exiting the DIB before your certifications lapse is better than losing contracts because you could not meet Phase 2 requirements mid-performance. Plan the transition on your own timeline, not DoD’s.
Whatever you decide, decide now. Every week of delay narrows your options. The contractors who wait until October 2026 to research their path forward will find all three doors significantly harder to open.
Frequently Asked Questions
Does Phase 2 apply to every DoD contract starting November 10, 2026?
No. Phase 2 applies to contracts where DoD has designated CMMC Level 2 as a requirement and inserted DFARS clause 252.204-7021 into the solicitation. Not every defense contract handles CUI. Contracts for commercial off-the-shelf products, services that do not involve sensitive data, and non-CUI work may not require Level 2 certification. Read your contract clause by clause.
Can I still self-attest for CMMC Level 2 after Phase 2 begins?
No, not for contracts designated as requiring third-party assessment. During Phase 1, some Level 2 contracts permitted self-attestation. Phase 2 removes that option for designated contracts. Where DFARS 7021 specifies a C3PAO assessment, only a C3PAO-issued certification is accepted. Self-attestation remains valid for Level 1 contracts under 32 CFR 170.15, which requires the OSA (Organization Seeking Assessment; 32 CFR 170 uses OSA for any organization being assessed at any level, and OSC, Organization Seeking Certification, for the subset pursuing a C3PAO or DIBCAC certification) to conduct an annual self-assessment and submit results in SPRS.
When does Level 3 (DIBCAC) certification become required?
Level 3 (DIBCAC) assessments become AVAILABLE during Phase 2 (November 10, 2026), at DoD’s discretion. DoD may include a Level 3 requirement in solicitations for high-sensitivity programs starting on that date. Level 3 becomes MANDATORY as a condition of contract award during Phase 3 (November 10, 2027). If your work touches programs with elevated CUI sensitivity, do not assume you have until 2027 to prepare for Level 3; the requirement can appear in a Phase 2 solicitation.
What is an OSCAL system security plan and do I need one?
OSCAL stands for Open Security Controls Assessment Language. It is a machine-readable format for security documentation developed by NIST. Some C3PAOs and contracting systems accept or require SSPs in OSCAL format. Check with your specific C3PAO before your assessment. Most small business assessors accept human-readable SSPs in Word or PDF format, but OSCAL compatibility is becoming more common as the program matures.
My prime has not mentioned CMMC at all. Should I bring it up?
Yes. Your prime is required under DFARS 7021 to flow the certification requirement down to subcontractors who handle CUI. If they have not asked about your status, either they do not know they are required to, or they have not started their own CMMC process. Either situation puts your subcontract at risk. Bring it up now. Asking your prime what CMMC level this work requires of subcontractors is a professional and necessary question.
How long does a CMMC Level 2 certification last?
Three years per 32 CFR 170.17(a)(1). After your initial C3PAO assessment produces a certification, it is valid for three years from the CMMC Status Date provided you maintain your security posture. You must conduct annual affirmations under 32 CFR 170.22 confirming your continued compliance. A significant change in your IT environment, a breach, or a material change in how you handle CUI may trigger an earlier reassessment requirement.
What happens if my company cannot get certified before a Phase 2 contract award?
You cannot receive award on a contract requiring Level 2 certification without holding that certification. There is no grace period after Phase 2 begins. The requirement attaches to new solicitations and awards that carry DFARS 7021 with a Level 2 C3PAO designation; contracts awarded before Phase 2 keep running under their existing terms. Phase 3 then extends the Level 2 requirement to option exercises on existing contracts; if you are up for a contract option renewal after November 10, 2027, talk to your contracting officer and your prime now about the timeline.
Where does my SPRS score need to be before a C3PAO assessment?
There is no formal minimum SPRS score required to begin a C3PAO assessment. However, a significantly negative score signals that you have major control gaps. C3PAOs assess your actual posture, not your self-reported score. Going into an assessment with large gaps and no remediation plan is expensive: you will pay for the assessment and likely need to remediate and reschedule. Close the highest-value gaps first.
Next Steps
The 180 days between now and November 10, 2026 are enough time to get certified if you start this week. They are not enough time if you start in August.
For a foundation-level review of the CMMC certification process for small businesses, start with CMMC Certification for Small Businesses. That article covers the certification structure, level definitions, and the overall program framework that Phase 2 is built on.
If you are a defense contractor with government billing questions or need to set up a cost accounting system that satisfies both DCAA and your prime’s requirements, DCAA-Compliant Accounting Systems for Small Businesses covers what your books need to look like before your first audit.
The clock is running. Get your gap analysis started this week.