CMMC Phase 2 November 2026 Deadline: What DoD Contractors Must Do Right Now
CMMC Phase 2 enforcement begins November 10, 2026, one year after the DFARS rule that made CMMC a contract requirement (DFARS 252.204-7021) took effect on November 10, 2025 and started Phase 1. From that date, new DoD solicitations and option exercises that specify CMMC Level 2 (C3PAO) will require the contractor to hold a current Level 2 certification based on an assessment by an authorized C3PAO (CMMC Third-Party Assessment Organization). Contractors without it cannot be awarded those contracts or have the affected options exercised.
The supply problem is acute: approximately 80,000 contractors need Level 2 certification, but only around 80 authorized C3PAOs exist to conduct assessments. Each assessment takes several weeks of calendar time, and most C3PAOs have backlogs extending into late 2026. If you have not booked an assessment, the window to achieve certification before November 10, 2026 is closing rapidly for organizations with significant remediation work ahead.
CMMC 2.0 Structure: Which Level Applies to You
CMMC 2.0 has three levels. Determining which applies to your contracts is the first step before any remediation work.
Level 1 (Foundational): 15 practices, annual self-assessment. Applies to contractors handling only Federal Contract Information (FCI), not Controlled Unclassified Information (CUI). The 15 practices are the basic safeguarding requirements of FAR 52.204-21 (CMMC 1.0 counted them as 17). Annual self-assessment with results and an affirmation entered in SPRS. No third-party certification required.
Level 2 (Advanced): 110 practices, third-party assessment. Applies to contractors handling CUI on contracts carrying DFARS 252.204-7012. The 110 practices are the NIST SP 800-171 Rev 2 security requirements, one for one. For Level 2 (C3PAO), an authorized C3PAO assesses every three years, with an annual affirmation in between. A smaller set of contracts specify Level 2 (Self), a triennial self-assessment against the same 110 requirements; the solicitation states which variant applies. This is the level affecting the vast majority of the roughly 80,000 contractors in scope.
Level 3 (Expert): 134 practices, government-led assessment. Applies to contractors on the most sensitive DoD programs. Requirements are the 110 Level 2 practices plus 24 selected from NIST SP 800-172, and a Level 3 assessment presupposes a current Level 2 (C3PAO) certification. Assessments are conducted by DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center, part of the Defense Contract Management Agency), not by DCSA. Affects a small subset of contractors.
How to determine your level:
- Check your existing contracts for DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): this clause has required NIST SP 800-171 implementation for covered defense information since 2017, and its presence means you are almost certainly in Level 2 scope. Also look for DFARS 252.204-7021, the clause that states the CMMC level and assessment type for the contract
- Look for explicit CMMC requirements in contract solicitations (Section L or Section M in RFPs)
- Review your System Security Plan (SSP) to identify whether your systems handle CUI
- Consult with your Contracting Officer if uncertain about your CUI scope
Note on CUI scope creep: Organizations frequently discover they handle more CUI than they thought during SSP development. CUI is unclassified by definition; it includes technical drawings, contract performance data, export-controlled information, and many other categories that are easy to overlook because they look like ordinary business documents. The CUI Registry maintained by NARA (archives.gov/cui) is the authoritative list of categories.
The 110 NIST SP 800-171 Controls: Common Gap Areas
CMMC Level 2 requires implementing all 110 security requirements from NIST SP 800-171 Rev 2, organized across 14 control families. A full gap assessment against all 110 is required before booking a C3PAO assessment. These are the families where most contractors have significant gaps:
Access Control (AC): 22 requirements. Most common gaps: insufficient separation of duties for CUI access, no documented access control policy, no multi-factor authentication for remote access, and overly broad CUI access rights (everyone in a share rather than a need-to-know group). Mobile device management for remote access is frequently incomplete.
Audit and Accountability (AU): 9 requirements. Common gaps: audit logs not capturing the event types the organization itself defined as needed for accountability (failed logons, privileged actions, access to CUI), retention too short to support an investigation (800-171 sets no number; 90 days is a common defensible baseline, and the SSP must state whatever you chose), no regular log review with a record of who reviewed what, and no protection of logs against tampering (AU.L2-3.3.8), for example forwarding to a collector that local administrators cannot alter.
Configuration Management (CM): 9 requirements. Gaps: no documented baseline configurations, no security impact analysis before configuration changes, and unauthorized software (shadow IT) not controlled by allow-listing or deny-listing.
Identification and Authentication (IA): 11 requirements. Most common critical gap: MFA (IA.L2-3.5.3) not in place everywhere the requirement reaches, which is local and network access for privileged accounts and network access for all other accounts; administrators' local logons to servers, hypervisors and management consoles are the usual miss. Password rules are frequently not enforced by technical controls: Rev 2 requires complexity and a reuse prohibition (3.5.7, 3.5.8) and an immediate change of temporary passwords (3.5.9), but no fixed rotation interval.
Incident Response (IR): 3 requirements. Gaps: no documented incident response plan (IR.L2-3.6.1), incidents not tracked and reported to the right internal and external parties (3.6.2), no testing of the IR capability such as a tabletop exercise (3.6.3), and no process for the separate DFARS 252.204-7012 obligation to report cyber incidents to DoD through DIBNet within 72 hours of discovery. Submitting that report requires a DoD-approved medium assurance certificate, which takes time to obtain; get it before you need it.
System and Communications Protection (SC): 16 requirements. Gaps: CUI not encrypted in transit or at rest, encryption present but not using FIPS-validated cryptographic modules (SC.L2-3.13.11, a 5-point requirement that is failed far more often than contractors expect), no network segmentation separating CUI systems from general IT, and no controls on the use of external systems for CUI.
System and Information Integrity (SI): 7 requirements. Gaps: no formal flaw remediation process with documented timelines (SI.L1-3.14.1), and malicious code protection missing or with coverage gaps for Linux and macOS hosts in Windows-centric environments. Vulnerability scanning and remediation themselves sit in the Risk Assessment family (RA.L2-3.11.2, 3.11.3) and are commonly missed for the same non-Windows hosts.
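The audit-logging gaps above (required event types not captured, retention too short, no review) are easy to check mechanically before an assessor does it by hand. The following script is an added example and is not code from the original article or from any CMMC body. It parses constructed syslog-style lines, classifies them into the three event types an assessor will ask about under AU.L2-3.3.1, reports which hosts are missing any of them, and checks whether the oldest retained line is old enough to satisfy the organization's own retention target. The log lines, host names and the 90-day retention value are constructed for illustration; the regular expressions assume a collector that normalizes lines to "timestamp host message" and must be adapted to your own SIEM format.

```python
"""Audit log coverage and retention check (added example, constructed data).

Classifies normalized log lines into the event types an assessor asks for
under AU.L2-3.3.1 and reports per-host gaps plus the retention window.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Event types to evidence. Patterns match the constructed lines below;
# adapt them to your collector's actual output format (assumption).
REQUIRED_EVENTS = {
    "failed_logon": re.compile(r"sshd\[\d+\]: Failed password for"),
    "privileged_action": re.compile(r"sudo: .*COMMAND="),
    "cui_access": re.compile(r'audit: .*key="cui"'),
}

# Assumed normalized shape: "<ISO-8601 timestamp> <host> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, host, message) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, m.group("host"), m.group("msg")


def classify(msg):
    """Return the list of required event types this message evidences."""
    return [name for name, rx in REQUIRED_EVENTS.items() if rx.search(msg)]


def coverage_report(lines, retention_days, as_of):
    """Per-host missing event types, oldest retained line, retention verdict."""
    seen = defaultdict(set)
    oldest = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        seen[host].update(classify(msg))  # creates the host entry even if empty
        oldest = ts if oldest is None or ts < oldest else oldest
    missing = {h: sorted(set(REQUIRED_EVENTS) - ev) for h, ev in seen.items()}
    retention_met = oldest is not None and (as_of - oldest).days >= retention_days
    return {"missing": missing, "oldest": oldest, "retention_met": retention_met}


# Constructed sample: two hosts, one of which never logs CUI file access.
SAMPLE_LOGS = [
    "2026-05-01T08:00:00Z fs01 sshd[2211]: Failed password for bob from 10.1.4.9 port 51022 ssh2",
    "2026-05-01T08:05:12Z fs01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart smbd",
    '2026-05-02T09:10:44Z fs01 audit: type=PATH name="/srv/cui/drawing-0042.pdf" key="cui"',
    "2026-07-28T14:22:05Z eng02 sshd[4410]: Failed password for root from 10.1.4.20 port 40012 ssh2",
    "2026-07-28T14:30:00Z eng02 sudo: carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt-get upgrade",
]
AS_OF = datetime(2026, 8, 1, tzinfo=timezone.utc)   # constructed review date
RETENTION_DAYS = 90                                  # organization's own target (assumption)

if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOGS, RETENTION_DAYS, AS_OF)
    for host, gaps in sorted(report["missing"].items()):
        print(f"{host}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
    print(f"oldest retained line: {report['oldest']:%Y-%m-%d}, "
          f"retention target met: {report['retention_met']}")
```

Run it against an export from your collector rather than the sample, and keep the output with the date it was produced: a dated coverage report plus the collector's retention configuration is exactly the kind of artifact an assessor wants for AU.L2-3.3.1 and 3.3.8. In the sample, eng02 is flagged because no CUI-access audit record was ever produced there, which usually means the file-access audit rule was never deployed to that host rather than that nobody touched CUI.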
Finding and Booking a C3PAO Before November 2026
The C3PAO capacity constraint is the most urgent practical problem for contractors who have not yet started. Here is how to navigate it.
Step 1: Confirm C3PAO authorization status
Only organizations authorized by the Cyber AB (the CMMC accreditation body) can conduct CMMC Level 2 certification assessments. The authorized list is the Cyber AB Marketplace at cyberab.org/Marketplace. Verify that any C3PAO you are considering is listed there with "Authorized" status, not "Candidate": candidates cannot issue a certification. Several companies market CMMC assessment services without Cyber AB authorization, and their results are not recognized by DoD.
Step 2: Understand what C3PAOs are actually booking
Most C3PAOs are currently booking assessments for Q3-Q4 2026. As of mid-2026, late-2026 slots are becoming scarce. Expect assessment timelines of 4-8 weeks for a typical contractor with 50-500 employees, plus 2-4 weeks for report generation and scoring. If you need a certification letter before November 10, 2026, and your assessment has not started by mid-September 2026 at the latest, your timeline is extremely tight.
Step 3: Complete your SPRS score submission
DFARS 252.204-7019 already requires contractors on 7012 contracts to hold a current (within three years) NIST SP 800-171 Basic self-assessment score in the DoD Supplier Performance Risk System (SPRS). That score is your self-assessed posture, and the C3PAO will expect your SSP, your SPRS score and what it finds on the ground to be consistent: an SPRS entry of 110 and an assessment that finds 70 invites hard questions about the affirmation your executive signed. Ensure the SSP and SPRS submission are complete and accurate before engaging a C3PAO.
Step 4: Get a pre-assessment readiness review
Most C3PAOs offer a pre-assessment readiness review (sometimes called a 'mock assessment' or 'gap analysis') that identifies deficiencies before the formal assessment. This is strongly recommended: the formal assessment result is submitted to DoD, and a poor result creates a remediation burden and potential contract impact. The readiness review is not submitted to DoD and gives you a remediation roadmap before the official assessment. One caveat: ask how the review is structured with respect to conflict-of-interest rules, because an organization that advises you on remediation cannot also be the one that certifies you, so a consultative readiness review and the certification assessment may have to come from different organizations.
Typical C3PAO Assessment Timeline
Kickoff and document review (1-2 weeks), on-site or remote technical assessment (1-2 weeks of active assessment days), evidence collection and gap identification (1 week), report drafting and contractor review (2-3 weeks), final results entered into CMMC eMASS, which feeds SPRS (1 week). Total elapsed time from kickoff to certificate: 6-10 weeks for a typical mid-size contractor, assuming no findings that require a POA&M closeout assessment afterwards.
Cost Range for Level 2 Assessments
C3PAO assessment costs vary significantly based on contractor size, complexity of the CUI environment, and the specific C3PAO. Typical ranges: $50,000-$150,000 for small contractors (under 100 employees), $100,000-$300,000 for mid-size (100-500 employees). Costs are higher for contractors with complex IT environments, multiple locations, or significant cloud infrastructure. Get quotes from multiple C3PAOs and clarify what is included (travel, report generation, scoring activities).
Your Remediation Roadmap: What to Fix Before the Assessment
The practical remediation sequence for a contractor with significant gaps follows a logical dependency order. Do not try to fix everything simultaneously: prioritize by assessment impact and implementation dependency.
Priority 1: Multi-Factor Authentication (Week 1-4)
MFA is required for local and network access to privileged accounts and for network access to non-privileged accounts on in-scope systems (IA.L2-3.5.3). This is one of the most commonly failed requirements and one of the highest-impact: it carries 5 points in the scoring methodology and cannot be placed on a POA&M. Deploy MFA for all remote access, VPN, email, administrative consoles and any cloud services handling CUI. Microsoft 365 MFA (via Entra ID) and Duo Security are common implementations. Do not wait to deploy MFA: it is a prerequisite for passing several IA and AC requirements.
Priority 2: System Security Plan (SSP) Documentation (Week 2-6)
Every CMMC Level 2 requirement must be documented in your SSP: what the requirement is, how you meet it, and evidence that demonstrates compliance. The SSP is the central artifact of your assessment: assessors review it first and use it to guide technical testing. Use the NIST SP 800-171A assessment objectives as the template for your SSP sections. CMMC assessors are required to use 800-171A to evaluate each practice.
Priority 3: CUI Enclave Boundary Definition (Week 2-8)
Define the boundary of your CUI environment: which systems process, store, or transmit CUI, and which ones protect them. The assessment scope is defined by this boundary using the asset categories in the CMMC Level 2 scoping guidance: CUI assets, security protection assets (the SIEM, identity provider, MFA service and similar), contractor risk managed assets, specialized assets, and out-of-scope assets. Organizations with CUI spread across all systems face far larger assessment scope and remediation cost than those that have defined a bounded CUI enclave. If possible, restrict CUI to a defined set of systems (the 'CUI enclave') before the assessment to reduce scope, and remember that the enclave's supporting security tooling comes into scope with it.
Priority 4: Patch Management and Vulnerability Scanning (Week 4-8)
All systems in scope require vulnerability scanning and remediation (RA.L2-3.11.2, 3.11.3) and flaw remediation within defined timeframes (SI.L1-3.14.1). Implement authenticated vulnerability scanning (not just unauthenticated network scans) for all in-scope systems, including Linux and macOS hosts. Document your remediation SLAs: Critical within 30 days and High within 90 days is a common defensible posture, and whatever you choose must appear in your SSP and be matched by the evidence. Scanner results before and after patching, dated, must be available for assessors.
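The SLA evidence just described is simplest to produce from the scanner's own exports. The script below is an added example, not code from the original article or from any scanner vendor: it takes a list of findings (host, scanner finding id, severity, first-seen date, fixed date if any), measures each against the remediation SLA, and summarises closed-in-SLA, closed-late, open-in-SLA and overdue counts. The findings, hosts, finding ids and dates are constructed for illustration; the Critical and High SLA values mirror the sample posture above, and the Medium and Low values are assumptions you should replace with your own SSP numbers.

```python
"""Remediation SLA evidence from scanner findings (added example, constructed data).

Supports SI.L1-3.14.1 and RA.L2-3.11.2/3.11.3 evidence by measuring each
finding's age against a documented SLA and listing what is overdue.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Days allowed from first detection to remediation. Critical/High mirror the
# article's sample posture; Medium/Low are placeholder assumptions.
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}


@dataclass
class Finding:
    host: str
    finding_id: str              # scanner's own id; constructed values below
    severity: str                # critical / high / medium / low
    first_seen: date             # first authenticated-scan detection
    fixed_on: Optional[date] = None   # date a rescan no longer reported it


def evaluate(finding, as_of):
    """Return (days_open, status); status is one of
    closed_in_sla, closed_late, open_in_sla, overdue."""
    sev = finding.severity.lower()
    if sev not in SLA_DAYS:
        raise ValueError(f"no SLA defined for severity {finding.severity!r}")
    limit = SLA_DAYS[sev]
    end = finding.fixed_on or as_of          # open findings age until the report date
    days_open = (end - finding.first_seen).days
    if finding.fixed_on is not None:
        return days_open, ("closed_in_sla" if days_open <= limit else "closed_late")
    return days_open, ("open_in_sla" if days_open <= limit else "overdue")


def sla_report(findings, as_of):
    """Counts per status, the overdue list, and the share of closures that met SLA."""
    counts = {"closed_in_sla": 0, "closed_late": 0, "open_in_sla": 0, "overdue": 0}
    overdue = []
    for f in findings:
        days, status = evaluate(f, as_of)
        counts[status] += 1
        if status == "overdue":
            overdue.append((f.host, f.finding_id, f.severity, days))
    closed = counts["closed_in_sla"] + counts["closed_late"]
    pct = 100.0 * counts["closed_in_sla"] / closed if closed else 0.0
    return {"counts": counts, "overdue": overdue, "closed_in_sla_pct": round(pct, 1)}


# Constructed sample findings; ids are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("fs01", "F-1001", "critical", date(2026, 6, 1), date(2026, 6, 20)),   # 19 days, in SLA
    Finding("fs01", "F-1002", "high", date(2026, 3, 1), date(2026, 7, 1)),        # 122 days, late
    Finding("eng02", "F-1003", "critical", date(2026, 7, 10)),                    # open 22 days at AS_OF
    Finding("eng02", "F-1004", "high", date(2026, 4, 1)),                         # open 122 days, overdue
]
AS_OF = date(2026, 8, 1)   # constructed report date

if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, AS_OF)
    print("status counts:", report["counts"])
    print(f"closures within SLA: {report['closed_in_sla_pct']}%")
    for host, fid, sev, days in report["overdue"]:
        print(f"OVERDUE {host} {fid} ({sev}) open {days} days, limit {SLA_DAYS[sev]}")
```

Feed it the scanner's CSV export instead of the sample and run it monthly; the dated outputs form a trend that shows an assessor the process actually operates, and the overdue list is the input to the exception records your SSP should say you keep when an SLA is missed. Note that the "closed" date comes from a rescan that no longer reports the finding, not from a ticket being marked done, which is the distinction assessors probe.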
Priority 5: Incident Response Plan and Testing (Week 6-10)
An incident response plan is required (IR.L2-3.6.1), incidents must be tracked, documented and reported to designated officials and authorities (IR.L2-3.6.2), and the IR capability must be tested (IR.L2-3.6.3); testing is a Level 2 requirement, not a Level 3 extra, so a documented tabletop exercise is needed to pass. The plan must cover detection, containment, eradication, recovery, and notification procedures specific to CUI incidents, including the DFARS 252.204-7012 obligation to report to DoD through the DIBNet portal within 72 hours of discovery and to preserve affected images and logs for 90 days after the report.
What Happens If You Miss the November 2026 Deadline
CMMC certification is a contract requirement, not a voluntary program. The consequences of non-compliance depend on how the CMMC requirement appears in your specific contracts.
For new contracts and renewals (post-November 10, 2026): Solicitations will include CMMC certification requirements in Section L (Instructions to Offerors) or Section M (Evaluation Factors). Contractors without certification cannot submit compliant proposals for contracts requiring CMMC Level 2. Proposals will be rejected.
For existing contracts: If your current contract includes a CMMC requirement with a phased-in date, failure to meet that date puts you in violation of contract terms, which can lead to cure notices, stop-work orders, and ultimately termination for cause. Review your existing contracts for CMMC clauses and their effective dates.
Plan of Action and Milestones (POA&M): CMMC allows limited use of POA&Ms for requirements that cannot be immediately implemented, under strict constraints. The assessment must still score at least 88 of 110, only 1-point requirements may be placed on the POA&M (with a narrow exception for SC.L2-3.13.11 where encryption is in place but not FIPS-validated), and the highest-weighted requirements such as MFA (IA.L2-3.5.3) and audit logging (AU.L2-3.3.1) cannot be deferred at all. When those conditions are met the C3PAO issues a Conditional Level 2 (C3PAO) status; every POA&M item must then be closed and verified by a C3PAO closeout assessment within 180 days, or the conditional status expires.
The practical advice: If you cannot achieve full Level 2 certification by November 2026, focus on the requirements with the highest assessment failure risk (MFA, audit logging, CUI boundary definition) and document your POA&M for remaining gaps. A conditional certification with documented POA&Ms is better than a failed assessment or no assessment at all.
The bottom line
CMMC Phase 2 enforcement on November 10, 2026 is not a soft deadline. It is a contractual requirement that gates your ability to win and retain DoD contracts. The practical urgency is driven by C3PAO capacity: roughly 80 authorized C3PAOs for roughly 80,000 contractors means the window to get scheduled before the deadline is already narrow. If you have not started, take three actions this week: verify whether your contracts require CMMC Level 2 (check for DFARS 252.204-7012 and 252.204-7021), conduct a gap assessment against NIST SP 800-171 Rev 2 using the 800-171A assessment objectives to understand your remediation scope, and contact at least three authorized C3PAOs for availability and quotes. Organizations that move now can realistically achieve certification; those waiting another quarter face a serious risk of missing the enforcement date.
Frequently asked questions
What is CMMC Phase 2 and what does it require?
CMMC (Cybersecurity Maturity Model Certification) Phase 2 enforcement begins November 10, 2026. It requires DoD contractors handling Controlled Unclassified Information (CUI) to obtain a CMMC Level 2 certification from an authorized third-party assessment organization (C3PAO). Level 2 requires implementing all 110 security requirements from NIST SP 800-171 Rev 2. The certification is valid for three years and must be renewed. Phase 2 is significant because it makes third-party certification a mandatory contract requirement, not just a self-assessment affirmation.
How do I know if my company needs CMMC Level 2 certification?
CMMC Level 2 applies to contractors that handle Controlled Unclassified Information (CUI) in DoD contracts. Indicators that you are in scope: your contracts include DFARS clause 252.204-7012 (Safeguarding Covered Defense Information), your work involves technical specifications, export-controlled data, controlled research, or other information marked as CUI, or new solicitations you are pursuing include explicit CMMC requirements in Section L or M. If uncertain, review the CUI Registry at archives.gov/cui for the full list of CUI categories, and consult with your Contracting Officer or a CMMC consultant to assess your specific contract scope.
What is a C3PAO and how do I find an authorized one?
A C3PAO (CMMC Third-Party Assessment Organization) is an organization authorized by the Cyber AB (the CMMC accreditation body) to conduct official CMMC Level 2 certification assessments. Only C3PAOs listed with "Authorized" status in the Cyber AB Marketplace (cyberab.org/Marketplace) can conduct assessments that result in a valid CMMC certification. Beware of companies offering CMMC assessment services without Cyber AB authorization: their assessments are not recognized by DoD. When evaluating C3PAOs, consider their experience with organizations of similar size and industry, availability for your needed timeline, and references from previous assessment clients.
Can my company pass CMMC Level 2 with a Plan of Action and Milestones (POA&M) for missing requirements?
Yes, with significant caveats. CMMC 2.0 allows a Conditional Level 2 (C3PAO) status with open POA&Ms, but only if the assessment scores at least 88 of 110, and only 1-point requirements may be deferred (with a narrow exception for encryption that is in place but not FIPS-validated). The 5-point and 3-point requirements, including MFA for CUI system access and core audit logging, cannot be POA&M'd. All open items must be closed and verified by a C3PAO closeout assessment within 180 days of the conditional status, and some contracting officers will scrutinize a conditional status. The best approach is to close as many gaps as possible before the assessment, use POA&Ms only for genuinely complex remediation items that cannot be completed in time, and have concrete implementation plans with dates for each open item.
What does a CMMC Level 2 assessment actually involve?
A CMMC Level 2 assessment follows the NIST SP 800-171A assessment procedures, using the examine, interview and test methods for each requirement. The C3PAO team reviews your System Security Plan (SSP) and related policies and procedures, interviews personnel responsible for security controls, tests technical controls (vulnerability scanning, access control verification, log review demonstrations, incident response plan walkthrough), and validates evidence of implementation for all 110 practices. Assessments typically run 5-15 assessment days depending on organization size and complexity. Evidence artifacts (screenshots, configuration exports, policies, training records) must be prepared in advance. The final results are entered into CMMC eMASS and become part of your SPRS record visible to contracting officers.
What is the SPRS score and how does it relate to CMMC?
SPRS (Supplier Performance Risk System) is DoD's contractor risk management portal. Contractors handling CUI are required to submit a self-assessment score for their NIST SP 800-171 compliance, ranging from -203 (no requirements met) to 110 (all requirements met). The SPRS self-assessment score is NOT a CMMC certification: it is a self-reported affirmation currently required under DFARS 252.204-7019. After CMMC Phase 2 enforcement, C3PAO assessment results will also be recorded in SPRS, and contracting officers can see both self-assessment scores and certification status. Ensure your current SPRS score is accurate and up to date: a false self-assessment score can expose your company to False Claims Act liability.
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 covers the 15 basic safeguarding requirements of FAR clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). It applies to contractors handling Federal Contract Information (FCI) but NOT CUI. Level 1 uses an annual self-assessment and affirmation with no third-party certification requirement. CMMC Level 2 covers all 110 NIST SP 800-171 Rev 2 requirements and applies to contractors handling CUI. Level 2 (C3PAO) requires third-party assessment by an authorized C3PAO every three years, with annual affirmations in between. The practical difference for most defense contractors: if you handle technical drawings, contract specifications, research data, or other CUI categories in your DoD work, you need Level 2, not Level 1.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.