Background

What Is CMMC Phase 2?

CMMC — the Cybersecurity Maturity Model Certification — is the DoD's mandatory framework for defense industrial base (DIB) cybersecurity. It replaces the honor-system self-attestation model with independently verified certification, enforced through DFARS contract clauses.

Phase 1 began on November 10, 2025, when the CMMC DFARS clause took effect. During Phase 1, solicitations require either a Level 1 self-assessment (the 15 basic safeguarding requirements of FAR 52.204-21, affirmed annually in SPRS) or a Level 2 self-assessment. Level 1 never involves a third-party assessor.

Phase 2 (beginning November 10, 2026) is when DoD starts requiring Level 2 certification assessments in solicitations. Level 2 covers the full 110 security requirements of NIST SP 800-171 Rev 2, grouped into 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

Level 2 certification assessments are performed by an authorized C3PAO, a third-party assessor accredited by the Cyber Accreditation Body (Cyber AB). A Level 2 self-assessment is permitted only where the solicitation specifies Level 2 (Self); DoD expects most contracts involving CUI to specify Level 2 (C3PAO), for which self-attestation is not accepted. Certificates are valid for 3 years, with an annual affirmation of continued compliance in SPRS, after which a full reassessment is required.

The proposed CMMC program rule was published in the Federal Register on December 26, 2023; the final program rule (32 CFR Part 170) was published on October 15, 2024 and took effect December 16, 2024 (source: dodcio.defense.gov). The DFARS rule that puts CMMC into contracts took effect November 10, 2025, starting Phase 1. Phase 2 begins November 10, 2026, one year after the start of Phase 1. VERIFIED

Scope

Who Is Affected?

CMMC Level 2 applies to any company in the Defense Industrial Base (DIB) that processes, stores, or transmits Controlled Unclassified Information (CUI) under a DoD contract. This includes prime contractors and their subcontractors — there are no small-business exemptions.

You are almost certainly in scope if your contract includes DFARS 252.204-7012 (Safeguarding Covered Defense Information) or DFARS 252.204-7021 (CMMC requirement). If unsure, search your contract for the word "CUI" or ask your contracting officer.

Prime contractors: Any prime with DFARS 252.204-7012 or 7021 in the contract
Subcontractors: Any sub that receives, processes, or stores CUI on behalf of a prime
IT/MSP providers: Managed service providers who touch CUI systems must comply too
Cloud/SaaS vendors: Any cloud provider handling DoD CUI needs FedRAMP Moderate (or equivalent) authorization
Research institutions: Universities and labs with DoD research contracts involving CUI
Small businesses: No exemptions for size; CMMC is contract-specific, not company-size-specific

HowTo Checklist

The 7 Things to Do Before November 10, 2026

In order of urgency. Steps 4–5 are time-critical — C3PAO availability is the longest pole in the tent.

  1. Determine if CMMC Level 2 applies to you
    Review your contracts for DFARS 252.204-7012 and 252.204-7021 clauses. Audit whether you receive, process, store, or transmit CUI. If yes, you're in scope. If you haven't already, start the NIST SP 800-171 self-assessment that produces your SPRS score. VERIFIED
  2. Run a NIST SP 800-171 self-assessment
    Score yourself against all 110 controls across 14 domains. Document your findings in a System Security Plan (SSP). Record gaps and remediation timelines in a Plan of Action & Milestones (POA&M). This baseline drives everything downstream. AI-GENERATED
  3. Submit your SPRS score
    Upload your self-assessment score to the Supplier Performance Risk System at sprs.apps.mil. A current SPRS score is required before any new DoD contract award under DFARS 252.204-7019. Scores range from −203 (all controls failed) to +110 (full compliance). VERIFIED
  4. Close your highest-priority gaps first
    Focus on the requirements that most commonly fail assessments: multi-factor authentication (3.5.3), FIPS-validated encryption of CUI in transit and at rest (3.13.8, 3.13.11, 3.13.16), audit logging (3.3.x), incident response (3.6.x), and system access controls (3.1.x). Many of these are 5-point requirements under the DoD scoring methodology, so they also move your SPRS score the most and cannot be deferred to a POA&M at assessment time. Fix these before anything else. AI-GENERATED
  5. ⚠ Select and book a C3PAO — do this now
    Only Cyber AB-authorized C3PAOs can conduct CMMC Level 2 assessments. Assessment slots are booking 3–6 months out as of April 2026. Book by June 2026 at the latest to guarantee certification before November 10. Find authorized assessors at cyberab.org/marketplace. AI-GENERATED
  6. Complete your formal C3PAO assessment
    The assessment involves reviewing your SSP, testing technical controls, interviewing staff, and validating evidence. A passing result means all 110 requirements are met, or a score of at least 88 with every open item eligible for a POA&M; the latter yields a conditional certificate that lapses unless the POA&M is closed and verified within 180 days. The certificate is valid for 3 years and is entered by the C3PAO into CMMC eMASS (Enterprise Mission Assurance Support Service); you affirm continued compliance in SPRS annually. AI-GENERATED
  7. Flow down requirements to subcontractors
    As a prime, you are responsible for ensuring your subcontractors who touch CUI are also CMMC-compliant. Review teaming agreements, add CMMC flow-down clauses to subcontracts, and verify subs have current SPRS scores. Non-compliant subs are your risk. AI-GENERATED
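As an added worked example (not from this page, the CMMC rule, or any DoD tool), the script below does the arithmetic behind steps 2 through 4 and the conditional-certificate test in step 6: it scores a self-assessment the way SPRS expects, orders open gaps by points lost, and checks whether the remaining gaps could legally sit on a POA&M. The point values, the two partial-credit rules, the 88-point floor and the POA&M exclusions are taken from the DoD NIST SP 800-171 Assessment Methodology and 32 CFR 170.21 as the editor understands them; the POINTS map covers only the requirements used in the sample, and the sample assessment is constructed, so confirm every value against Annex A of the methodology and the rule text before relying on the output.

```python
"""SPRS score and CMMC Level 2 POA&M eligibility from a self-assessment.

Illustrative example added by the editor; not part of the CMMC rule or any
DoD tool. Verify POINTS and NEVER_ON_POAM against the primary sources.
"""

MET, PARTIAL, NOT_MET = "met", "partial", "not_met"

# Point values per requirement come from Annex A of the DoD NIST SP 800-171
# Assessment Methodology (5, 3 or 1 point each; 110 requirements; max 110).
# Only the requirements used in SAMPLE are listed. These values are an
# assumption to be checked against Annex A; fill in all 110 for a real run.
POINTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.12": 5,
    "3.3.1": 5, "3.3.2": 3,
    "3.5.3": 5,
    "3.6.1": 5, "3.6.2": 5,
    "3.13.8": 3, "3.13.10": 1, "3.13.11": 5, "3.13.16": 1,
}

# The methodology gives partial credit for exactly two requirements: MFA in
# place for remote and privileged users but not general users (3.5.3), and
# encryption in use but not FIPS-validated (3.13.11). Each loses 3, not 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 1-point requirements that 32 CFR 170.21 never allows on a Level 2 POA&M
# (editor's reading of the rule; verify against the current text).
NEVER_ON_POAM = frozenset({"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"})

MIN_CONDITIONAL_SCORE = 88   # 80% of 110: floor for a conditional certificate
POAM_CLOSE_DAYS = 180        # conditional certificate lapses after this


def deduction(req_id, status):
    """Points lost for one requirement; 0 when fully implemented."""
    if status == MET:
        return 0
    if status == PARTIAL:
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} has no partial-credit rule; use met or not_met")
        return PARTIAL_CREDIT[req_id]
    if status == NOT_MET:
        if req_id not in POINTS:
            raise KeyError(f"no point value recorded for {req_id}; add it to POINTS")
        return POINTS[req_id]
    raise ValueError(f"unknown status {status!r} for {req_id}")


def sprs_score(assessment):
    """110 minus all deductions. Requirements absent from the assessment are
    treated as met, so a real run must list all 110."""
    return 110 - sum(deduction(r, s) for r, s in assessment.items())


def gaps(assessment):
    """Open requirements ordered by points lost: the remediation order that
    raises the SPRS score fastest."""
    open_items = [(r, deduction(r, s)) for r, s in assessment.items() if s != MET]
    return sorted(open_items, key=lambda item: (-item[1], item[0]))


def poam_eligible(req_id, status):
    """May this open item sit on a POA&M at assessment time? Only 1-point
    items qualify, plus 3.13.11 at partial credit, never the exclusions."""
    if req_id in NEVER_ON_POAM:
        return False
    if req_id == "3.13.11" and status == PARTIAL:
        return True
    return deduction(req_id, status) == 1


def conditional_cert_check(assessment):
    """Return (eligible, blockers). Eligible when the score clears the floor
    and every open item may be deferred to a 180-day POA&M."""
    blockers = sorted(r for r, s in assessment.items()
                      if s != MET and not poam_eligible(r, s))
    return sprs_score(assessment) >= MIN_CONDITIONAL_SCORE and not blockers, blockers


# Constructed sample: part of a self-assessment for a hypothetical SMB.
# Every requirement not listed is assumed met (see sprs_score).
SAMPLE = {
    "3.1.1": MET, "3.1.2": MET, "3.1.5": NOT_MET, "3.1.12": MET,
    "3.3.1": NOT_MET, "3.3.2": MET,
    "3.5.3": PARTIAL,
    "3.6.1": MET, "3.6.2": MET,
    "3.13.8": MET, "3.13.10": NOT_MET, "3.13.11": PARTIAL, "3.13.16": NOT_MET,
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for req, lost in gaps(SAMPLE):
        print(f"  {req:<8} -{lost}  POA&M ok: {poam_eligible(req, SAMPLE[req])}")
    eligible, blockers = conditional_cert_check(SAMPLE)
    print("Conditional certificate possible:", eligible, "blockers:", blockers)
```

On the sample the score is 94, comfortably above 88, yet no conditional certificate is possible: the open 5-point audit-logging item (3.3.1), the 3-point least-privilege item (3.1.5) and MFA at partial credit (3.5.3) all have to be fully implemented before the assessment, while the key-management, at-rest encryption and FIPS items could be carried on a POA&M. That is the practical reason step 4 says to close the high-point gaps first.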
Timeline Reality

6–18 Months Average. Book Your C3PAO by June 2026.

The CMMC Level 2 process isn't a weekend project. For most SMBs starting from a low NIST 800-171 baseline, the realistic timeline is 12–18 months from gap assessment to certified. Companies with mature IT and existing SPRS scores have cleared it in 6–9 months. Either way, time is already short.

The critical constraint is C3PAO availability — not remediation. Even if you complete all 110 controls tomorrow, you still need an assessor slot. With limited authorized assessors and 79,200 companies needing Level 2, expect a queue. AI-GENERATED

Now – Apr 2026: Gap assessment + SPRS score + begin remediation
⚡ May – Jun 2026: Book C3PAO NOW (last chance for the Nov deadline)
Jul – Sep 2026: Finish remediation + pre-assessment readiness review
Sep – Oct 2026: C3PAO assessment window
🔴 Nov 10, 2026: CMMC Phase 2 enforcement begins

Cost Benchmark

CMMC Level 2 Costs $75K–$150K for Most SMBs

Here's a realistic cost breakdown for a typical defense SMB (25–200 employees) with moderate IT complexity. Costs vary significantly based on your current posture, IT environment, and C3PAO selected. AI-GENERATED SEEK EXPERT ADVICE

Cost Category | Estimated Range (SMB) | Notes
Gap assessment & consulting | $15,000 – $40,000 | Initial NIST 800-171 assessment + SSP/POA&M development
Technical remediation | $20,000 – $80,000 | MFA, encryption, logging, access controls. Highly variable by starting posture.
C3PAO assessment fee | $20,000 – $50,000 | Formal third-party assessment by a Cyber AB-authorized C3PAO
GRC tooling (annual) | $5,000 – $15,000 | Compliance management platform (or DefenseBizStack from $99/mo)
Employee training | $2,000 – $8,000 | CMMC awareness training across affected staff
Total (typical SMB) | $75,000 – $150,000+ | Larger or more complex orgs: $200K–$500K+

Frequently Asked Questions

CMMC Phase 2 FAQs

Q: What happens if I miss the November 10, 2026 deadline?
If your contracts require CMMC Level 2 and you don't have certification by the contract-specified date, you lose eligibility to bid on or hold those DoD contracts. Existing contracts with DFARS 252.204-7021 clauses will require demonstrated compliance by the date in the clause. New solicitations issued after November 10, 2026 that specify Level 2 (C3PAO) will require CMMC Level 2 certification at award. Missing the deadline means losing contract eligibility, not just a fine. VERIFIED — DFARS Case 2019-D041

Q: How long does CMMC Level 2 take?
The full CMMC Level 2 process, from gap assessment to certified, typically takes 6 to 18 months for most SMBs. The timeline depends on your current NIST 800-171 posture, IT complexity, and C3PAO availability. C3PAO assessment slots are booking 3–6 months out as of early 2026. Budget 12 months minimum if you're starting from scratch. AI-GENERATED estimate

Q: What is a C3PAO?
A C3PAO (CMMC Third-Party Assessment Organization) is an organization authorized by the Cyber Accreditation Body (Cyber AB) to conduct official CMMC Level 2 certification assessments. You need a C3PAO if your contract requires CMMC Level 2 (C3PAO) certification; self-attestation is not accepted for that level. Find authorized C3PAOs at cyberab.org/marketplace. VERIFIED — cyberab.org

Q: Can I self-attest to CMMC Level 2?
Only if the solicitation specifies Level 2 (Self). Most contracts involving CUI are expected to specify Level 2 (C3PAO), which requires a third-party assessment by an authorized C3PAO. Level 1 is always a self-assessment; it covers the 15 basic safeguarding requirements of FAR 52.204-21. VERIFIED — 32 CFR Part 170

Q: What is SPRS and how does it relate to CMMC?
SPRS (Supplier Performance Risk System) is the DoD database where contractors upload their NIST SP 800-171 self-assessment scores. You must have a current SPRS score to be eligible for DoD contracts; this is a separate requirement from CMMC certification but uses the same 110 requirements and the same scoring methodology. CMMC Level 2 (C3PAO) requires independent verification of those requirements rather than self-reporting. Access SPRS at sprs.apps.mil. VERIFIED — DFARS 252.204-7019

Q: How much does CMMC Level 2 cost?
CMMC Level 2 typically costs $75,000–$150,000 total for most SMBs, including gap remediation, consulting, and the C3PAO assessment fee ($20,000–$50,000). Remediation costs vary widely based on your current NIST 800-171 posture. Larger or more complex organizations can see costs of $200,000–$500,000+. AI-GENERATED estimate SEEK EXPERT ADVICE
Data Integrity Notice: Content on this page is labeled [VERIFIED] where it cites primary government sources (dodcio.defense.gov, DFARS, 32 CFR Part 170), or [AI-GENERATED] where estimates are derived from industry analysis. Timeline and cost estimates are approximations and vary by organization. This page does not constitute legal, compliance, or regulatory advice. [SEEK EXPERT ADVICE] from a qualified CMMC Registered Practitioner Organization (RPO) or attorney for your specific situation. Dates verified against dodcio.defense.gov/CMMC/Policy/. Last updated: April 2026.