What Is CMMC Phase 2?

CMMC Phase 2 is the second of three phases in the DoD's Cybersecurity Maturity Model Certification (CMMC) program. It marks the point where third-party assessment becomes mandatory for all contractors handling Controlled Unclassified Information (CUI) at CMMC Level 2.

Enforcement begins November 10, 2026 — approximately 137 days from today. After that date, any contractor who does not hold a valid CMMC Level 2 certificate (verified by an authorized C3PAO) will be ineligible for new DoD contract awards that require Level 2. Self-attestation is no longer accepted for Level 2 in Phase 2.

Contract Risk

Prime contractors cannot flow CUI to uncertified subcontractors without a waiver. Missing certification means losing contract opportunities — not civil penalties, but the same outcome: no more DoD work.

The Five CMMC Levels

CMMC 2.0 consolidates the original five levels into three practice tiers with five specific maturity levels. The levels represent increasing cybersecurity requirements tied to the sensitivity of the information a contractor handles.

Foundational

Basic cybersecurity hygiene for Federal Contract Information (FCI).

Self-Assessment Only

Advanced

NIST SP 800-171 alignment for CUI. 110 security controls across 14 domains.

C3PAO Assessment

Expert

NIST SP 800-172 for high-value assets and critical programs.

Government-Led Assessment

Level 1 — Foundational

Requires 15 security practices covering basic safeguarding of Federal Contract Information (FCI). Organizations complete an annual self-assessment and submit results to SPRS. Most relevant for contractors that handle FCI but no CUI.

Assessment type: Self-attestation (annual)
DFARS clause: 252.204-7019 (Level 1)
Who needs it: Contractors with FCI in their environment
SPRS requirement: Score submitted via SPRS annual assessment

Level 2 — Advanced

The most common requirement for defense contractors. Requires full compliance with all 110 practices from NIST SP 800-171 Rev 2. Formal third-party assessment by an authorized C3PAO is required. This is the Phase 2 focus.

Assessment type: Third-party C3PAO assessment (triennial)
DFARS clause: 252.204-7021 (Level 2)
Who needs it: Contractors processing, storing, or transmitting CUI
NIST requirement: All 110 NIST SP 800-171 Rev 2 controls
eMASS submission: Required after passing C3PAO assessment

C3PAO Booking Window

C3PAO assessment slots are filling. The current wait time for a C3PAO assessment booking is 2–4 months. If you haven't started the process yet, you risk missing the November 10, 2026 deadline.

Level 3 — Expert

Requires a subset of practices from NIST SP 800-172 plus all Level 2 controls. Assessment is led by the DoD rather than a C3PAO. Reserved for contractors working on the most sensitive programs.

Assessment Requirements by Level

Phase 2 fundamentally changes what's required for Level 2. The shift from self-attestation to third-party certification means contractors must demonstrate operational evidence — not just policies on paper.

Requirement	Level 1	Level 2	Level 3
Assessment Type	Self-Assessment	C3PAO Third-Party	DoD-Led Assessment
Frequency	Annual	Triennial (with annual DCSA review)	Ad hoc / program-determined
NIST Controls	15 practices (FCI)	110 controls (NIST 800-171 Rev 2)	110 + subset of NIST 800-172
DFARS Clause	252.204-7019	252.204-7021	252.204-7021
SPRS Score	Required	Required	Required
eMASS Submission	Not required	Required	Required
SSP Required	Not required	Required	Required
POA&M Required	Not required	Required	Required

What C3PAO Assessors Look For

Unlike a self-assessment, a C3PAO assessment examines operational evidence — what's actually running in your environment, not just what's documented. Assessors look for:

User authentication records — MFA enrollment logs, access control lists, privileged account inventories
System configuration baselines — evidence that CMMC-required settings are actually enforced
Incident response records — documented procedures, test results, and actual response logs
Media handling documentation — records of sanitization, destruction, and transport logs
Audit logs — evidence that log review occurs and anomalies are acted upon
Personnel security records — onboarding, background checks, security awareness training completion

AI-Generated Content Notice

This guide was authored with AI assistance. CMMC compliance is a complex, evolving regulatory area. All claims about DFARS clauses, NIST standards, and timelines should be verified against current official sources: dodcio.defense.gov/CMMC, the Federal Register, and a licensed C3PAO assessor.

DFARS Clauses Tied to Each Level

Each CMMC level is enforced through a specific DFARS clause. Understanding which clause applies to your contracts is the first step in determining your compliance obligations.

Clause	Requirement	CMMC Level	Who It Affects
252.204-7012	Safeguarding Covered Defense Information — requires NIST SP 800-171 compliance, SPRS score, incident reporting	Pre-CMMC	All contractors with covered defense information
252.204-7019	Notice of CMMC Requirements — requires Level 1 self-assessment and SPRS score for contract award	Level 1	Contractors handling FCI
252.204-7020	CMMC Requirements — requires Level 2 self-assessment at minimum, CMMC certificate in eMASS	Level 2 (Phase 1)	Contractors handling CUI — self-attestation in Phase 1
252.204-7021	CMMC Level 2 — requires C3PAO assessment, CMMC certificate, all Level 2 practices implemented	Level 2 (Phase 2)	Contractors handling CUI — third-party assessment from Nov 2026

252.204-7012 — Safeguarding Covered Defense Information

The original DFARS clause that started the CMMC conversation. Requires contractors to implement NIST SP 800-171 controls, report cyber incidents within 72 hours, and submit a SPRS score. While now largely superseded by the CMMC-specific clauses, it remains the baseline standard for all covered defense information handling.

15-day cyber incident reporting to DoD
Media protection and sanitization requirements
FIPS 140-2 validated encryption
SSP and POA&M documentation

252.204-7019 — Notice of CMMC Requirements

This clause introduced the CMMC requirement into contract language. It requires a current SPRS self-assessment score as a condition of contract award for Level 1. It sets the stage for CMMC-level enforcement by formally incorporating the CMMC model into contract requirements.

252.204-7020 — CMMC Requirements

Extends the notice clause to include Level 2 self-assessment requirements. In Phase 1 (now through October 2026), this allows contractors to self-attest to Level 2 compliance. After November 10, 2026, this clause will require third-party C3PAO certification under 7021.

252.204-7021 — CMMC Level 2

The Phase 2 enforcement clause. Requires a valid CMMC Level 2 certificate issued by an authorized C3PAO as a condition of contract award. No exceptions for self-assessment. The certificate must be recorded in eMASS before contract award.

Prime Contractor Flow-Down

Primes are responsible for flowing CMMC requirements to subcontractors. If your prime requires CMMC Level 2, your subcontract agreement must include the same DFARS clauses — and your certification is non-negotiable if CUI flows to you.

6-Month CMMC Level 2 Roadmap

With 137 days remaining, here is a realistic, compressed roadmap for contractors starting from scratch. Each phase assumes some parallel work — do not tackle these sequentially if your timeline is tight.

1

Confirm CUI Scope and Required Level

Review every active DoD contract for DFARS clauses. Identify all systems, people, and processes that touch CUI. This determines your actual scope — which is often smaller than people fear, but must be accurately documented.
2

Run a SPRS Self-Assessment

Score your current posture against NIST SP 800-171 using the SPRS tool. A score below 80 means significant work ahead. Above 80 still means remediation before C3PAO assessment. Record the score in SPRS — it's required for contract eligibility.
3

Complete Your SSP and POA&M

The System Security Plan documents your security environment. The Plan of Action and Milestones (POA&M) tracks every gap against NIST 800-171. These are the first things a C3PAO assessor reviews — and gaps here will cost you.
4

Remediate the 20% That Causes 80% of Failures

The most common C3PAO assessment failures come from: MFA for privileged users, audit log review and retention, incident response plan testing, media protection documentation, and CUI data flow mapping. Fix these first.
5

Book Your C3PAO Now

Don't wait until you're ready to book an assessment. C3PAO calendars are 2–4 months out. Book early, then use the wait time to complete your documentation and remediation. Pre-assessment readiness reviews from your C3PAO are worth the investment.
6

Submit to eMASS After Assessment

After passing C3PAO assessment, submit your CMMC certificate to eMASS within 30 days. Failure to record in eMASS means your certificate doesn't count for contract award purposes — regardless of what your C3PAO issued.

DefenseBizStack Assessment Tool

Use the CMMC Readiness Assessment — a free 3–5 minute self-assessment that scores your current security posture against NIST 800-171 controls and identifies your highest-priority gaps before you engage a C3PAO.

How DefenseBizStack Helps

DefenseBizStack provides the intelligence layer that makes CMMC compliance faster and more predictable for defense contractors. Here's how each product applies to your Phase 2 obligations:

Tool	Phase 2 Use Case
CMMC Readiness Assessment	Free self-assessment scoring your security posture against all 110 NIST 800-171 controls. Identifies gap areas and gives you a realistic timeline to Level 2 certification.
C3PAO Locator	Search and filter authorized C3PAOs by availability, location, and sector specialization. Includes direct booking links and assessment scope guidance.
SPRS Score Guide	Step-by-step walkthrough of SPRS scoring methodology with a 5-question estimator that maps your environment to a projected SPRS score before you run the full assessment.
DFARS Cybersecurity Clauses Guide	Full breakdown of 7012/7019/7020/7021 — what each clause requires, which applies to your contracts, and what happens if you miss the deadline.
NIST 800-171 Rev 3 Guide	Updated guidance covering the new NIST 800-171 Rev 3 requirements, Operational Design Parameters (ODPs), and the Rev 2 vs Rev 3 gap analysis for contractors transitioning before Phase 2.

Maintaining CMMC Certification After Phase 2

Passing your C3PAO assessment is the beginning, not the end. CMMC Level 2 certification must be maintained through:

Annual self-assessment: Level 2 certificate holders must complete an annual self-assessment and resubmit to SPRS. This is a lower burden than a full C3PAO assessment but must be completed every 12 months.
Triennial C3PAO reassessment: Your Level 2 certificate expires after three years. Begin the renewal process 6 months before expiration.
POA&M updates: As new controls are implemented or gaps are closed, your POA&M must be kept current. Stale POA&Ms are a red flag in C3PAO assessments.
NIST 800-171 Rev 3 transition: NIST 800-171 Rev 3 introduces new controls and modifies existing requirements. Contractors must plan for this transition — Rev 2 and Rev 3 are not equivalent.

Bottom Line

137 days is tight, but it's not over. Contractors who start now — with a clear CUI inventory, a realistic SPRS score, and a C3PAO booked — can still make November 10, 2026. The risk is for contractors who wait until Q3 2026 to begin.

Start Your CMMC Phase 2 Preparation Today

Run the free CMMC Readiness Assessment — score your current security posture, identify your highest-priority gaps, and get a realistic timeline to Level 2 certification.

Run Free Assessment →

[AI-GENERATED] Content generated with AI assistance. CMMC requirements are subject to change. Verify all regulatory claims against current DoD policy at dodcio.defense.gov/CMMC and consult a licensed C3PAO assessor before making compliance decisions.

CMMC Phase 2 Compliance Guide