CMMC Phase 2 enforcement begins November 10, 2026, per the CMMC Final Rule (32 CFR Part 170). Defense contractors who process, store, or transmit Controlled Unclassified Information (CUI) must achieve CMMC Level 2 certification from an authorized C3PAO before that date to remain eligible for DoD contract awards. CMMC Level 2 requires full compliance with all 110 security practices in NIST SP 800-171 Rev 2 across 14 domains. Subcontractors who touch CUI are also covered. NAVFAC Southwest embedded a November 10, 2026 hard gate in solicitations as early as 2025. C3PAO booking wait times are 2–4 months; contractors must initiate the process no later than June 2026. Consequences of non-compliance: ineligibility for covered DoD contract awards — not fines. VERIFIED
CMMC Phase 2 Timeline: Key Dates
The CMMC implementation timeline follows three phases defined in 32 CFR Part 170. The dates are fixed — they are tied to the Final Rule publication date of December 26, 2023. VERIFIED: 32 CFR Part 170, Federal Register Vol. 88 No. 247
- December 26, 2023: CMMC Final Rule Published
  32 CFR Part 170 published in the Federal Register. Three-year phased implementation begins. Replaces earlier CMMC 2.0 interim rule. Self-assessment requirements for CMMC Level 1 and a subset of Level 2 take effect. VERIFIED
- Now (Phase 1, Active): Self-Attestation Required
  DoD contracts may begin requiring CMMC Level 1 (self-attestation for 17 practices) and CMMC Level 2 self-attestation for lower-risk programs. Contractors must post an annual affirmation in SPRS. This phase is already in effect. VERIFIED
- June 2026 (recommended cutoff): C3PAO Booking Deadline
  This is not a regulatory date — it's operational. C3PAO assessment wait times are 2–4 months. To receive certification before November 10, 2026, you must have a C3PAO engagement in place no later than early-to-mid June 2026. This window is closing. AI-ESTIMATE
- November 10, 2026: Phase 2 Enforcement Begins — Hard Gate
  DoD contracting officers begin requiring CMMC Level 2 certification at contract award for all acquisitions that include CUI. NAVFAC Southwest has already embedded this date as a hard gate in solicitations. Uncertified contractors cannot be awarded covered contracts. VERIFIED: 32 CFR Part 170 §170.4
- November 10, 2027: Phase 3: Full Implementation
  All DoD acquisitions requiring CMMC are fully implemented. Remaining DoD contract types phased in. Phase 3 represents the end state of CMMC rollout. VERIFIED: 32 CFR Part 170 §170.4
NAVFAC Southwest embedded a November 10, 2026 CMMC Level 2 hard gate in solicitation language as early as 2025 — before Phase 2 formally takes effect. This is not an isolated case. Review every active solicitation for CMMC requirement language. If you see the November 10, 2026 date or DFARS clause 252.204-7021, the clock is already running.
What CMMC Level 2 Requires
CMMC Level 2 is a direct 1-to-1 mapping to NIST SP 800-171 Rev 2. There are 110 security practices organized across 14 domains. Every practice must be fully implemented to pass a C3PAO assessment. VERIFIED: NIST SP 800-171 Rev 2, 32 CFR Part 170 §170.14
Key Documentation Requirements
In addition to implementing all 110 practices, CMMC Level 2 requires specific documentation before a C3PAO can begin your formal assessment:
- System Security Plan (SSP) — Documents your system boundary, hardware, software, users, connections, and how each of the 110 practices is implemented. Must accurately reflect your actual environment, not a hypothetical ideal state.
- Plan of Action & Milestones (POA&M) — Documents any practices not yet fully implemented, with remediation timelines. Limited POA&M use is permitted under the Final Rule, but assessors will scrutinize scope and timelines carefully.
- SPRS Score in PIEE — Your self-assessment score (ranging from -203 to +110) must be posted to the Supplier Performance Risk System before contract award. An accurate, current SPRS score is required.
- eMASS Record — After a successful C3PAO assessment, your certification is recorded in eMASS (Enterprise Mission Assurance Support Service). Contracting officers verify certification through eMASS, not from documents you provide.
Based on C3PAO community reporting, these five practice areas cause the most assessment failures: (1) Multi-factor authentication for all privileged and non-privileged accounts (AC.L2-3.1.x); (2) Audit logging on all in-scope systems including cloud and endpoints; (3) CUI data flow documentation — where CUI lives, who touches it, how it moves; (4) Incident response plan testing — plans that exist but have never been exercised; (5) Configuration management baselines that don't match actual deployed configurations. Prioritize these before engaging a C3PAO. AI-GENERATED
Who Is Affected by CMMC Phase 2
The CMMC requirement applies to any organization in the defense industrial base (DIB) that handles Controlled Unclassified Information. The scope is broader than many contractors assume. VERIFIED: 32 CFR Part 170 §170.3, DFARS 252.204-7012
| Organization Type | CMMC Level Required | Trigger |
|---|---|---|
| Prime contractors with CUI | Level 2 required | DFARS 252.204-7012 + CUI in environment |
| Subcontractors receiving CUI from prime | Level 2 required | Prime must flow down CMMC via subcontract clause |
| IT Managed Service Providers (MSPs) | Level 2 required | If MSP manages systems that store or process CUI |
| Cloud Service Providers (CSPs) | Level 2 required | FedRAMP Moderate equivalent required if processing CUI |
| Prime contractors without CUI (FCI only) | Level 1 (self-attestation) | DFARS 252.204-7012 but no CUI — 17 practices only |
| COTS product suppliers | Exempt | No CUI touches — purely commercial product supply |
The critical question is: does CUI pass through your environment? CUI is not just classified information — it encompasses a wide range of technical, legal, financial, and infrastructure data that the government generates or shares under contract. If your systems store drawings, specs, contract data, or technical manuals that came from a DoD prime or agency, you likely handle CUI.
Prime contractors are legally responsible for ensuring their subcontractors who touch CUI meet CMMC requirements. If you award a subcontract that involves CUI and the subcontractor is not CMMC Level 2 certified, you are potentially in violation of DFARS 252.204-7021. Review your supplier base and add CMMC flow-down clauses to all relevant teaming agreements and subcontracts now — not after Phase 2 takes effect.
10-Step CMMC Readiness Checklist
This is the sequence that matters. Do not skip steps or reorder — each one builds on the last. Timeline estimates assume a small-to-mid-size contractor starting from a partial baseline. AI-GENERATED timeline estimates
1. Determine if CMMC Level 2 Applies to You (1–2 weeks)
   Review all active contracts and current solicitations for DFARS clause 252.204-7012. Conduct a CUI inventory — identify every system, user, and process that touches data marked CUI. If you have CUI and DFARS 7012, CMMC Level 2 is mandatory. Use our free CMMC Readiness Assessment to determine your scope quickly.
2. Define Your Assessment Boundary (2–4 weeks)
   Document every system, network, cloud service, and endpoint that processes, stores, or transmits CUI. This is your "assessment boundary" — the scope your C3PAO will evaluate. A larger boundary = longer assessment = higher cost. Isolating CUI to a well-defined segment reduces scope and cost significantly. This decision has major financial implications.
3. Run a NIST SP 800-171 Gap Assessment (2–6 weeks)
   Score your organization against all 110 NIST SP 800-171 Rev 2 practices. Document findings for each practice: Met, Not Met, or Partially Met. Record gaps in a POA&M. Your resulting score (range: -203 to +110) becomes your SPRS score. Start with our free CMMC assessment tool — it maps your responses to the 110 practices and flags high-priority gaps.
4. Write or Update Your System Security Plan (SSP) (4–8 weeks)
   Your SSP must describe how each of the 110 practices is implemented in your specific environment. Generic SSP templates that don't match your actual system architecture will fail assessment. The SSP is the primary artifact your C3PAO will review — invest time here. Include network diagrams, user roles, data flows, and system interconnections.
5. Submit Your SPRS Self-Assessment Score (1 week, after gap assessment)
   Post your self-assessment score to the Supplier Performance Risk System (SPRS) at sprs.apps.mil. You must have a PIEE account. Your score and assessment date are visible to contracting officers. An honest, current score is required — submitting an inflated score is a False Claims Act risk. See the SPRS Score Guide for the complete scoring methodology.
6. Remediate High-Priority Gaps (3–9 months)
   Focus remediation on the highest-weighted practices first: multi-factor authentication, audit logging, configuration management, CUI encryption at rest and in transit, and access control. These practices have the most scoring weight and are the most common assessment failures. Do not schedule a C3PAO assessment until critical gaps are closed — arriving unprepared wastes $30K–$200K in assessment fees.
7. Select and Book an Authorized C3PAO (4–8 weeks to book, 2–4 months wait)
   Only C3PAOs authorized by the Cyber AB can conduct CMMC Level 2 assessments. Find authorized assessors at marketplace.cyberab.org. Request quotes from at least 3 organizations — pricing varies significantly by scope and size. C3PAO wait lists are 2–4 months. Book by June 2026 at the latest to receive certification before the November 10 deadline. See the C3PAO Assessment Guide for selection criteria and pricing benchmarks.
8. Complete Pre-Assessment Preparation (4–8 weeks before assessment)
   In the weeks before your formal assessment: conduct an internal pre-assessment using your SSP, verify all POA&M items are on track, test your incident response procedures, confirm audit logs are complete and retrievable, and brief all staff who will be interviewed. Many organizations hire an authorized CMMC Registered Practitioner Organization (RPO) for pre-assessment support — this often reduces assessment failure rates significantly.
9. Complete the Formal C3PAO Assessment (2–8 weeks of active assessment)
   Your C3PAO team reviews your SSP, tests technical controls, observes system configurations, and interviews staff. They evaluate evidence against each of the 110 practices. Findings go through adjudication by the Cyber AB. A passing assessment results in a CMMC Level 2 certificate valid for 3 years, recorded in eMASS.
10. Flow Down to Subcontractors and Maintain Certification (ongoing)
   Once certified: (1) add CMMC flow-down clauses to all subcontracts involving CUI; (2) verify subcontractors who touch CUI are certified or have a plan; (3) maintain your security posture — letting controls degrade can invalidate certification; (4) post annual affirmations in SPRS; (5) plan for reassessment at the 3-year mark. Use Bid Matcher to track new solicitations with CMMC requirements and stay ahead of renewal windows.
CMMC Level 2 Cost Ranges
CMMC Level 2 certification involves three cost categories: preparation and remediation, C3PAO assessment, and ongoing maintenance. Understanding all three prevents budget surprises. AI-GENERATED cost estimates based on published C3PAO rates and industry surveys
| Cost Category | Small Contractor (<50 employees) | Mid-Size (50–300 employees) | Large (>300 employees) |
|---|---|---|---|
| Preparation & remediation | $15,000–$75,000 | $50,000–$300,000 | $200,000–$1M+ |
| C3PAO assessment fee | $30,000–$80,000 | $80,000–$200,000 | $200,000–$500,000+ |
| Annual maintenance | $10,000–$30,000/yr | $25,000–$75,000/yr | $75,000–$200,000/yr |
| Reassessment (year 3) | Similar to initial | Similar to initial | Similar to initial |
The single highest-impact cost lever is your assessment boundary. Contractors who isolate CUI processing to a well-defined, documented enclave — separate network segment, limited users, controlled access — can reduce assessment scope dramatically. A 10-user CUI enclave costs a fraction of a 200-user flat network. Define your boundary before remediating — remediating the wrong systems wastes money.
Frequently Asked Questions
CMMC Phase 2 enforcement takes effect on November 10, 2026. This is when DoD contract solicitations begin requiring CMMC Level 2 certification at award for contractors handling CUI. The CMMC Final Rule (32 CFR Part 170) was published December 26, 2023, with a 3-year phased implementation. Phase 2 enforcement is already being embedded in specific solicitations ahead of the formal date — review every active solicitation for CMMC language. VERIFIED: 32 CFR Part 170 §170.4
CMMC Level 2 requires full compliance with all 110 security practices in NIST SP 800-171 Rev 2, verified by an authorized C3PAO. The 110 practices span 14 domains: Access Control (22), Awareness & Training (3), Audit & Accountability (9), Configuration Management (9), Identification & Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System & Communications Protection (16), and System & Information Integrity (7). You must also have a complete SSP, POA&M, current SPRS score in PIEE, and a passing assessment recorded in eMASS. VERIFIED: NIST SP 800-171 Rev 2, 32 CFR Part 170 §170.14
Any organization that processes, stores, or transmits Controlled Unclassified Information (CUI) under a DoD contract. This includes: prime contractors with DFARS 252.204-7012 clauses and CUI in scope; subcontractors who receive CUI from a prime; IT MSPs managing CUI-handling systems; and cloud service providers storing CUI. Organizations with only Federal Contract Information (FCI) and no CUI qualify for Level 1 self-attestation. COTS product suppliers with no CUI may be exempt. The trigger is CUI — conduct a CUI inventory first. VERIFIED: 32 CFR Part 170 §170.3, DFARS 252.204-7012
Total timeline from starting preparation to receiving a certificate is typically 6–18 months. Organizations with strong existing security (SPRS above 80, SSP in place, MFA deployed) can complete in 6–9 months. Organizations starting from a low baseline (SPRS below 50) should plan 12–18 months. The C3PAO assessment itself takes 2–8 weeks; scheduling wait times are 2–4 months. The June 2026 C3PAO booking cutoff is critical — contractors who have not started preparation by May 2026 face serious risk of missing the November 10 deadline. AI-ESTIMATE
Contractors without CMMC Level 2 certification after November 10, 2026 will be ineligible for award of DoD contracts that require it. This is a contract eligibility gate, not a fine. In practice: contracting officers reject proposals from uncertified organizations; primes cannot legally flow CUI to uncertified subcontractors without a waiver; self-attestation no longer satisfies Level 2. Limited national security waivers exist but are not routine and require senior DoD approval. Do not plan around waivers. VERIFIED: 32 CFR Part 170 §170.4, §170.7; DFARS 252.204-7021
Use the free CMMC Readiness Assessment to get a personalized gap analysis based on your actual environment — not a generic checklist. It maps to all 110 practices and flags your highest-priority remediation items. No email required to run the assessment.