CMMC Phase 2 begins November 10, 2026, making third-party certification a condition of award for CUI contracts. The assessor bottleneck changes your timeline. Here is the current state and the plan.
For years, CMMC lived in the future tense. That ended on November 10, 2025, when the CMMC acquisition rule took effect and contracting officers began writing CMMC requirements into Department of Defense solicitations as a condition of award. The program is now in Phase 1 of a four-phase rollout, and the date that should be circled on every defense contractor’s calendar is November 10, 2026, when Phase 2 begins.
What Phase 2 actually changes
Under Phase 1, most contracts touching Controlled Unclassified Information have required a Level 2 self-assessment: the contractor evaluates itself against the 110 requirements of NIST SP 800-171, submits its score to the Supplier Performance Risk System (SPRS), and affirms compliance. Phase 2 ends the self-attestation era for most CUI contracts. Beginning November 10, 2026, the DoD may require Level 2 certification conducted by an authorized Certified Third-Party Assessment Organization, a C3PAO, as a condition of award, with discretion to impose Level 3 for the most sensitive programs.
The mechanics matter. A solicitation provision tells you before award which level is required: Level 1 self, Level 2 self, Level 2 C3PAO, or Level 3. The contract clause then governs life after award: maintaining your status, flowing requirements down to subcontractors, keeping your CMMC identifier current in SPRS, and filing annual affirmations. Which means there is no single day when every contractor must hold a certificate; your enforceable deadline arrives with your next solicitation, option exercise, or prime flow-down. Phase 2 simply makes that arrival overwhelmingly likely for CUI work from November onward.
The bottleneck nobody can consult their way around
The hard constraint in 2026 is arithmetic, not regulation. Roughly one hundred C3PAOs are authorized to conduct certification assessments, serving a population of contractors needing Level 2 certification that the DoD estimates in the tens of thousands. The certified assessor workforce is similarly thin relative to demand. The practical consequences are already visible: C3PAO calendars booking out months ahead, rising assessment pricing, and industry projections of long waits for organizations starting now. A certification is not a document you request. It is the final step of a multi-month program, and the queue for that final step is itself becoming the longest lead-time item.
The other pressure: enforcement
Self-attestation was never free of consequence. An inaccurate SPRS score or compliance affirmation is a representation to the government, and False Claims Act activity around cybersecurity representations has moved from theory to filed cases. Contractors carrying optimistic self-assessments into Phase 2 face a double exposure: ineligibility for new awards without certification, and legal risk on the representations already on file. The gap between a submitted score and a score that survives a C3PAO’s scrutiny is, for much of the industrial base, substantial, particularly where scores were calculated years ago and POA&M items have sat open since.
What to do with the five months
- Resolve scope first. Establish where CUI actually lives, flows, and is stored. Everything downstream, cost included, follows from scope, and a tightly scoped enclave is often the difference between a manageable assessment and an unaffordable one.
- Recalculate your SPRS score honestly. If your score on file predates your current environment, it is a liability, not an asset. An accurate score with a credible plan beats an inflated one every time.
- Close the non-negotiables. Certain requirements are not eligible for POA&Ms at assessment; those gaps fail outright and must be closed before assessment day, not promised after it.
- Treat documentation as implementation. Assessors validate 320 assessment objectives through documents, interviews, and testing. In an assessment, a control that is practiced but not documented scores the same as one that does not exist.
- Rehearse before it counts. A mock assessment run at real rigor, by people credentialed in how the scoring actually works, converts assessment day from discovery into confirmation.
The contractors who will still be bidding in 2027 are the ones treating the next five months as an execution window rather than a waiting period. The requirement only broadens from here: Phase 3 brings Level 3 assessments in 2027, and Phase 4 completes the rollout in 2028 with CMMC in essentially all FCI and CUI contracts. The program is no longer coming. It is here, and the queue is forming.
Daytol prepares defense contractors and subcontractors for CMMC with certified CMMC professionals and assessors on staff, from first scoping through mock assessment. If your assessment window is 2026 or 2027, the planning conversation should be this quarter.