by Mojave Research

CMMC Phase 2 Countdown: What November 2026 Means for Your Contracts

Phase 2 mandatory C3PAO assessments begin November 10, 2026. With assessment backlogs running 6–12 months and only 431 of ~80,000 companies certified, contractors who haven't started are already behind.

What Changes on November 10, 2026?

Phase 1 has been live since November 2025. If you’re a defense contractor handling CUI, your Contracting Officer can already check your SPRS score during source selection. That part isn’t new.

What changes with Phase 2 is the assessment model itself. Starting November 10, 2026, DoD will require mandatory C3PAO third-party assessments for Level 2 contracts across most CUI-handling acquisitions. Self-assessments — which many contractors are banking on as their compliance path — become the exception. DoD has said this explicitly: Level 2 self-assessments will be rare.

Phase 2 also opens the door for Level 3 DIBCAC assessments at DoD’s discretion, targeting the most sensitive programs. Phase 3 follows in November 2027, making C3PAO certification universal.

The three dates that matter:

  • November 10, 2025 — Phase 1. Self-assessments required. Already in effect.
  • November 10, 2026 — Phase 2. Mandatory C3PAO assessments for most Level 2 contracts.
  • November 10, 2027 — Phase 3. Universal C3PAO certification. No exceptions.

How Many Contractors Are Actually Ready?

Not many. As of October 2025, only 431 organizations held Level 2 CMMC certificates — out of an estimated 80,000 companies that will need Level 2 C3PAO assessments. That’s roughly half a percent.

The CyberSheath State of the DIB Report (2025) put it bluntly: 99% of the defense industrial base is not fully ready for CMMC. The gap between where contractors are and where they need to be is not a rounding error. It’s a structural problem.

And the math gets worse. Approximately 80 accredited C3PAOs serve the entire DIB. Even running at full capacity, the throughput cannot absorb 80,000 assessments in a compressed timeline. Assessment scheduling backlogs already stretch 6 to 12 months. Preparation timelines — the work required before you can even schedule an assessment — run 4 to 24 months depending on your current security posture.

If you’re starting from scratch today, you’re looking at a best-case scenario of late 2026 for assessment readiness. That assumes you start this month.

What Does Phase 2 Mean for Subcontractors?

Here’s the part that catches people off guard. DFARS 252.204-7021 requires prime contractors to flow CMMC requirements down to subcontractors at every tier. Your prime doesn’t have a choice — it’s a contractual obligation, not a preference.

What this means in practice: primes are already auditing their supply chains. Subcontractors who can’t demonstrate CMMC readiness risk losing their positions — not because of a government enforcement action, but because their prime can’t afford the risk of a non-compliant sub dragging down their own certification.

Industry analysts predict a 15–20% contraction in the defense industrial base as smaller contractors who can’t fund compliance exit the market or get acquired. Whether that number holds remains to be seen, but the direction is clear. The supply chain is consolidating around compliance.

What Does CMMC Level 2 Actually Require?

Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2 — not Revision 3. This matters. NIST finalized Rev 3 in 2024, but DoD has not authorized it for CMMC assessments, SPRS scoring, or compliance reporting. Implementing Rev 3 prematurely can actually create audit problems. Stay on Rev 2 for now; prepare for the transition later.

The 110 requirements break down into 320 assessment objectives across 14 control families — Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, and ten others. Each one needs documented policy, implemented procedures, and evidence of ongoing operation.

To pass, you need a minimum SPRS score of 88 (which earns conditional certification with a 180-day POA&M window) or a perfect 110 for full compliance. Scores below 88 mean you don’t qualify — no conditional path, no workarounds.

A word on POA&Ms: they’re only allowed for controls worth a single point. If you’re banking on POA&Ms to close major gaps, that strategy won’t survive contact with an assessor.

What Are Assessment Costs Running in 2026?

First-year Level 2 compliance costs currently range from $75,000 to $250,000, depending on environment complexity, existing security maturity, and the number of systems in scope. C3PAO assessment fees alone run $31,000 to $76,000 — and those fees are expected to roughly double by late 2026 as demand outstrips supply.

For a small machine shop running a 50-person operation with one enclave? Maybe $75K total. For a mid-tier subcontractor with multiple CUI-handling systems, cloud services, and a distributed workforce? Closer to $200K. Level 3 engagements start north of $500,000 and involve DIBCAC directly.

Waiting makes everything more expensive. Assessment slots get scarcer. Remediation timelines compress. And the consultancies that actually know what they’re doing fill their calendars first.

What Should Contractors Do Right Now?

Start with the work that takes the longest: scoping your CUI boundary, documenting your System Security Plan, and identifying your control gaps. These aren’t tasks you can rush in 30 days. CUI scoping alone — understanding exactly where controlled information lives in your email, file shares, backup systems, collaboration tools, and print queues — is the single highest-impact activity for reducing assessment cost and complexity.

Here’s a realistic sequence:

  1. Scope your CUI environment. Define exactly which systems process, store, or transmit CUI. Over-scoping drives up cost; under-scoping creates compliance gaps.
  2. Run a gap analysis against NIST 800-171 Rev 2. Identify where you stand on each of the 110 requirements. Be honest — assessors will be.
  3. Build a remediation plan with real deadlines. Not a PDF that sits in a SharePoint folder. A plan with owners, milestones, and a completion date that puts you in the C3PAO queue before Q3 2026.
  4. Schedule your C3PAO assessment early. The queue is already long. Waiting until you’re “ready” means waiting even longer once you get in line.

Our team has a CMMC Registered Practitioner on staff, and we’re booking engagements now — while many established RPOs are backlogged into Q4. If you’re behind on CMMC, a 30-minute readiness triage will tell you exactly where you stand and what it takes to get assessment-ready before Phase 2 hits.

The deadline doesn’t move. The only variable is when you start.