
CMMC Deadlines 2026: The Full Implementation Timeline (and the One Date That Actually Applies to You)

By The Defense Compliance Report Editorial Team

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance.

Last verified: June 15, 2026

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

We are not affiliated with the Department of Defense, DCMA DIBCAC, The Cyber AB, or any U.S. government agency. This article is educational and is not legal, contracting, or compliance advice. For a binding interpretation of your solicitation or clause, talk to your contracting officer and qualified counsel.

Here’s the short version on CMMC deadlines 2026: the date that matters most is November 10, 2026 — the start of Phase 2, when the Department of Defense (DoD) begins adding a requirement for Level 2 certification by a third party (a C3PAO) to applicable contracts that involve sensitive information. That date is written into the current rule, and nothing in the 2026 rulemaking suggests it’s slipping. But here’s the part almost every page leaves out: there is no single, universal deadline that applies to every defense contractor on the same day.

Your enforceable deadline is set by your solicitation, contract award, option exercise, or prime flow-down — not by a public calendar. Phase 2 tells you what DoD intends to put in applicable contracts starting November 10, 2026. Your clause tells you what you actually must hold, and when.

We read the rules so you don’t have to guess. The phased schedule below comes straight from the CMMC Program Rule at 32 CFR § 170.3(e) and the DoD CIO’s CMMC program page, both re-checked on June 15, 2026. The “what triggers my deadline” answer comes from the actual contract language in DFARS 252.204-7025.

The 30-second answer: which 2026 date is yours?

| If this is you | The 2026 answer | Your next move |
| You handle FCI only (no CUI) | Usually Level 1 (Self) if a contract requires CMMC | Confirm you truly have no CUI; complete the Level 1 annual self-assessment |
| You handle CUI, contract says Level 2 (Self) | A Level 2 self-assessment against 110 controls | Build your evidence and post the required status in SPRS |
| You handle CUI, contract says Level 2 (C3PAO) | A third-party assessment — far more common starting Nov 10, 2026 | Finish readiness before you contact an assessor |
| You're a subcontractor | Your prime's flow-down may be your real deadline | Ask the prime exactly what FCI/CUI you'll handle and what level flows down |
| You're not sure you have CUI | Don't guess — this changes everything | Start with scoping, not a quote |

Only buying commercial off-the-shelf (COTS) items? Check whether CMMC even applies to you before you read further — you may be off the hook.

What is the real CMMC deadline in 2026?

The headline date is November 10, 2026, when Phase 2 of the CMMC rollout begins and Level 2 certification by a C3PAO becomes a likely condition of award for applicable contracts involving Controlled Unclassified Information (CUI). But your company’s enforceable deadline is set by your solicitation, award, option exercise, or prime flow-down — not by a universal date. CMMC is phase-based at the program level and contract-triggered at the company level.

Let’s be straight with you about something, because it’s the fastest way to build the trust this decision deserves.

A deadline article — including this one — cannot tell you your exact contractual deadline without seeing your clause language. That sounds like a dodge. It isn’t. It’s the actual answer, and once you internalize it, you’ll understand this program better than most of the people selling against it. There is no day in 2026 when every defense contractor simultaneously must hold a certificate. What exists instead is a rule phase (the government’s rollout schedule) layered on top of contract-triggered requirements (the clause that appears in your specific solicitation or award).

If you genuinely have no current or pending DoD work that touches Federal Contract Information (FCI) or CUI, no 2026 date forces you to do anything today. For everyone else, read on — because the date you should be planning toward is rarely November 10, 2026. It’s usually earlier.

Rule-stated date vs. your contract-triggered deadline

| | Rule-stated (the program) | Contract-triggered (your company) |
| The date | Phase 2 begins Nov 10, 2026 (32 CFR § 170.3(e)) | Your next award, option, or flow-down that carries a CMMC requirement |
| What it sets | What DoD intends to include in applicable solicitations | What you must actually hold to be eligible |
| The requirement | Level 2 (C3PAO) added to the menu | The exact level your solicitation names (DFARS 252.204-7025) |
| Who verifies it | The phased rule and the contracting officer | The contracting officer, against your status in SPRS |
| Your action | Know the schedule | Work backward from your award date |

Why you keep seeing “October 31, 2026”

You’ll find pages citing “October 2026” or “October 31, 2026” as the hard deadline. We won’t publish that as the controlling date, because we can’t tie it to the primary-source rule text the way we can tie November 10, 2026 to 32 CFR § 170.3(e) and the DFARS rule’s effective date. Treat “October 2026” as planning shorthand if it helps you build a buffer — buffers are smart. But the codified Phase 2 date is November 10, 2026.

The date that actually matters: your award, option, or flow-down date

Here’s the mechanism, in plain terms. Two DFARS provisions do the work, and they do different jobs:

  • DFARS 252.204-7025 (“Notice of Cybersecurity Maturity Model Certification Level Requirements”) is a solicitation provision — it appears before award. It’s where the contracting officer writes in the required level: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). The clause states plainly that this level “is required prior to award.”
  • DFARS 252.204-7021 (“Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements”) is the contract clause — it governs life after award. It requires you to maintain your status, flow requirements down to subcontractors, keep your CMMC unique identifier (CMMC UID) current in SPRS, file annual affirmations, and report changes.

So the question “when is my deadline?” really means: when is my next award, option exercise, or subcontract that carries a -7025 notice — and what level does it demand? Work backward from that date. Not from a blog headline.

The full CMMC implementation timeline: Phase 1, 2, 3, and 4

CMMC is rolling out in four phases over a three-year period, one phase per year, defined in 32 CFR § 170.3(e). Phase 1 began November 10, 2025; Phase 2 begins November 10, 2026; Phase 3 begins November 10, 2027; and Phase 4 — full implementation — begins November 10, 2028. Each phase widens what DoD intends to include in applicable solicitations and contracts; it does not flip a switch that instantly re-papers every existing contract.

[Timeline graphic: Phase 1, Nov 10, 2025 (L1 & L2 Self); Phase 2 (key), Nov 10, 2026 (adds L2 C3PAO); Phase 3, Nov 10, 2027 (L2 C3PAO broadens; L3 begins); Phase 4, Nov 10, 2028 (full implementation)]

| Phase | Calendar window | What DoD intends to include | What it means in practice |
| Phase 1 | Nov 10, 2025 – Nov 9, 2026 | Level 1 (Self) and Level 2 (Self) in applicable solicitations/contracts; Level 2 (C3PAO) may be required at DoD discretion | Some contractors already need a current SPRS status and affirmation before award — today |
| Phase 2 ▲ | Nov 10, 2026 – Nov 9, 2027 | Adds Level 2 (C3PAO) as a condition of award for applicable contracts; may delay the requirement to an option period | The big 2026 inflection point — a self-assessment no longer satisfies a contract that requires a C3PAO |
| Phase 3 | Nov 10, 2027 – Nov 9, 2028 | Level 2 (C3PAO) broadens across solicitations and option exercises; Level 3 (DIBCAC) begins for applicable contracts | Third-party assessment becomes common; Level 3 gets real for high-sensitivity programs |
| Phase 4 | Begins Nov 10, 2028 | Full implementation across all applicable solicitations and contracts, including option periods on earlier awards | CMMC is fully baked into applicable DoD contract actions (COTS-only contracts remain excluded) |

Source: phased schedule per 32 CFR § 170.3(e), the DFARS final rule effective date (Nov 10, 2025), and the DoD CIO CMMC page; verified June 15, 2026.

The two rules behind the timeline (and why the order matters)

CMMC became real in two steps, and contractors constantly conflate them:

  1. The CMMC Program Rule — 32 CFR Part 170 — was published October 15, 2024 and became effective December 16, 2024. This rule built the program: the levels, the assessment types, the scoring, the POA&M rules, the affirmation requirements.
  2. The DFARS CMMC Acquisition Rule was published in the Federal Register on September 10, 2025 (DFARS Case 2019-D041) and became effective November 10, 2025. This rule made CMMC a contract gate by amending DFARS 252.204-7021 and adding the solicitation provision DFARS 252.204-7025.

The first rule wrote the standard. The second gave contracting officers a way to require it before they hand you an award. Phase 1 starts on the DFARS rule’s effective date, and each later phase follows one year after. That’s the whole arithmetic behind “November 10.”

Phase 1: where we are right now (and the trap in it)

Phase 1 leans on self-assessments — Level 1 and Level 2 (Self). But do not read “Phase 1” as “no third-party assessments until 2026.” The rule lets DoD require Level 2 (C3PAO) at its discretion during Phase 1. The practical trap: a contractor assumes they have until late 2026, then a solicitation lands this quarter with a Level 2 (C3PAO) notice and an award date they can’t possibly hit.

Phase 2: November 10, 2026

This is the date most CUI-handling contractors should plan around. Starting November 10, 2026, the rule adds Level 2 (C3PAO) certification to the set of requirements DoD may put in applicable solicitations and contracts as a condition of award — on top of the Phase 1 requirements that already exist. A self-assessment won’t satisfy a solicitation that specifically requires Level 2 (C3PAO). What Phase 2 does not mean: it does not make every existing contract suddenly demand a C3PAO, and it does not retroactively void a self-assessment that was correct for your prior-award level.

Phase 3: November 10, 2027

Level 2 (C3PAO) requirements broaden across applicable solicitations and option exercises, and Level 3 — assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), part of the Defense Contract Management Agency — begins applying to applicable contracts. Level 3 requires a final Level 2 (C3PAO) status first (32 CFR § 170.18). It’s a build-on, not a parallel track.

Phase 4: November 10, 2028

Full implementation. CMMC requirements apply across all applicable DoD solicitations and contracts, including option periods on awards that pre-date Phase 4. “Applicable” still does real work here — the requirement lands where FCI or CUI is processed, stored, or transmitted on contractor systems, subject to the rule’s exclusions (notably COTS-only contracts).

Can the assessment system even handle a 2026 rush? Our gap analysis

As of the March 2026 Cyber AB Town Hall, roughly 103 organizations were authorized to perform CMMC assessments (C3PAOs), and about 178 new Level 2 certifications were issued that month — against an estimated 76,000 to 80,000 organizations expected to eventually need Level 2. The bottleneck heading into Phase 2 is not a shortage of rules or even a shortage of assessors. It’s that the defense industrial base is roughly 1% certified to Level 2, and the pipeline that turns “not ready” into “certified” is narrow.

The Defense Compliance Report CMMC Phase 2 readiness gap

| Metric | Most recent figure | As of | Source |
| Phase 2 start (Level 2 C3PAO becomes a likely award condition) | November 10, 2026 | Rule | 32 CFR § 170.3(e) |
| Authorized C3PAOs | 103 | Mar 2026 | Cyber AB Town Hall |
| C3PAO count, three-month trend | 97 → 98 → 103 | Jan → Feb → Mar 2026 | Cyber AB Town Halls |
| Certified Assessors (CCAs) | ~759 | Mar 2026 | Cyber AB Town Hall |
| New Level 2 certificates issued in one month | ~178 | Mar 2026 | Cyber AB Town Hall |
| Organizations certified to Level 2 (cumulative) | ~1,000 | Mar 2026 | Cyber AB Town Hall / Marketplace analysis |
| Organizations estimated to need Level 2 | ~76,000–80,000 | 2026 | Cyber AB Town Hall figures |
| Typical Level 2 readiness duration | 6–18 months | DCR estimate | DCR provider-quote dataset |
| C3PAO accreditation runway | ~13-month initial authorization; 27 months before accreditation is mandatory | Rule | 32 CFR / Cyber AB Town Hall |

Methodology: We recorded the C3PAO count, assessor counts, monthly certifications issued, and cumulative Level 2 certifications reported at the January, February, and March 2026 Cyber AB Town Halls, and cross-checked the population estimates against figures cited at those Town Halls. The ~1% figure is our calculation: roughly 1,000 organizations certified ÷ the ~76,000–80,000 estimated to need Level 2 ≈ about 1%. The “6–18 months” readiness range is our editorial estimate from provider quotes and reviews, not a regulatory figure. We re-verify these numbers after each Cyber AB Town Hall.

An honest note on the numbers. Sources disagree on the demand side. The total defense industrial base is widely cited near 118,000 organizations, while the subset specifically expected to need a Level 2 third-party certification is cited anywhere from about 76,000 to 80,000. Certification counts are reported per assessed organization or information system, while population estimates count organizations — so treat the ~1% as a directional readiness signal, not a precise ratio.

Now the math we won’t sensationalize. At March 2026’s pace of roughly 178 new Level 2 certifications a month, clearing the remaining tens of thousands of organizations would take years at the current rate. We’re deliberately not printing a single scary “X years” headline, because the rate is climbing and not every contractor needs a C3PAO certificate — plenty are Level 1 (Self) or Level 2 (Self). But the honest takeaway is unavoidable: the assessment pipeline cannot absorb a late-2026 surge. Industry reporting through early 2026 consistently described authorized assessors booking months out, with waitlists stretching past a year. So your real constraint usually isn’t the November date — it’s whether you can get an assessment scheduled in time for the award you care about.

Which CMMC level and assessment type is your deadline for?

Your level is set by the information you handle: Level 1 for FCI, Level 2 for CUI, Level 3 for CUI tied to the most sensitive programs. Level 1 is an annual self-assessment of 15 basic safeguarding requirements (FAR 52.204-21). Level 2 maps to the 110 requirements of NIST SP 800-171 Revision 2, organized into 14 control families, and is assessed either by self-assessment or a C3PAO depending on the contract. Level 3 adds 24 selected requirements from NIST SP 800-172 and is assessed by DIBCAC. Which one is your deadline depends entirely on what you handle and what the solicitation requires.

| Level | Information | Requirements | Standard | Assessment | POA&Ms? |
| Level 1 | FCI | 15 basic safeguards | FAR 52.204-21 | Self, annual | Not allowed |
| Level 2 | CUI | 110 | NIST SP 800-171 Rev. 2 (14 families) | Self or C3PAO (per contract); 3-year cycle + annual affirmation | Limited (see below) |
| Level 3 | CUI on critical programs | 110 + 24 selected | + NIST SP 800-172 | DIBCAC | Limited |

Read your solicitation: the contract-wording decoder

The -7025 provision spells out exactly one of four phrases. Here’s what each one means for you.

| If the solicitation says… | It means you need… | Where the result lives | Talk to this category first |
| Level 1 (Self) | An annual Level 1 self-assessment, FCI only | SPRS | Readiness / IT provider (often light) |
| Level 2 (Self) | A Level 2 self-assessment against the 110 controls | SPRS | RPO / readiness provider |
| Level 2 (C3PAO) | A third-party certification assessment | eMASS → SPRS | Readiness first, then an authorized C3PAO |
| Level 3 (DIBCAC) | A government DIBCAC assessment (final Level 2 first) | eMASS → SPRS | Specialized readiness + DIBCAC path |

Level 1 is not “CMMC-lite” for CUI

Level 1 exists for FCI-only situations. It’s an annual self-assessment against the 15 safeguarding requirements in FAR 52.204-21, and — this trips people up — it allows no plans of action and milestones. Every Level 1 requirement has to be met. If you touch CUI, Level 1 is not your shortcut; you’re in Level 2 territory. For a full breakdown, see our guide on CMMC Level 1 vs Level 2.

Level 2 is the common CUI path — and it’s Revision 2, not Revision 3

Here’s a correction we see ranking pages get wrong, including some that should know better: CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. The controlling rule says so plainly — 32 CFR § 170.24 scores Level 2 against “NIST SP 800-171 R2,” the 110 requirements across 14 control families. NIST did publish Revision 3 in May 2024, and within NIST’s own library it supersedes Revision 2. But DoD has not updated CMMC to incorporate Revision 3, and any change would come through a future rulemaking — not automatically. Build your System Security Plan (SSP), your POA&M strategy, and your SPRS score against Revision 2 today. We checked this against the rule and NIST on June 15, 2026.

Level 2 Self vs Level 2 C3PAO is a contract requirement — not your choice

You don’t get to pick the cheaper, faster self-assessment if the solicitation calls for a C3PAO. The -7025 provision tells you which one the contracting officer inserted. Self-assessment results go into SPRS; third-party (C3PAO) results flow through the government’s eMASS system and populate SPRS. Same 110 requirements either way — the difference is who validates them. For a deeper look, see RPO vs C3PAO: which do you need?

Level 3 is not the normal 2026 path for a small contractor

Level 3 is for the most sensitive CUI, it requires a final Level 2 (C3PAO) status as a prerequisite (32 CFR § 170.18), and it’s assessed by DIBCAC — a government body — not a commercial C3PAO alone. If you’re a small supplier wondering whether you need Level 3 in 2026, you almost certainly don’t unless a contract explicitly says so.

What has to be in SPRS before you can win the award?

If a solicitation requires a CMMC level, you generally need a current CMMC status in SPRS at that level — plus a current affirmation — before award. The Supplier Performance Risk System (SPRS) is the government’s database of record; the -7025 provision makes a current SPRS status a condition of eligibility, and the -7021 clause requires you to keep it current, flow it down, and re-affirm it annually. A certificate PDF in a drawer is not the deliverable. The status in SPRS is.

| Item | Who it matters for | Why it matters |
| Required CMMC level | All applicable offerors | The solicitation (DFARS 252.204-7025) states the level and assessment type |
| Current CMMC status | All applicable offerors | Award eligibility hinges on a current status in SPRS |
| Current affirmation | All applicable offerors | An affirming official must affirm continuous compliance |
| CMMC UID | Level 2/3 and assessed systems | Identifies the specific assessed information system |
| CAGE code alignment | Multi-entity contractors | Prevents status mismatches across contracts and systems |
| POA&M status (if any) | Conditional Level 2/3 | Must close within 180 days (see below) |
| Subcontractor status | Primes and subs | Flow-down applies wherever subs handle FCI/CUI |

A CMMC status is not just a certificate

The entire acquisition rule is built around a current status in SPRS that matches the required level and assessment type. Contracting officers are barred from awarding, extending, or exercising options on covered contracts unless SPRS reflects that status. So the operational goal isn’t “get a certificate” — it’s “have the right, current, defensible status visible in SPRS by your award date.” For a full walkthrough, see how SPRS scoring works.

Annual affirmations don’t end at the assessment

CMMC is not assess-once-and-forget. Both Level 2 paths (Self and C3PAO) and Level 3 require annual affirmations to maintain status. A senior company official — the Affirming Official — signs that affirmation, and that signature carries weight.

The affirmation has teeth: False Claims Act risk

When your Affirming Official attests to your CMMC or NIST compliance, that’s a representation to the federal government. A false cybersecurity affirmation can create False Claims Act risk for the company and, in appropriate cases, for individuals. That’s not theoretical: the Department of Justice’s Civil Cyber-Fraud Initiative uses the False Claims Act to pursue contractors and grant recipients who knowingly misrepresent their cybersecurity practices, and it has produced multimillion-dollar settlements. This is the legitimate reason you don’t paper over gaps: the consequence of a false affirmation isn’t just a lost bid. It can be a fraud claim against your company and the person who signed.

Can you win a 2026 award on a conditional status or a POA&M?

Sometimes — but within strict limits. Level 1 allows no POA&Ms at all. For Level 2, a Conditional status requires a score of at least 88 of 110 (80%), with gaps allowed only on lower-weighted requirements, and every POA&M item must close within 180 days. For Level 2 and Level 3, a conditional status is sufficient to receive an award; Level 1 requires a final status before award. A POA&M is a narrow closeout mechanism, not a strategy for starting late.

| Level | POA&M allowed? | Conditional period | Closeout actor | Award on conditional? |
| Level 1 | No | N/A | N/A | No — final status required |
| Level 2 (Self) | Limited | 180 days | Self-assessment closeout | Yes |
| Level 2 (C3PAO) | Limited | 180 days | Authorized C3PAO closeout | Yes |
| Level 3 | Limited | 180 days | DCMA DIBCAC | Yes (final Level 2 required first) |

Each of the 110 Level 2 requirements is weighted 1, 3, or 5 points by importance. You start at 110 and subtract the assigned value for each requirement scored NOT MET, which can drive the score negative. Partial credit exists only in two limited cases: multifactor authentication (IA.L2-3.5.3) and FIPS-validated encryption (SC.L2-3.13.11). A score of 88 to 109 can earn a Conditional status; a perfect 110 with everything met is a Final status. Source: 32 CFR § 170.24 and § 170.21, read June 15, 2026.

What you cannot put on a POA&M

This is where late starters get caught. POA&Ms are limited to 1-point requirements — with one narrow exception, the CUI encryption requirement (SC.L2-3.13.11), which can sit on a POA&M at a 3-point value if you’re using encryption that isn’t yet FIPS-validated. Beyond that, every 3- and 5-point requirement must be fully met at the assessment — and so must six specific 1-point requirements that the rule excludes by name:

Cannot be deferred to a POA&M:

  • Every 5-point requirement (e.g., the highest-risk access, identification, and incident-response controls)
  • Every 3-point requirement
  • AC.L2-3.1.20 — external system connections
  • AC.L2-3.1.22 — control of publicly posted information
  • CA.L2-3.12.4 — System Security Plan
  • PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5 — physical access controls

Source: 32 CFR § 170.21(a)(2). The majority of the 110 requirements have to be fully implemented before an assessor scores them. That’s why a POA&M can’t rescue a weak starting position — it can only finish a strong one.
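
The Level 2 scoring and POA&M rules described above, worked through in Python as an added example (not code from the rule, DoD, or this publication). The caller supplies the points deducted for each NOT MET requirement, which is also how the two partial-credit cases enter; the PLACEHOLDER-* identifiers, the helper names, and the "Not eligible" label are constructed for illustration.

```python
from dataclasses import dataclass

MAX_SCORE = 110        # starting score before deductions
CONDITIONAL_MIN = 88   # 88 to 109 can earn a Conditional status

# 1-point requirements the article lists as barred from a POA&M by name.
EXCLUDED_ONE_POINT = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
# The one exception: CUI encryption may sit on a POA&M at a 3-point value
# (encryption in use, but not yet FIPS-validated).
ENCRYPTION_EXCEPTION = "SC.L2-3.13.11"


@dataclass(frozen=True)
class Finding:
    """One requirement scored NOT MET and the points deducted for it."""
    req_id: str
    points: int  # 1, 3 or 5, as assigned by the assessment


def poam_eligible(finding: Finding) -> bool:
    """True if this gap may be deferred to a POA&M under the rules above."""
    if finding.req_id == ENCRYPTION_EXCEPTION:
        return finding.points == 3
    return finding.points == 1 and finding.req_id not in EXCLUDED_ONE_POINT


def evaluate_level2(not_met: list[Finding]) -> dict:
    """Score a Level 2 assessment and decide which status it can support."""
    seen = set()
    for f in not_met:
        if f.points not in (1, 3, 5):
            raise ValueError(f"{f.req_id}: deduction must be 1, 3 or 5")
        if f.req_id in seen:
            raise ValueError(f"{f.req_id}: listed more than once")
        seen.add(f.req_id)

    # Start at 110 and subtract; the result can go negative.
    score = MAX_SCORE - sum(f.points for f in not_met)
    blockers = sorted(f.req_id for f in not_met if not poam_eligible(f))
    poam = sorted(f.req_id for f in not_met if poam_eligible(f))

    if not not_met:
        status = "Final"
    elif score >= CONDITIONAL_MIN and not blockers:
        status = "Conditional"
    else:
        # Either the score is under 88 or a gap cannot go on a POA&M.
        status = "Not eligible"
    return {"score": score, "status": status, "blockers": blockers, "poam": poam}


def placeholder_gaps(count: int, points: int) -> list[Finding]:
    """Constructed sample findings; the IDs are not real requirement IDs."""
    return [Finding(f"PLACEHOLDER-{points}PT-{i:02d}", points) for i in range(count)]


if __name__ == "__main__":
    cases = {
        "twelve 1-point gaps plus non-FIPS encryption":
            placeholder_gaps(12, 1) + [Finding(ENCRYPTION_EXCEPTION, 3)],
        "one excluded 1-point gap (score 109)":
            [Finding("AC.L2-3.1.20", 1)],
        "twenty-three 1-point gaps (score 87)":
            placeholder_gaps(23, 1),
    }
    for name, findings in cases.items():
        result = evaluate_level2(findings)
        print(f"{name}: {result['score']} {result['status']} {result['blockers']}")
```

The second case is the one late starters miss: a score of 109 still cannot earn a Conditional status when the single open item is one the rule excludes from POA&Ms.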

Level 3 is scored on its own scale

Don’t apply the 88/110 math to Level 3. Level 3 is built on the 24 selected NIST SP 800-172 requirements, and a Conditional Level 3 (DIBCAC) status requires the Level 3 assessment score divided by the total Level 3 requirements to be at least 0.8 (32 CFR § 170.21(a)(3)), plus an existing final Level 2 (C3PAO) status for the same scope and a Level 3 affirmation in SPRS. Same 180-day closeout rule applies, with DCMA DIBCAC running the closeout.

A POA&M is not a rescue plan

If your conditional items don’t close within 180 days, your status expires — and that can break your eligibility right when an award or option is on the line. The companies that get burned are the ones who treated a POA&M as a way to start late. Treat it as what it is: a way to finish a strong assessment, not begin a weak one. For deeper coverage, read our post-gap assessment guide.

Do subcontractors face the same 2026 CMMC deadline?

Yes — though not always on the same date as the prime, and not always at the same level. CMMC requirements flow down through the supply chain to every tier where a subcontractor processes, stores, or transmits FCI or CUI, and the prime’s flow-down can become your practical deadline, sometimes ahead of the public phase. Your required level depends on the information you actually handle, which can be lower than the prime’s. A subcontractor doesn’t get an exemption just for not being the prime.

| Your role in the supply chain | Likely CMMC level |
| Subcontractor handling FCI only | Generally Level 1 when CMMC applies — confirm the exact flow-down language |
| Subcontractor receiving CUI from a prime | Likely Level 2; if prime is Level 2 (C3PAO) and you handle CUI, you may need Level 2 (C3PAO) too |
| Prime responsible for sub compliance | Prime remains responsible even without direct access to sub’s SPRS records |
| Prime’s ability to waive CMMC for a sub | None — a prime has no authority to waive CMMC flow-down requirements |

What to ask your prime before you accept a deadline

Don’t accept a vague “you’ll need CMMC.” Send this. (Copy it.)

  1. Will this subcontract require us to process, store, transmit, create, or access CUI — or only FCI?
  2. Which DFARS clauses and which CMMC level and assessment type are being flowed down to us?
  3. Is the required CMMC status needed before subcontract award, before any CUI transfer, or before a later option or task order?
  4. What specific CUI categories, if any, will we receive?

The answers turn “someday” into a date — and tell you which provider category you actually need.

For a full look at how requirements move through the supply chain, see our CMMC flow-down requirements guide.

What to do now, based on how much runway you have

Work backward from the contract event, not the public deadline. If your award, option, or flow-down is inside the next few months, verify the clause, level, SPRS status, affirmation, and scope immediately. If your likely trigger is after November 10, 2026, use the time to finish scoping, remediation, evidence, and — if you’ll need a C3PAO — assessment scheduling, because the queue is the constraint. The single most expensive mistake is planning from a blog date instead of your own award date.

| Your deadline window | Risk | What to do now |
| 0–90 days | High | Verify the clause, required level, SPRS status, and affirmation; determine whether a conditional status is even possible for you |
| 3–6 months | High / moderate | Finish scope, SSP, evidence, and gap remediation; choose your provider category |
| 6–12 months | Moderate | Build or harden the environment, close control gaps, and — if needed — get in an assessor's queue early |
| 12+ months | Manageable if you start now | Build a sustainable CMMC program instead of a last-minute evidence scramble |
| Unknown | High until clarified | Identify your FCI/CUI, ask the prime or contracting officer for specifics, and document your assumptions |

If you're FCI-only: Confirm there's no CUI → map to the 15 FAR 52.204-21 safeguards → complete the Level 1 self-assessment → submit and affirm in SPRS if required → reaffirm annually.

If you handle CUI but only need Level 2 (Self): Confirm CUI scope → build your SSP → score against NIST SP 800-171 Rev. 2 → remediate the high-impact (3- and 5-point) gaps first → post and maintain your SPRS status and affirm.

If you expect Level 2 (C3PAO): Complete scoping → finish implementation and remediation → build your evidence library → run a readiness review (a mock assessment) → engage an authorized C3PAO only when you're genuinely assessment-ready → plan for annual affirmations.

If you don't know whether you have CUI: Stop. Do not buy a C3PAO assessment to answer a scoping question. First determine whether your contracts require you to create, receive, access, store, or transmit CUI. Scope drives the boundary, the cost, the provider category, the assessment type, and the schedule.

Which provider category fits your 2026 CMMC deadline?

If you’re still scoping, remediating, or building evidence, you need readiness help — a Registered Provider Organization (RPO), a CMMC-focused managed service or security provider (MSP/MSSP), a virtual CISO, a documentation/SSP/POA&M provider, a Microsoft GCC High or CUI-enclave implementer, or a governance/risk/compliance (GRC) workflow tool. If your scope, controls, SSP, evidence, and SPRS status are stable, then a C3PAO assessment path is appropriate. The right category depends on the problem you’re actually solving — not on whoever markets hardest.

| Your problem | Better-fit category | Why |
| "We don't know our level or scope" | RPO / readiness advisor | Level and scope must come before any quote |
| "We have CUI in Microsoft 365 Commercial" | CMMC-focused MSP / GCC High / enclave implementer | Your environment architecture likely needs remediation |
| "We need an SSP, evidence, and POA&M help" | Readiness provider / GRC workflow tool | Assessment readiness requires documented evidence |
| "We need monitoring, logging, security operations" | MSSP / managed compliance provider | Operational controls have to be sustained, not just installed |
| "We're ready for the certification assessment" | Authorized C3PAO | A formal assessment is separate from implementation |
| "We may need Level 3" | Level 2 (C3PAO) path, then DIBCAC readiness | Level 3 requires a final Level 2 first |

Readiness help is not the same as assessment help

This matters for more than tidiness — it’s a conflict-of-interest line in the program. Do not assume the firm that implements your controls can also perform your certification assessment. The Cyber AB’s CMMC Assessment Process and Code of Professional Conduct address assessor conflicts of interest, and a C3PAO that runs a practice (“non-certification”) assessment faces strict conditions before it can later certify the same organization. Keep readiness/implementation and formal assessment appropriately separated, and ask any C3PAO to disclose and mitigate conflicts before you engage. See how to find an authorized C3PAO.

A reality check on software

No GRC tool, on its own, makes you CMMC compliant. Software helps you organize evidence, track controls, and run continuous compliance — it’s a supporting layer, not the whole solution. If a platform implies otherwise, that’s your cue to slow down.

What to verify before you pay anyone

  • Their provider category (readiness, implementation, software, or assessment — and which they’re not)
  • Their Cyber AB Marketplace status, where relevant — use the Cyber AB Marketplace as the public place to check it, and ask the provider to reconcile anything you can’t find
  • Whether they implement, assess, or both in separate engagements
  • Whether they actually understand your contract clause and your CUI scope
  • What deliverables you receive, and whether and how they’ll handle CUI
  • Any compensation or referral relationship — including with us

When not to call a C3PAO yet

If your CUI scope, SSP, evidence library, control ownership, cloud boundary, or SPRS assumptions are unstable, you’re probably not assessment-ready. Calling an assessor now mostly burns calendar and budget. Get readiness help first, then schedule the assessment. Our CMMC provider categories guide covers each category in detail. For curated options, see best CMMC consultants for defense contractors and our who to hire first framework.


Tell us your level, scope, timeline, and whether you need readiness, implementation, software, or assessment support, and we’ll help identify the provider categories that fit your situation — and the source-checked options within them. Please don’t submit CUI or sensitive contract documents through the form.


Do COTS-only contracts and DoD waivers change your deadline?

Yes, for a narrow set of contractors. Contracts solely for the acquisition of commercially available off-the-shelf (COTS) items are excluded from CMMC. Separately, in very limited circumstances a senior DoD acquisition executive may waive inclusion of CMMC requirements for a specific solicitation or contract — but a waiver is rare, time-bound, and does not erase your other cybersecurity obligations. Neither is a strategy; both are exceptions.

COTS-only is out. The DFARS rollout applies to applicable solicitations and contracts except those solely for COTS items (DFARS Subpart 204.75). If everything you sell on a contract is a COTS product, CMMC’s clause and provision generally don’t attach. Confirm it against your actual solicitation language before you rely on it.

Waivers are real but rare. Under 32 CFR § 170.5(d), “in very limited circumstances,” a Service Acquisition Executive or Component Acquisition Executive (or a delegate) may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. Two things to keep in mind: a waiver covers that procurement, not your company at large; and even with a waiver, you remain obligated to comply with applicable cybersecurity and information-security requirements — including the DFARS 252.204-7012 safeguarding and incident-reporting duties tied to NIST SP 800-171. Do not plan around a waiver you don’t have in writing.

What we verified for this CMMC deadlines 2026 guide

We verified the deadline framework against primary or authoritative sources — 32 CFR Part 170, the DFARS rule and clause text on Acquisition.gov and the eCFR, the Federal Register, DoD CIO CMMC guidance, NIST publication references incorporated by the rule, and Cyber AB material — on June 15, 2026. We did not use Reddit, LinkedIn, or vendor blogs as authority for any regulatory claim.

| Claim | Source type | Source checked | Last verified |
| --- | --- | --- | --- |
| CMMC program established under 32 CFR Part 170 (eff. Dec 16, 2024) | Primary (rule) | Federal Register / eCFR | June 15, 2026 |
| Phase 1–4 schedule; Phase 2 one year after Phase 1 | Primary (rule) | 32 CFR § 170.3(e) + DFARS effective date | June 15, 2026 |
| DFARS rule effective Nov 10, 2025 (DFARS Case 2019-D041) | Primary (rule) | Federal Register 2025-17359 | June 15, 2026 |
| CMMC status required prior to award; offeror ineligible without it | Primary (clause) | DFARS 252.204-7025 | June 15, 2026 |
| Maintenance, flow-down, CMMC UID, annual affirmations | Primary (clause) | DFARS 252.204-7021 | June 15, 2026 |
| Conditional OK for award at L2/L3; L1 needs final; COTS excluded | Primary (rule) | DFARS Subpart 204.75 | June 15, 2026 |
| Level 2 = NIST SP 800-171 Rev. 2; scoring & partial-credit cases | Primary (rule) | 32 CFR § 170.24 | June 15, 2026 |
| POA&M limits, 88/110 threshold, named exclusions, 180-day closeout | Primary (rule) | 32 CFR § 170.21 | June 15, 2026 |
| Level 3 prerequisite (final Level 2) and Level 3 scoring threshold | Primary (rule) | 32 CFR § 170.18 + § 170.21 | June 15, 2026 |
| DoD waiver authority (very limited circumstances) | Primary (rule) | 32 CFR § 170.5(d) | June 15, 2026 |
| False Claims Act / cybersecurity fraud enforcement | Authoritative (DOJ) | DOJ Civil Cyber-Fraud Initiative | June 15, 2026 |
| C3PAO count, assessor counts, certifications (Mar 2026) | Ecosystem source | Cyber AB Town Halls (Jan/Feb/Mar 2026) | June 15, 2026 |
| ~1% readiness rate; 6–18-month readiness range | DCR analysis | DCR calculation / DCR provider dataset | June 15, 2026 |

What we did not verify

  • We did not verify any named provider’s live Cyber AB Marketplace status on this page — this is a timeline page, and we don’t feature named providers here.
  • We did not verify your contract’s CMMC requirement, review your CUI scope, or assess your environment.
  • We did not provide legal, contracting, or compliance advice — for a binding interpretation of your clause, talk to your contracting officer and qualified counsel.
  • The ecosystem figures are the most recent we could confirm as of the March 2026 Cyber AB Town Hall; we refresh them after each Town Hall.

CMMC deadlines 2026: FAQ

The short version: November 10, 2026 is the major Phase 2 CMMC date, but your enforceable deadline is whatever your solicitation, contract, option, or prime flow-down requires. These are the follow-ups that usually send contractors back to searching.

What is the CMMC deadline in 2026?
The key 2026 date is November 10, 2026, when Phase 2 begins and Level 2 (C3PAO) certification becomes a likely condition of award for applicable contracts involving CUI. There is no single universal deadline — your enforceable requirement is set by your solicitation, award, option, or prime flow-down.

Is the CMMC deadline October 31 or November 10, 2026?
Use November 10, 2026 as the primary-source Phase 2 date, tied to 32 CFR § 170.3(e) and the DFARS rule's effective date. "October 2026" is planning shorthand some pages use, not the codified trigger.

Do existing contracts have to meet CMMC in 2026, or only new awards?
The requirement attaches through new solicitations, new awards, and — as the phases progress — option exercises that carry the CMMC clause. Phase 4 (Nov 10, 2028) explicitly reaches option periods on contracts awarded earlier. An existing contract without the clause isn't retroactively re-papered, but your next option or recompete can pull CMMC in.

Do option periods after November 10, 2026 trigger CMMC?
They can. Contracting officers are barred from exercising options unless SPRS reflects your current required status, and Phase 3 specifically extends Level 2 (C3PAO) to option exercises. Treat an upcoming option like an award date when you plan.

Are COTS-only contracts excluded from CMMC?
Yes. Contracts solely for commercially available off-the-shelf (COTS) items are excluded under DFARS Subpart 204.75. Confirm your solicitation is truly COTS-only before relying on the exclusion.

Can DoD waive a CMMC requirement?
Rarely. Under 32 CFR § 170.5(d), a senior DoD acquisition executive may waive CMMC for a specific procurement in very limited circumstances — but you remain bound by your other cybersecurity obligations, and a prime cannot waive CMMC for a subcontractor.

Is CMMC mandatory in 2026?
It can be, whenever an applicable solicitation, contract, option, or flow-down requires it. Phase 1 is already active, and Phase 2 begins November 10, 2026.

Do all Level 2 contractors need a C3PAO in 2026?
No. Some Level 2 work is self-assessed (Level 2 Self) and other Level 2 work requires a C3PAO. The assessment type is set by the contract via DFARS 252.204-7025, not by your preference.

Can DoD require a C3PAO assessment before November 10, 2026?
Yes. During Phase 1, DoD may require Level 2 (C3PAO) at its discretion for applicable solicitations and contracts.

Do subcontractors need CMMC?
Yes, if they process, store, or transmit FCI or CUI under an applicable DoD contract or subcontract. The required level depends on the information handled and the prime's flow-down, and a prime's deadline can apply to a subcontractor ahead of the public phase.

Can a POA&M get us through award?
Sometimes, for Level 2 or Level 3, within strict limits — a minimum Level 2 score of 88 of 110, gaps only on eligible 1-point requirements, closed within 180 days. Level 1 allows no POA&Ms. A conditional Level 2/3 status can support an award; Level 1 needs a final status.

Does CMMC use NIST SP 800-171 Rev. 2 or Rev. 3 in 2026?
The current rule maps Level 2 to Revision 2 (110 requirements, 14 control families). Don't treat Revision 3 as controlling unless and until DoD updates the rule.

What should we do first if we're behind?
Confirm whether you handle FCI, CUI, or both. Then check the solicitation or flow-down language, identify the required level and assessment type, verify your current SPRS status, and build a plan backward from your award or option date.

Can a C3PAO implement our controls and then assess us?
Don't assume that. Treat readiness and formal assessment as separate engagements and verify the conflict-of-interest rules before you hire. Per the Cyber AB, only Authorized C3PAOs can conduct certification assessments.


Last verified: June 15, 2026. We re-verify this page after each Cyber AB Town Hall and whenever the Federal Register or eCFR text changes. If you believe a claim is outdated or incorrect, see our corrections policy.
