The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Phase 2 Deadline: What November 10, 2026 Actually Means for Your Contracts

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified:

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

If you searched CMMC Phase 2 deadline, you already have a date stuck in your head: November 10, 2026.So here’s the bottom line before you read another word.

November 10, 2026 is the day CMMC Phase 2 begins — the point at which the Department of Defense (DoD) intends to start requiring CMMC Level 2 (C3PAO) certification (an independent, third-party assessment, not a self-assessment) as a condition of award for applicable contracts that involve Controlled Unclassified Information (CUI). It is not a universal deadline requiring every defense contractor to hold a certificate by that day. Your real deadline is the moment a CMMC requirement lands in a solicitation, contract, option period, or prime flow-down you actually need. If you handle only Federal Contract Information (FCI) and never touch CUI, Level 1 (Self) — not Level 2 (Self) or Level 2 (C3PAO) — is the CMMC path to check.

There’s one word buried in the regulation that most “deadline” articles skip right over. It’s the single word that separates Phase 2 from Phase 3, and it’s the reason your timeline may look nothing like your competitor’s. We read the rule line by line. Here’s what it actually says — and what to do about it.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.


Which CMMC Phase 2 situation are you in?

Your Phase 2 deadline depends on what you handle, what your contract says, and whether you’re a prime or a sub. Find your row first, then keep reading for the detail and the primary sources behind each one.

CMMC Phase 2 situation finder — find your row and first move
If this is youWhat November 10, 2026 likely meansYour first move
You handle only FCI, no CUINot a Level 2 certification event. Level 1 (Self) is your lane.Confirm no CUI is in scope; verify Level 1 self-assessment status
You handle CUI, contract says Level 2 SelfNo C3PAO required for that contract unless it says soValidate scope, SSP, SPRS score, and annual affirmation
You handle CUI, contract says Level 2 (C3PAO)This is the core Phase 2 population — plan for third-party certificationStart readiness now; book a C3PAO only when you’re actually ready
Your prime is asking earlyFlow-down can create an earlier practical deadline than the DoD’sGet the required level, assessment type, and CUI scope in writing
You’re on an existing contract with optionsThe requirement may attach at your next option, not on Nov. 10 itselfTreat the option-exercise date as your real deadline
You supply only COTS itemsGenerally exempt from CMMCConfirm your work is truly COTS-only

Educational research, not legal, contractual, or compliance advice. Confirm applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

Map your CMMC Phase 2 situation

Tell The Defense Compliance Report’s Find My CMMC Path tool your level, CUI scope, assessment type, and timeline, and it will point you to the provider category to evaluate first — not a named-provider ranking, and never a certification guarantee.

Do not submit CUI, drawings, controlled technical information, or sensitive contract details. Provider matching may generate referral, sponsorship, or partner compensation when disclosed. It does not influence our regulatory analysis or category guidance.

Find My CMMC Path →

Is November 10, 2026 a universal CMMC deadline?

No. November 10, 2026 is the start of CMMC Phase 2, when the DoD intends to begin requiring Level 2 (C3PAO) certification for applicable CUI contracts as a condition of award — not a date by which every contractor must be certified. Your actual deadline is set by your contract: the day a CMMC Level 2 (C3PAO) requirement appears in a solicitation, award, or option period you need.

This is where most of the internet gets it wrong, and where the anxiety comes from. Vendors talk about November 10, 2026 like a single cliff every company in the Defense Industrial Base (DIB) falls off on the same day. That’s not how the rule is built.

Here’s the word we promised you. In the CMMC Program Rule (32 CFR § 170.3(e)), Phase 2 says the DoD “intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicableDoD solicitations and contracts as a condition of contract award.” Read the very next paragraph — Phase 3 — and the language changes to “all applicableDoD solicitations and contracts.” That difference between applicable and all applicableis not an accident. It’s the DoD telling you, in its own regulation, that Phase 2 is a rollout that attaches to specific contracts, and that the blanket, everyone-in application arrives later.

We checked the current eCFR version of 32 CFR Part 170 on June 30, 2026. The requirement is also tied to the type of information on your systems: the rule puts DoD program managers in charge of selecting the CMMC status for each procurement based on whether it involves FCI or CUI (32 CFR § 170.3(d)). The DoD can even waive CMMC requirements for a procurement in advance (32 CFR § 170.3(c)) — though, as we’ll cover below, the government’s own watchdog has warned against leaning on that waiver too hard.

So the honest translation is this: the date is real, but it is a contract implementation milestone, not a universal certification cliff. What matters for you is whether — and when — a Level 2 (C3PAO) requirement shows up in the specific work you want to win or keep.


What actually changes on November 10, 2026?

In Phase 1 (since November 10, 2025), the DoD has included Level 1 (Self) and Level 2 (Self) requirements in applicable contracts while keeping the discretion to require a C3PAO assessment. Phase 2 adds Level 2 (C3PAO) as a condition of award for applicable CUI contracts — meaning an accredited outside firm independently verifies all 110 NIST SP 800-171 Revision 2 requirements. Where a contract requires Level 2 (C3PAO), a self-assessment does not satisfy it.

Phase 1 has been in effect since the DFARS acquisition rule took effect on November 10, 2025 (Federal Register, DFARS final rule). The practical shift in Phase 2 is the level of scrutiny for applicable CUI work: from a self-assessment you perform and post, to an independent assessment a third party conducts.

Phase 1 vs Phase 2 comparison — what changes November 10, 2026
What changesPhase 1 (from Nov. 10, 2025)Phase 2 (from Nov. 10, 2026)
Who it targetsApplicable Level 1 and Level 2 contractsAdds applicable Level 2 (C3PAO) contracts
Level 2 (Self) for CUIIncluded for applicable contractsStill available only where the contract specifies it
Level 2 (C3PAO) for CUIAt DoD discretion, in select casesIntended for applicable contracts as a condition of award
Who performs a Level 2 assessmentYou (self), or a C3PAO if the contract requires itYou (self) where allowed, or an accredited C3PAO
Does self-attestation satisfy a C3PAO requirement?NoNo
Level 3 (DIBCAC)Possible at DoD discretionPossible at DoD discretion
Annual affirmationRequired where applicableRequired where applicable

The biggest misunderstanding worth killing right now: Phase 2 does not erase every self-assessment path overnight. It expands the use of Level 2 (C3PAO) requirements for applicable contracts. Whether your specific contract requires “Self” or “C3PAO” is a fact stated in the solicitation — not something the calendar decides for you.


The full CMMC phase-in timeline (Phases 1–4)

CMMC rolls out over four phases under 32 CFR § 170.3(e). Phase 1 began November 10, 2025 (Level 1/Level 2 self-assessment). Phase 2 begins November 10, 2026 (Level 2 C3PAO for applicable CUI contracts). Phase 3 begins November 10, 2027 (Level 2 C3PAO for all applicable contracts, plus Level 3 DIBCAC). Phase 4 begins November 10, 2028 (full implementation across all applicable DoD contracts).

Full CMMC phase-in timeline from 2024 through 2028
MilestoneDateWhat it triggers
CMMC Program Rule effectiveDec. 16, 202432 CFR Part 170 takes effect; voluntary assessments possible
DFARS acquisition rule effective / Phase 1Nov. 10, 2025DoD begins including Level 1/Level 2 self-assessment requirements in applicable contracts
Phase 2Nov. 10, 2026DoD intends to require Level 2 (C3PAO) for applicable CUI contracts as a condition of award
Phase 3Nov. 10, 2027Level 2 (C3PAO) for all applicable contracts, plus Level 3 (DIBCAC) where applicable
Phase 4 (full implementation)Nov. 10, 2028CMMC in all applicable DoD solicitations and contracts, including option periods on prior awards

Two things to take from this table. First, the phases each begin one calendar year apart, by rule. Second, full implementation — the broadest phase, applying CMMC across applicable DoD solicitations and contracts that involve FCI or CUI — is Phase 4 in November 2028, not Phase 2. That’s the structural reason November 10, 2026 is not the universal deadline it’s often made out to be.

For the deep dive on each level, see our CMMC levels overview and CMMC certification process guides.


So when is your real CMMC Phase 2 deadline?

Your real deadline is the earliest date a CMMC requirement attaches to work you need. For a new award, the required CMMC status (at the level in the solicitation, or higher) must be current prior to award — which in practice means being ready well before you bid. For an option period, it’s before the option is exercised. For a subcontractor, it’s whatever evidence date your prime sets, which is frequently earlier than the DoD’s own milestone.

This is the part no one else will give you in one place, so we built it. We call it the CMMC Phase 2 Deadline Triage Matrix. It combines the phase timing from 32 CFR Part 170, the contract-trigger language from the DFARS clauses, the FCI-versus-CUI split, and the option-period and flow-down mechanics into a single grid. If you had to assemble this yourself, you’d be opening the CFR, two DFARS clauses, and a stack of vendor blogs. Here it is on one screen.

CMMC Phase 2 Deadline Triage Matrix — your situation, whether Nov. 10, 2026 applies, what to check, required status, effective deadline, and primary source
Your situationDoes Nov. 10, 2026 auto-require certification?What to check firstLikely required statusYour effective deadlineVerify (primary source)
No FCI or CUI on your systemsUsually no, unless a clause says otherwiseSolicitation scope and information typesNone unless the contract requires itN/A until scope changes32 CFR § 170.3
FCI onlyNot a Level 2 certification eventWhether the contract requires Level 1 (Self)Final Level 1 (Self) + annual affirmationWhen Level 1 appears in a solicitation you want (possible now)32 CFR § 170.15; FAR 52.204-21
CUI, contract says Level 2 SelfNo C3PAO unless the contract requires itDFARS 252.204-7025 level and assessment typeLevel 2 (Self), SPRS score, annual affirmationWhen a Level 2 (Self) contract you want is solicited32 CFR § 170.16
CUI, contract says Level 2 (C3PAO)Yes, for that applicable contract/award/optionWhether Level 2 (C3PAO) is required prior to awardFinal or Conditional Level 2 (C3PAO) + affirmationRequired status must be current prior to award — realistically, be ready before you bid32 CFR § 170.17; DFARS 252.204-7021
Existing contract with a future optionNot necessarily on Nov. 10 itselfWhether the requirement attaches at the optionDepends on option language and clause insertionYour next option-exercise date that carries the requirement32 CFR § 170.3(e)
Subcontractor receiving CUI flow-downThe prime may set an earlier practical deadlinePrime flow-down language, data type, required levelWhatever the prime requires for the workThe prime’s required date (often earlier than DoD’s)32 CFR § 170.23; DFARS 252.204-7021 flow-down
Level 3 candidatePhase 2 can include Level 3 at DoD discretionWhether the contract identifies Level 3Final Level 2 (C3PAO) first, then DIBCAC Level 3When Level 3 appears in your contract32 CFR § 170.18

This matrix is educational research, not legal or contractual advice. Your contract clause and CUI handling set your level — this table helps you ask the right questions.

As of this review — June 30, 2026 — Phase 2 is about 19 weeks away (roughly 133 days).

That sounds like room. It usually isn’t. Readiness for a Level 2 (C3PAO) assessment is commonly described as a six-to-nine-montheffort for a company building its program — that’s the range CyberSheath’s leadership gave in National Defense Magazine — and published market estimates put C3PAO scheduling lead times in the three-to-six-month range, with some assessors reporting windows of four to five months and growing. Do the arithmetic: if you handle CUI, expect a Level 2 (C3PAO) requirement, and are starting from a standing start today, a clean, non-conditional certificate beforeNovember 10, 2026 is a tight — sometimes impossible — window. That doesn’t mean you’re stuck. It means the smart move is to figure out your exact situation now, not in October.

If you’re not sure which category of help you actually need — readiness, a managed environment, evidence software, an enclave, or an assessor — that’s the entire reason we built the tool.


Do you need a C3PAO assessment, or does a self-assessment still count?

It depends on your information type and your specific contract. FCI-only work uses Level 1 (Self). CUI work is Level 2 — and whether that’s Level 2 (Self) or Level 2 (C3PAO) is stated in the solicitation. Phase 2 makes Level 2 (C3PAO) the intended requirement for applicable CUI contracts as a condition of award; a limited share of Level 2 work may still permit self-assessment where the contract says so.

The distinction matters because the two paths differ in cost, timeline, and who has to sign off. A self-assessment is something your team performs and posts to the Supplier Performance Risk System (SPRS). A C3PAO assessment brings in an accredited third party to examine, interview, and test your environment against all 110 requirements. Same underlying standard — very different level of scrutiny.

CMMC Level 1 Self vs Level 2 Self vs Level 2 C3PAO comparison
QuestionLevel 1 (Self)Level 2 (Self)Level 2 (C3PAO)
Information typeFCI onlyCUI (where contract allows self)CUI (Phase 2 requirement for applicable contracts)
Who assessesYouYouAn accredited C3PAO
Requirements15 (FAR 52.204-21)110 (NIST SP 800-171 Rev. 2)110 (NIST SP 800-171 Rev. 2)
CadenceAnnual self-assessmentEvery 3 years + annual affirmationEvery 3 years + annual affirmation
Where status livesSPRSSPRSCMMC eMASS / SPRS
First provider to considerRPO or light readiness helpRPO, GRC platform, MSSP if gapsReadiness provider first if not ready; C3PAO when ready

Not sure you’re even in scope? Read this before you spend a dollar. If you handle only FCI and never touch CUI, the Phase 2 C3PAO requirement is not aimed at you — start with our CMMC Level 1 guidance instead of an assessor. And if your work won’t involve DoD contracts at all, you likely don’t need CMMC; confirm applicability with a Registered Practitioner or a federal-contracts attorney before you buy anything. We’d rather you leave this page correctly than pay for the wrong step. For a full side-by-side, see our CMMC Level 2 self-assessment vs C3PAO comparison.


The honest part: if you have CUI and no scope yet, here’s the truth

We’re going to tell you something most vendors won’t, because we don’t sell readiness services or assessments and we don’t rank “best providers” — so we have no reason to soften it.

If you handle CUI today and you don’t yet have a defined scope, a current System Security Plan (SSP), and an SPRS score, you are probably not assessment-ready — and no honest firm can promise you a clean Level 2 (C3PAO) certificate before your contract needs one.

That’s not us being pessimistic. It’s what assessors are seeing. In Alluvionic’s 2025 State of CMMC report — a survey of C3PAO assessors — only about 25% of surveyed assessors said organizations are typically well prepared when they arrive, about half reported delaying or turning away clients roughly half the time due to readiness gaps, and around 80% pointed to “assumed readiness without validation” as the leading cause of reschedules. Translation: the most expensive mistake in CMMC isn’t failing an assessment. It’s walking into one you weren’t ready for.

Here’s the pivot, and it’s genuinely good news. This is fixable, and the fix changes who you should call first. If you’re not ready, the first move is notto book a C3PAO — it’s readiness: scope your CUI, build the SSP, close your highest-weighted gaps, and get an honest self-assessment score. Do that now, and you’re in a strong position even with a tight calendar. There’s also a formal safety valve — Conditional certification — which we explain in the next section. And if you can’t get a clean certificate before a specific contract needs it, knowing that early lets you adjust your bid strategy instead of getting surprised.

Start with the readiness work, not the assessor

Download the CMMC Readiness Checklist, mapped to the 14 NIST SP 800-171 Rev. 2 control families, so you find your 3- and 5-point gaps before an assessor does.

Get the Readiness Checklist →

What happens if you’re not certified in time?

Missing November 10, 2026 does not automatically ban you from all DoD work. But if a solicitation, award, option, or prime flow-down requires a CMMC status you don’t hold, you’re ineligible for thatopportunity. There is a middle path: if you score at least 88 of 110 and your remaining gaps qualify, you can earn Conditional Level 2 and get 180 days to close a Plan of Action and Milestones (POA&M). It is not a free pass.

The scoring and POA&M rules are precise, and they’re where a lot of contractors get an unpleasant surprise. Here’s what the rule actually requires (32 CFR § 170.21 and § 170.17):

One terminology trap worth flagging: the post-assessment POA&M (time-bound, 180 days) is not the same thing as the ongoing Operational Plan of Action (OPA) the rule also defines. The OPA tracks day-to-day deficiencies and has no fixed remediation deadline. The CMMC Final Rule split these deliberately, and assessors will expect you to know the difference. For the full edge-case treatment, see our Conditional CMMC Level 2 Certificate page.


Did the 2026 FAR overhaul change the Phase 2 deadline?

No. The 2026 FAR overhaul did not move the Phase 2 date. What it created is clause-number confusion: under a February 1, 2026 DoD class deviation, some solicitations now use new constructs (FAR Part 40, FAR 52.240-93, DFARS Part 240, DFARS 252.240-7997), while the codified DFARS on Acquisition.gov still displays DFARS 252.204-7020 and the CMMC program rule (32 CFR Part 170) still references FAR 52.204-21 and DFARS 252.204-7020. DFARS 252.204-7021, the CMMC clause, and the November 10, 2026 Phase 2 milestone are unchanged.

This is where a lot of contractors got spooked in early 2026, so let’s clear it up carefully — because the truth is more nuanced than either “nothing happened” or “everything got renumbered.” On February 1, 2026, the DoD issued class deviations under the broader “Revolutionary FAR Overhaul,” directing contracting officers to use reorganized information-security constructs — a new FAR Part 40 and DFARS Part 240 — in solicitations that use the deviation. That’s real. But a class deviation runs aheadof formal rulemaking, so the codified regulation text hasn’t caught up. The result is a transition period in which both the old and new clause numbers are live, depending on where you look and which solicitation you’re reading.

We checked the primary sources ourselves. Here’s the honest ledger.

FAR overhaul impact on CMMC clauses — what changed and what to do
ItemCMMC program rule (32 CFR Part 170) still referencesCodified DFARS on Acquisition.gov (checked June 30, 2026)Class-deviation construct (Feb. 1, 2026)What to do
Level 1 baseline (15 FCI safeguards)FAR 52.204-21FAR text still uses 52.204-21Deviation solicitations may use FAR 52.240-93 (same requirements)Read your solicitation for whichever number it cites
Basic self-assessment requirement (old DFARS 252.204-7019)Standalone “Basic” self-assessment removed under the deviationAssessment obligations now run through the CMMC framework
NIST SP 800-171 DoD Assessment (DFARS 252.204-7020)Still references 252.204-7020Still displayed as a current clause (DFARS Change 5/7/2026)Deviation solicitations may use DFARS 252.240-7997Expect either number until rulemaking codifies the change
CMMC clause (DFARS 252.204-7021)References 252.204-7021UnchangedUnchangedThis is the clause that ties eligibility to your CMMC status
CMMC notice provision (DFARS 252.204-7025)References 252.204-7025UnchangedUnchangedTells you the required level and assessment type

The practical takeaway: none of the underlying obligations went away, the CMMC-specific clauses that govern your Phase 2 deadline weren’t touched, and if you’re reading a solicitation, check which construct it uses rather than assuming.

There is also a proposedFAR rule (FAR Case 2026-001, published at 91 FR 37550 in June 2026) with a public comment period. As of this writing it is a proposal, nothing is final, and — importantly — it does not change the CMMC Level 2 requirements or the November 10, 2026 Phase 2 date. We’re flagging it so that if you see headlines about it, you know it hasn’t changed your obligations. We re-check the Federal Register and Acquisition.gov on this every month.


What contract language should you check first?

Before you call a single vendor, check whether your solicitation or contract identifies Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). The provision that spells out the required level and assessment type before award is DFARS 252.204-7025 (Notice of CMMC Level Requirements); the clause that makes it a binding condition is DFARS 252.204-7021.

The single most useful thing you can do this week costs nothing: read your contract documents with the right questions in hand. DFARS 252.204-7025 is explicit — the contracting officer names the required CMMC level in the solicitation, and that level “is required prior to award” for each system that will handle FCI or CUI; an offeror without it is not eligible for award. Run this checklist against your documents.

If you can answer those, you know your real deadline. If a few of them are fuzzy — especially the CUI and scope questions — that fuzziness isthe problem to solve first, and it’s exactly what a Registered Provider Organization (RPO) or scoping engagement is for.

Turn your contract details into a next step

Drop the clause numbers, required level, assessment type, and timeline from your solicitation into Find My CMMC Path, and we’ll point you to the provider category to talk to first.

Do not enter CUI, drawings, or sensitive contract details.

Find My CMMC Path →

What if your cloud, MSP, or CUI enclave is in scope?

Cloud service providers (CSPs) and external service providers (ESPs) can pull your environment into CMMC scope. If CUI lives in Microsoft 365, GCC High, AWS GovCloud, a file-sharing or ticketing system, a backup platform, or an MSP-managed network, the provider and the shared-responsibility model matter — and a “compliance tool” by itself does not make you certified.

This is the section that quietly saves companies the most money and pain, because scope drives everything downstream: your cost, your timeline, and your odds of passing. The core principle from the rule is simple — if a system processes, stores, or transmits CUI, it’s in scope, and you need to document who is responsible for each control in a customer responsibility matrix and your SSP. Use the grid below to pressure-test your own environment.

Cloud and MSP CMMC scope considerations by system type
System / touchpointWhy it may be in scopeEvidence to gatherProvider-category implication
Email (Microsoft 365, GCC, GCC High)If CUI is sent or received by emailConfiguration, encryption, responsibility matrixMSSP or CUI enclave if not properly configured
File sharing / collaborationIf CUI is stored or shared thereAccess controls, encryption, sharing settingsCUI enclave or managed secure collaboration
Ticketing / help deskIf CUI ends up in tickets or attachmentsData-handling policy, access logsGRC platform + process change; possibly enclave
Backup / disaster recoveryIf backups contain CUIEncryption at rest, access controls, retentionMSSP or enclave provider
MSP remote monitoring & management (RMM)If the MSP can access CUI systemsMSP’s own responsibility matrix and controlsCMMC-focused MSP/MSSP; verify the MSP’s posture
CUI enclavePurpose-built to concentrate and protect CUIBoundary definition, SSP, control ownershipEnclave provider (can reduce your scope)
Cloud environment (GovCloud / GCC High)If CUI is processed or stored in the cloudFedRAMP status/equivalency, responsibility matrixManaged cloud / enclave provider

A few realities to internalize. Buying a GRC (governance, risk, and compliance) platform is genuinely useful for managing evidence and your SSP, but software is a supporting layer, not the whole solution — it does not implement your controls or make you compliant on its own. A CUI enclave can dramatically reduceyour scope, but only if it’s implemented and governed correctly and your SSP reflects reality. And for any external provider, you need a clear customer responsibility matrix: who owns which control, and who produces the evidence. If your CUI is scattered across commercial IT with no boundary, the most valuable early conversation is usually with a managed-environment or enclave provider to shrink and define scope — long before you talk to an assessor.


How to think about this as a subcontractor

Subcontractors often feel Phase 2 earlier than the public date. If a prime flows CMMC requirements down to you, your practical deadline becomes the prime’s evidence requirement — which can land well before the DoD’s own milestone. Get the required level, assessment type, and CUI scope from your prime in writing.

CMMC requirements flow down the supply chain by rule (32 CFR § 170.23), and primes are responsible for making sure their subs meet the required level for the work. Many primes aren’t waiting — they’re auditing their supply chains now, because a non-compliant sub is a risk to theireligibility. That’s why “we’ll deal with it in 2026” can be the wrong answer for a subcontractor whose prime needs proof this year.

Before you respond to a prime’s request, pin down the specifics:

Getting those answers in writing does two things: it tells you your real deadline, and it tells you which provider category to talk to first. If you’re staring at a prime’s email right now and not sure how to answer it, the fastest path is to map your requirement in Find My CMMC Path before you reply — no CUI required.


What the government’s own watchdogs say about the deadline

Two independent government reviews — one from the Government Accountability Office (GAO) in March 2026, one from the DoD Inspector General — confirm the two things that should shape your Phase 2 planning: assessment capacity is a real constraint, and you should verify a C3PAO’s current authorization yourself rather than trust marketing.

We lean on primary and government sources here on purpose, and these two are worth reading.

The Government Accountability Office (in GAO-26-107955, published March 12, 2026) found that the DoD had addressed six of seven elements of a comprehensive CMMC strategy but had not fully assessed the “external factors” that could impede the program. The report is blunt about capacity: as of December 2025, the Cyber AB had authorized 92 C3PAOs, and the DoD relies on the private sector to grow enough assessors to meet demand across a defense supply chain the GAO puts at roughly 200,000 companies. GAO also flagged that DoD’s fallback — issuing waivers when capacity gets tight — could undermine the program if overused, and it noted the same Revision 2 versus Revision 3 gap we cover below (CMMC is still pinned to the older standard). For context on demand, the Cyber AB reported at its February 2026 town hall that roughly 1,000 companieshad earned a third-party CMMC certification or were in the process. Ninety-two authorized C3PAOs for a roughly 200,000-company defense supply chain is the math behind every “book early” warning you’ve read — but note the more precise point the data supports: the binding constraint is as much contractor readiness as it is assessor supply.

The DoD Office of Inspector General (DODIG-2025-056) reviewed how C3PAOs get authorized and found the process wasn’t being effectively implemented — it identified cases where organizations were authorized without a fully verified quality-control lead or fully confirmed assessor staffing, because the DoD lacked a quality-assurance step. Why this matters to you: because Level 2 (C3PAO) status is tied to contract eligibility, relying on an inadequately authorized assessor can create real downstream contract risk if a certification is later called into question. The practical defense is simple. Before you sign an engagement letter, confirm the firm is listed as an Authorized C3PAO on the Cyber AB Marketplace on the day you sign, and put a dated copy of that listing in your file. A screenshot from six months ago is not evidence of current status.

Here’s how to hold the “who says so” straight — what the regulation states versus what’s been verified in practice:

Regulation-stated vs verified-in-practice facts about CMMC C3PAO authorization and capacity
PointRegulation-statedVerified in practice
Who may assessOnly an authorized/accredited C3PAO may perform a Level 2 certification assessment; the Cyber AB maintains the authoritative Marketplace list (32 CFR Part 170)GAO: 92 C3PAOs authorized as of Dec. 2025 for a ~200,000-company DIB
Assessment integrityThe DoD relies on a vetted authorization process for C3PAOsDoD OIG: found quality-assurance gaps in that authorization process
Your protectionVerify status before relying on an assessorCheck the firm’s “Authorized C3PAO” status on the Cyber AB Marketplace on signing day, and keep a dated copy

What we verified for this page

We take primary-source citation seriously, so here’s exactly what we checked and when. This is educational research, not legal or contractual advice.

Primary sources verified for this CMMC Phase 2 deadline page
What we verifiedSourceLast checked
Four-phase schedule and the “applicable” vs “all applicable” languageeCFR, 32 CFR § 170.3(e)June 30, 2026
DFARS acquisition rule effective date (Nov. 10, 2025)Federal Register, DFARS final rule (Sept. 10, 2025)June 30, 2026
Required CMMC level “prior to award”; offeror ineligible without itAcquisition.gov, DFARS 252.204-7025June 30, 2026
DFARS 252.204-7021 unchanged; DFARS 252.204-7020 still displayed (Change 5/7/2026)Acquisition.govJune 30, 2026
Feb. 1, 2026 class deviation introduced FAR 52.240-93 / DFARS 252.240-7997 constructsDoD class deviation (Revolutionary FAR Overhaul)June 30, 2026
Conditional status: 88/110, 1-point POA&M rule, 180-day closeouteCFR, 32 CFR §§ 170.17, 170.21, 170.24June 30, 2026
Level 2 maps to NIST SP 800-171 Rev. 2 (not Rev. 3)32 CFR § 170.2; GAO-26-107955June 30, 2026
92 authorized C3PAOs as of Dec. 2025; capacity findingsGAO-26-107955June 30, 2026
C3PAO authorization process gapsDoD OIG, DODIG-2025-056June 30, 2026
Proposed FAR rule (91 FR 37550) not in effect; deadline unchangedFederal Register, FAR Case 2026-001June 30, 2026

A note on standards versions, because it trips people up: CMMC Level 2 is measured against NIST SP 800-171 Revision 2, even though NIST published Revision 3 in May 2024. The DoD is holding CMMC to Revision 2 for now — changing it would require a fresh rulemaking — and the GAO specifically called out this gap. Do not let a vendor tell you Revision 3 controls your CMMC Level 2 assessment today; the rule still points to Revision 2 unless and until the DoD amends it. (Level 3 layers on 24 enhanced requirements selected from NIST SP 800-172, February 2021, as incorporated in the rule.)


Bottom line and your next step

November 10, 2026 is a real, fixed milestone — the start of Phase 2 — but it is not a universal certify-by-this-date deadline. What decides your timeline is the level and assessment type your contract requires, the information you handle, and whether a prime is moving faster than the DoD. Read your contract for DFARS 252.204-7025 and 252.204-7021, confirm your FCI/CUI scope, check your SPRS status, and figure out whether your first call should be to a readiness provider, a managed-environment or enclave provider, a GRC platform, or — only when you’re truly ready — a C3PAO.

If any of that is still unclear, don’t guess and don’t panic-buy. Take one small, concrete step.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, controlled technical information, export-controlled data, or sensitive contract details through this form.

Find My CMMC Path →

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our editorial and advertising policy.

This page is educational research, not legal, contractual, or compliance advice. Confirm contract interpretation, scope, and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level, not a checklist. Conflict-of-interest rules in the CMMC ecosystem (32 CFR Part 170) restrict a firm from conducting your Level 2 certification assessment if it also provided the consulting that prepared you for it — keep readiness help and formal assessment properly separated.


Frequently asked questions about the CMMC Phase 2 deadline

Is November 10, 2026 the CMMC deadline for everyone?

No. November 10, 2026 is the start of CMMC Phase 2, when the DoD intends to begin requiring Level 2 (C3PAO) certification for applicable CUI contracts as a condition of award (32 CFR § 170.3(e)). It is not a universal date by which every contractor must be certified; your real deadline is set by your specific solicitation, contract, option, or prime flow-down.

Do I have to be CMMC Level 2 certified by November 10, 2026?

Only if a contract you need requires it on or after that date. For many contractors the requirement attaches later — at a new solicitation or an option period — and for subcontractors it can attach earlier through a prime’s flow-down. The date to plan around is when a CMMC requirement lands in your work, not the phase start itself.

Does Phase 2 apply if I only handle FCI?

No. Work that involves only Federal Contract Information (FCI) and no Controlled Unclassified Information (CUI) falls under Level 1 (Self), which is an annual self-assessment against 15 requirements — not a C3PAO certification (32 CFR § 170.15).

Does the CMMC Phase 2 deadline apply to COTS-only work?

Generally no. The CMMC program does not apply to DoD contracts that are exclusively for commercially available off-the-shelf (COTS) items (32 CFR § 170.3). Confirm the solicitation, your data handling, and the contract scope before treating your work as exempt.

Can I still use a Level 2 self-assessment after Phase 2 starts?

Only where your specific contract requires Level 2 (Self) rather than Level 2 (C3PAO). Phase 2 makes Level 2 (C3PAO) the intended requirement for applicable CUI contracts, but the assessment type is set by the solicitation, not the calendar (32 CFR § 170.16).

What happens if my C3PAO assessment isn’t scheduled before my contract needs it?

You may be ineligible for that award or option until you hold the required status. Conditional Level 2 can bridge some gaps if you score at least 88 of 110 and your remaining items qualify, but it carries a 180-day closeout deadline and cannot cover your highest-weighted controls (32 CFR § 170.21).

Did the February 2026 FAR overhaul change the deadline or DFARS 252.204-7021?

No. A February 1, 2026 class deviation introduced new clause constructs (for example, FAR 52.240-93 and DFARS 252.240-7997) for solicitations that use the deviation and removed the standalone Basic self-assessment requirement. But the codified DFARS on Acquisition.gov still displays DFARS 252.204-7020, DFARS 252.204-7021 (the CMMC clause) is unchanged, and the November 10, 2026 Phase 2 date is unchanged.

Is CMMC Level 2 based on NIST SP 800-171 Revision 2 or Revision 3?

Revision 2. Even though NIST published Revision 3 in May 2024, the CMMC program still measures Level 2 against Revision 2, and the GAO confirmed the DoD is holding to Revision 2 for now (32 CFR § 170.2; GAO-26-107955).

How long does it take to get ready for a Level 2 (C3PAO) assessment?

Industry sources commonly describe readiness as a six-to-nine-month effort for a company building its program, with C3PAO scheduling adding roughly three to six months on top. Those timelines are why starting readiness now — rather than booking an assessor first — is the realistic move for anyone facing a 2026 to 2027 requirement.

What’s the difference between CMMC Phase 2 and Phase 3?

Phase 2 (November 10, 2026) applies Level 2 (C3PAO) to applicable contracts as a condition of award. Phase 3 (November 10, 2027) expands that to all applicable contracts, adds it as a condition to exercise option periods, and layers in Level 3 (DIBCAC) where applicable (32 CFR § 170.3(e)).

How do I verify a C3PAO is legitimate?

Check that the firm is listed as an Authorized C3PAO on the Cyber AB Marketplace on the day you sign your engagement, and keep a dated copy. The DoD Inspector General found gaps in the authorization process, so confirming current status yourself — rather than relying on a firm’s marketing — is a reasonable protection (DODIG-2025-056).



Primary and authoritative sources

  • CMMC Program Rule — 32 CFR Part 170, especially § 170.3(e) (phased implementation), §§ 170.15–170.18 (level requirements), § 170.21 (POA&M), § 170.23 (flow-down), § 170.24 (scoring). eCFR
  • DFARS 252.204-7021, Contractor Compliance with CMMC Level Requirements. Acquisition.gov
  • DFARS 252.204-7025, Notice of CMMC Level Requirements. Acquisition.gov
  • DFARS CMMC acquisition final rule (effective Nov. 10, 2025). Federal Register
  • CMMC Program Final Rule (effective Dec. 16, 2024). Federal Register
  • GAO-26-107955, Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation (March 12, 2026). GAO
  • DODIG-2025-056, Audit of the DoD’s Process for Authorizing Third-Party Organizations to Perform CMMC 2.0 Assessments. DoD OIG
  • FAR Case 2026-001, proposed FAR overhaul rule, 91 FR 37550 (June 2026) — proposed, not in effect.