CMMC 2.0 Enforcement Timeline 2026

CMMC 2.0 enforcement began November 10, 2025, and it’s rolling out in four phases through 2028. Contractors will not be able to win new business, or extend some existing contracts, without affirming Level 1 compliance. The next major shift hits November 10, 2026, when third-party certification becomes mandatory and organizations that aren’t ready won’t be eligible for covered contracts. If you haven’t started your gap assessment, the window to be ready is closing faster than most contractors realize.

Where We Actually Are Right Now

CMMC isn’t a future concern anymore — it’s live, and it’s already showing up in contract language. Here’s the four-phase rollout as it actually stands:

  • Phase 1 — November 10, 2025 (we are here): Level 1 mandatory self-assessments for new solicitations and contracts. The DoD may, at its discretion, immediately require the more stringent CMMC Level 2 (C3PAO Certification) for certain prioritized contracts — meaning some contractors are already facing third-party assessment requirements ahead of schedule.
  • Phase 2 — November 10, 2026: Mandatory C3PAO certifications for CMMC Level 2 begin to appear in applicable contracts requiring the protection of CUI. This is the deadline that matters most. After this date, a self-assessment isn’t enough — you’ll need a Level 2 (C3PAO) certification for nearly all CUI-handling contracts.
  • Phase 3 — November 10, 2027: CMMC Level 3 requirements and government-led DIBCAC assessments are introduced for the most critical programs.
  • Phase 4 — November 10, 2028: CMMC requirements become universally mandatory across all applicable DoD contracts, solicitations, option exercises, and renewals.

The phased structure can create a false sense of room to wait. It shouldn’t — given that achieving Level 2 compliance typically requires 6 to 12 months of dedicated work, any company wishing to bid on CUI-handling contracts in the near term needs its gap analysis completed and remediation roadmap underway today.

Why November 2026 Is the Date That Actually Matters

Phase 1 is mostly self-attestation: you assess yourself, submit a score, and move on. Phase 2 ends the era of self-attestation. Third-party certification becomes mandatory, and organizations that aren’t ready won’t be eligible for covered contracts.

That’s five months from today. And DoD estimates roughly 93% of Defense Industrial Base organizations handling CUI will need Level 2 (C3PAO) certification, meaning most contractors reading this fall into the group that needs to act now, not later.

The Part Most Contractors Miss — Subcontractor Flow-Down

If you’re a subcontractor and assume CMMC is “the prime’s problem,” that assumption is incorrect and increasingly costly. If a prime contractor flows CUI to you, the compliance obligation flows with it — regardless of whether you’ve had an explicit CMMC conversation with your prime. Supply chain enforcement is a stated DoD priority, and prime contractors are increasingly issuing compliance demands to their suppliers ahead of Phase 2.

This also extends beyond DoD-only contracts: GSA requirements have extended NIST 800-171 compliance to civilian agency contracts involving CUI as well, meaning organizations with both DoD and non-DoD federal work face a converging compliance baseline.

If you don’t currently know whether CUI flows through your environment, that’s the first question to resolve, before anything else.

What “Ready” Actually Requires

A Level 2 (C3PAO) certification isn’t a form you fill out. To pass a C3PAO assessment, three deliverables need to be in place, and they need to be accurate, not aspirational: a current System Security Plan (SSP), an honest Plan of Action and Milestones (POA&M) for anything not yet met, and your actual SPRS score reflecting where you stand today.

There is some room if you’re not at 100%: organizations can pursue conditional CMMC status if they score at least 80% (88 of 110 requirements) as met, with critical requirements satisfied. But conditional status isn’t a free pass. A 180-day window applies to close out remaining POA&M items, and if they’re not closed in time, conditional status expires and the organization becomes ineligible for contracts requiring Level 2.

What to Do This Quarter

  1. Determine your CUI exposure. If you don’t know whether you handle Controlled Unclassified Information — as a prime or as a subcontractor — resolve that first.
  2. Get a gap assessment against NIST 800-171. This tells you exactly where you stand against the 110 controls Level 2 requires, not a guess.
  3. Build a real POA&M. Not a wish list — an honest, dated remediation plan for every gap identified.
  4. Start now, not in Q4 2026. Most organizations need 6–12 months to prepare. If you start your gap assessment after Labor Day, you’re racing the Phase 2 deadline with little room for error.

A CMMC gap assessment tells you exactly where you stand against NIST 800-171 — with a clear remediation roadmap, not just a list of problems.

FAQ

Q: When did CMMC 2.0 enforcement begin?

A: CMMC Phase 1 began November 10, 2025, introducing mandatory Level 1 self-assessments for new DoD solicitations and contracts.

Q: When does CMMC become mandatory for all contracts?

A: Full implementation begins November 10, 2028, when CMMC requirements become universally mandatory across all applicable DoD contracts. However, Phase 2, beginning November 10, 2026, is when third-party certification becomes mandatory and the compliance stakes become contractual consequences for most CUI-handling contractors.

Q: Does CMMC apply to subcontractors?

A: Yes. If a prime contractor flows CUI to a subcontractor, the compliance obligation flows with it — regardless of whether an explicit CMMC conversation has taken place.

Q: What’s the difference between a self-assessment and a C3PAO assessment?

A: A self-assessment is an internal review where the contractor attests to its own compliance and submits a score to SPRS. A C3PAO assessment is conducted by a Certified Third-Party Assessor Organization and is required for most organizations handling CUI starting in Phase 2. RSAA provides advisory support to prepare for a C3PAO assessment — we do not conduct the C3PAO assessment itself.

Q: How long does CMMC Level 2 preparation take?

A: Most organizations require 6–12 months to fully prepare for a C3PAO assessment, depending on current security posture and the number of gaps identified.

Q: What happens if I’m not fully compliant by the deadline?

A: Conditional CMMC status is available if you score at least 80% of requirements as met, with critical requirements satisfied, and remaining gaps documented in a POA&M. Conditional status comes with a 180-day window to close out remaining POA&M items, after which it expires.
