
CMMC Phase 2 Enforcement: What Changes in November 2026

2026-03-17 · 7 min read

CMMC Phase 2 enforcement begins November 10, 2026. If you’ve been watching the rollout from the sidelines, this is the date after which a Level 2 self-assessment stops being enough for prioritized contracts that involve CUI. Starting that date, third-party certification becomes a condition of award for a growing category of DoD contracts.

This article explains exactly what shifts, who gets affected first, and what the timeline looks like for a 50-person defense manufacturer starting today.


What Phase 1 Already Requires (Active Since November 2025)

Phase 1 went live on November 10, 2025. Since then, DoD has had authority to include CMMC requirements in new contracts and solicitations. Under Phase 1:

  • CMMC Level 1 requires an annual self-assessment posted to SPRS (Supplier Performance Risk System)
  • CMMC Level 2 can be satisfied through self-assessment on selected contracts — but not indefinitely
  • DFARS clause 252.204-7021 is now active, so contracting officers can include CMMC requirements in new awards

Phase 1 gave contracting officers discretion. Some contracts now carry the requirement; many don’t yet. That changes on schedule.


What Specifically Changes in Phase 2

Phase 2 removes the self-assessment option for prioritized Level 2 contracts that involve Controlled Unclassified Information (CUI). Level 1 is untouched:

Phase 1 (now through Nov 9, 2026):

  • Level 1: annual self-assessment
  • Level 2 (CUI contracts): self-assessment allowed on selected contracts

Phase 2 (Nov 10, 2026 onward):

  • Level 1: annual self-assessment (unchanged)
  • Level 2 (CUI contracts): C3PAO third-party certification required on prioritized contracts

The practical implication: if you’re competing for contracts that involve CUI and have been relying on self-attestation, that path closes for most of those contracts in November 2026.


Who Gets Affected First

Phase 2 focuses enforcement on:

  1. New contracts and solicitations issued after November 10, 2026 that include DFARS 252.204-7021
  2. Option period exercises — DoD may impose the CMMC requirement at the exercise of an option period rather than at award, and the phased rollout is written to reach option periods on contracts awarded before the rule (32 CFR 170.5(e)). A legacy contract is not a safe harbor.
  3. Subcontractors who handle CUI — if your prime flows CUI to you, that flow-down obligation is contractual and enforceable under DFARS 252.204-7021

If your revenue depends on DoD prime or subcontract work involving CUI — manufacturing, engineering, IT services, maintenance — you are in scope. See CMMC for Subcontractors for how the flow-down works in practice.


The C3PAO Supply Problem

There are roughly 97 accredited C3PAOs (Certified Third-Party Assessor Organizations) serving a defense industrial base of over 80,000 contractors. That’s structural undersupply — and Phase 2 hasn’t hit yet.

Assessment fees are currently $30,000–$100,000 for a typical mid-size manufacturer and are projected to roughly double by late 2026 as demand surges. If you want a certified assessor with availability before November 2026, you need to be in their pipeline now. Not in Q3.

For context on how assessor fees stack up against your total compliance investment, use the CMMC cost estimator.


How Long Does Preparation Actually Take?

Based on companies that have completed the process:

  • Existing controls, no documentation: 6–9 months to audit readiness
  • Starting from scratch (no SSP, no formal policies): 12–18 months
  • Well-documented but needing technical remediation: 6–12 months

For a company starting in early 2026 with a November 2026 target: you have roughly 8 months. That’s achievable — if you don’t waste the first 90 days on scoping discussions that go nowhere.

The typical bottleneck is documentation, not technology. Deploying MFA takes days. Writing a System Security Plan that covers all 110 NIST SP 800-171 controls with evidence artifacts takes months of structured work.

Not sure where you stand? Take the free CMMC readiness assessment — it takes 10 minutes and identifies your gaps.


What Has to Be in Place Before the Assessment

A C3PAO assessment is not a questionnaire. It involves interviews, technical testing, and documentation review, and every one of the 110 requirements is scored MET or NOT MET against what you can show. Without a System Security Plan the assessor has nothing to assess against; gaps in the rest surface as NOT MET findings that drag your score down.

Required documentation:

  • System Security Plan (SSP) — typically 100–300 pages
  • Plans of Action & Milestones (POA&M) for unmet controls
  • Asset inventory: hardware, software, external service providers
  • Network diagrams showing where CUI lives and flows
  • Incident response plan
  • Training records for staff with CUI access

Technical controls that commonly fail assessments:

  • Multi-factor authentication for privileged accounts and for all network access to systems that handle CUI
  • Encryption of CUI in transit and at rest using FIPS 140-validated cryptographic modules. Using an approved algorithm such as AES is not the same as using a validated module; the assessor will ask which module is in use and for its CMVP certificate
  • Audit logging that is centrally collected, retained, and actually reviewed (SIEM or equivalent)
  • Endpoint detection and response (EDR)

To understand which of these you’re missing and roughly what remediation costs, the CMMC cost estimator gives you a scoped range before you walk into a consultant conversation. For guidance on finding the right consultant, see How to Choose a CMMC Consultant.


The False Claims Act Risk Nobody Mentions

Phase 2 doesn’t just add a certification step — it raises the legal stakes for misrepresenting compliance.

Since October 2021, the DoJ Civil Cyber-Fraud Initiative has been pursuing False Claims Act cases against contractors whose submitted SPRS scores did not reflect their actual security posture. When you sign an SPRS affirmation, you’re certifying to the government that the information is accurate. The statute does not require proof that you meant to deceive: reckless disregard for whether the score was accurate is enough to create False Claims Act exposure for the company and for the executive who signed.

This is why DFARS clauses matter beyond the administrative. DFARS Clauses Decoded explains the specific obligations and how they tie to liability.


The Bigger Enforcement Timeline

Phase 2 is an inflection point, not the final deadline. The DFARS final rule (90 Fed. Reg. 43,560) established a phased rollout running from November 10, 2025 through November 2028, at which point mandatory CMMC clause inclusion covers all applicable DoD contracts — existing and new.

Contractors who get certified now have a multi-year competitive window over companies still scrambling in 2027. For a deeper dive on the certification levels themselves, see CMMC Level 1 vs. Level 2.


Frequently Asked Questions

Does Phase 2 apply to all DoD contracts starting November 10, 2026? No — Phase 2 expands DoD’s authority to require Level 2 C3PAO certification, but it’s applied contract by contract via DFARS 252.204-7021. Prioritized acquisitions involving CUI are affected first. Full mandatory coverage across all applicable contracts completes in November 2028. That said, contracting officers have broad discretion — CUI-handling contracts will increasingly require third-party certification from November 2026 onward, and it’s not worth gambling your contract on exceptions.

Can I still use self-assessment for Level 2 after Phase 2? For lower-risk Level 2 work, self-assessment may still be accepted on specific contracts. But for prioritized acquisitions involving CUI, the self-assessment option closes. The exact scope depends on the individual contract’s DFARS clause. When in doubt, plan for a C3PAO.

What is a C3PAO and how do I find one? A C3PAO (Certified Third-Party Assessor Organization) is a company accredited by CyberAB to conduct official CMMC Level 2 assessments. The CyberAB marketplace lists all authorized assessors. What Is a C3PAO? walks through how to evaluate and select one that fits your scope and budget.

What happens if I miss the November 2026 deadline? Existing contracts don’t automatically lapse — but you may be excluded from new awards and option period exercises on contracts that include CMMC requirements. For companies where DoD work represents most of their revenue, that’s an existential exposure. There is no grace period for a contractor that simply lacks the required status, and waivers are a program-level DoD decision, not something a contractor can apply for. The only built-in flexibility is a conditional Level 2 status: you must still pass the assessment with a score of at least 88 of 110, and the remaining items go on a POA&M that must be closed within 180 days.

How much will Level 2 certification cost me? Total first-year costs for a small defense manufacturer typically run $80,000–$315,000 depending on your current security posture, documentation maturity, and technical remediation scope. Use the CMMC cost estimator to get a figure based on your situation — before committing to any consulting engagement.


Start Now, Not in September

The math is straightforward: Phase 2 lands in November 2026, readiness takes 6–12 months, and C3PAO slots are already scarce. The start window is Q1–Q2 2026. Companies beginning in September will compete for the same limited assessor capacity as every other contractor who procrastinated — and pay the premium price for it.

The contractors who get certified early don’t just solve a compliance problem. They convert it into a competitive advantage in a supply chain that’s actively shedding non-compliant partners.

Take the free readiness assessment →


Sources: Federal Register — DFARS Final Rule (90 Fed. Reg. 43,560, effective Nov 10, 2025) · 32 CFR Part 170 (effective Dec 16, 2024) · CyberAB Assessor Registry · NIST SP 800-171
