For years, the cybersecurity obligations on defense contractors operated largely on the honor system. Under DFARS 252.204-7012, contractors handling Controlled Unclassified Information (CUI) were required to implement the 110 controls of NIST SP 800-171 and to self-attest to their compliance. The result, repeatedly documented by the DoD Inspector General, was a defense industrial base that claimed compliance it had not achieved, a gap adversaries have exploited through the supply chain for over a decade.
The Cybersecurity Maturity Model Certification (CMMC) program exists to close that gap by replacing self-attestation with verification. And in 2026, after years of rulemaking, it stops being a future concern and becomes a contract-award gate. If your organization holds or is pursuing DoD contracts that involve CUI, the most important date on your compliance calendar is now November 10, 2026.
Where the rule actually stands
CMMC is no longer proposed, pending, or theoretical. The sequence that made it binding:
- The DoD released the final CMMC program rule (32 CFR) in October 2024, effective December 2024, establishing the certification framework and the three maturity levels.
- The DoD published the final DFARS acquisition rule on September 10, 2025, integrating CMMC into contracts through the new DFARS 252.204-7021 clause. This is the contractual hook: the clause that makes a CMMC certificate a condition of award.
- Implementation rolls out in phases to give the assessment ecosystem time to scale.
That phased rollout is the part contractors must internalize, because the obligations escalate on fixed dates.
The phased timeline
Phase 1 (began November 10, 2025). DoD started including CMMC requirements in solicitations, requiring Level 1 or Level 2 self-assessments for certain contracts. This phase reintroduces self-assessment, but now formalized, recorded, and backed by a senior-official affirmation in the government's Supplier Performance Risk System (SPRS), with False Claims Act exposure for inaccurate affirmations.
Phase 2 (begins November 10, 2026). This is the inflection point. Phase 2 brings mandatory third-party certification for Level 2 contracts: assessment by an accredited C3PAO (Certified Third-Party Assessment Organization) rather than self-attestation. For the large population of contractors that handle CUI and therefore fall at Level 2, the honor system ends here. You will need an independent assessor to verify your implementation of all 110 NIST SP 800-171 controls before you can be awarded covered work.
Beyond Phase 2. CMMC requirements continue to broaden across the following years, with full incorporation into effectively all relevant DoD contracts by around November 2028, including contracts involving Federal Contract Information (FCI) at Level 1 and the most sensitive programs at Level 3.
Why November 10, 2026 is really a today problem
The deadline is months away, but the preparation window is not. Industry experience is consistent: it takes the average defense contractor 6 to 12 months to become assessment-ready, that is, to remediate control gaps, build the required documentation (System Security Plan, policies, evidence), implement controls like multifactor authentication and FIPS-validated encryption, and then schedule and pass a C3PAO assessment. There is also a finite supply of accredited C3PAOs, which creates scheduling pressure as the deadline approaches and demand spikes.
Count backward from November 10, 2026, add C3PAO scheduling lead time, and a contractor starting in mid-2026 is already at the edge of the runway. A contractor that has not started is, for any Level 2 award in the Phase 2 window, likely too late to be ready in time.
The Level 2 control reality
Level 2 certification requires demonstrated implementation of the 110 controls in NIST SP 800-171 Revision 2 (with the program moving toward alignment with the updated Revision 3). The controls most contractors struggle with, and the ones most likely to surface as findings, are familiar:
- Multifactor authentication on all access to CUI
- FIPS-validated cryptography for protecting CUI at rest and in transit
- Comprehensive access control and least-privilege enforcement
- Continuous security monitoring and an incident response capability
- Asset inventory and CUI data-flow mapping: knowing exactly where CUI lives and moves
- A complete, current System Security Plan (SSP) and supporting Plans of Action and Milestones (POA&Ms)
Notably, the scope for full certification is tighter than many assume: certain controls must be fully met with no POA&M allowed, and POA&Ms that are permitted must be closed within 180 days. You cannot certify on promises alone.
Flow-down: this reaches your subcontractors
A critical and often-missed feature: CMMC requirements flow down the subcontractor chain. A prime contractor cannot pass CUI to a subcontractor that lacks the appropriate CMMC level. This means primes must verify their subs' certification status, and small subcontractors that handle CUI face the same Level 2 obligation as the primes they serve, frequently with far fewer resources to meet it. The certification requirement is a supply-chain gate, not a single-company checkbox.
What to do now
- Determine your required level immediately. Handling FCI only points to Level 1; handling CUI points to Level 2; the most sensitive programs require Level 3. Your level dictates whether Phase 2's third-party assessment applies to you.
- Get an honest SPRS score today. Conduct (or revisit) your NIST SP 800-171 self-assessment and confirm the score posted in SPRS is accurate. Inflated affirmations are False Claims Act exposure, and that risk is live now, not in November.
- Close the high-frequency gaps first. Prioritize MFA, FIPS-validated encryption, access control, and a complete SSP. These are the controls assessors find missing most often.
- Map your CUI. You cannot protect or scope what you have not inventoried. Build a current asset inventory and CUI data-flow map; consider enclaving CUI to shrink assessment scope.
- Engage a C3PAO early. Assessor capacity is finite and demand is rising into the deadline. Get in a queue rather than assuming a slot will be available in Q4 2026.
- Push requirements down to subcontractors. Inventory which subs touch CUI, verify their CMMC readiness, and build flow-down into your subcontract terms. Their non-compliance becomes your inability to perform.
The defense industrial base has had a decade of self-attestation. CMMC Phase 2 is the moment that ends for Level 2 work. The contractors who treat November 10, 2026 as a real, near-term gate, and who started months ago, will keep bidding. The ones still treating CMMC as a future paperwork exercise are at genuine risk of being locked out of CUI contracts they depend on.
This article is provided for informational purposes only and does not constitute legal advice.