What to Do with CMMC Phase 2 Requirements 5 Months Away

CMMC Phase 2 Requirements

CMMC Phase 2 requirements take effect on November 10, 2026, and with that date, self-attestation for many Level 2 contracts ends. For most subcontractors handling CUI on their systems, compliance will need to be demonstrated through a certified third-party C3PAO assessment. Here’s what you need to know as the Phase 2 requirements approach.

Key Takeaways

  • CMMC Phase 2 mandates third-party C3PAO certification for many Level 2 contracts beginning November 10, 2026.
  • The average certification timeline is 6–18 months, depending on where you stand when you start.
  • The goal for most contractors today is to get in the assessment queue and protect contract eligibility through the current performance period.

What is CMMC Phase 2?

CMMC Phase 2 is the second phase of the Department of Defense’s phased rollout of the Cybersecurity Maturity Model Certification program. It takes effect November 10, 2026, exactly 12 months after Phase 1 began.

Under Phase 1, contracting officers had discretion over whether to require C3PAO assessments or accept contractor self-attestation for Level 2 contracts. Many used that discretion to accept self-attestation, particularly for contracts that were already in progress.

Phase 2 removes that discretion for some contracts. The DoD estimates CMMC Level 2 affects roughly 80,000 organizations in the Defense Industrial Base.

Why waiting to schedule your audit with a C3PAO is a risk.

There are approximately 83–100 accredited C3PAOs in the United States authorized to conduct CMMC Level 2 assessments, according to the Cyber AB. They serve a Defense Industrial Base of tens of thousands of organizations.

C3PAOs have been reporting 1–3 month wait times just to schedule an initial assessment. Many believe the wait will balloon as Phase 2 approaches, making the assessor shortage a block to certification.

How long does CMMC Level 2 certification take?

The timeline is 6 months or more from a standing start, and that assumes the organization can begin immediately.

You’ll need a gap assessment against all 110 NIST SP 800-171 controls (four to eight weeks) to get a baseline. The remediation step is where timelines vary the most, though. An organization with a well-managed IT environment (and already implementing most controls) may need three to four months. However, an organization starting from scratch may need to work for a year on remediation.

When that step is complete, you’ll need a pre-assessment readiness review (four to eight weeks), then the C3PAO engagement, where you’ll go through one stage of documentation review and another of controls testing. If the organization receives a Conditional status, it has 180 additional days to close the findings before receiving final certification.

The variable with the greatest effect on this timeline is documentation. The 110 controls in NIST SP 800-171 require implementation and proof of implementation, including:

  • System Security Plans
  • Policies
  • Procedures
  • All the evidence that your controls are functioning as designed

Organizations that work with an MSP to implement these controls (but don’t have documentation for them) will find that producing that documentation is the bulk of their work.

What subcontractors should do right now.

To prepare for Phase 2, follow the prioritized steps below.

1. Determine your actual CMMC level requirement.

If your contracts involve CUI or DFARS 252.204-7012, you are very likely in Level 2 scope. However, you should verify the required level, which will be stated in your contracts.

2. Confirm that your MSP is familiar with CMMC and certified to Level 2.

An MSP that has been through the C3PAO process itself knows exactly what assessors will ask for. That institutional experience is not the same as an IT provider that has merely read the framework or is learning on your dime.

3. Run a gap assessment against NIST SP 800-171.

A NIST 800-171 gap assessment produces the only reliable answer to “How long will this take?” for your organization. Without it, you cannot know whether you’re three months away from your audit or 18.

4. Contact authorized C3PAOs now.

Even if you are not ready to schedule an assessment, getting on their calendar and understanding their availability gives you a solid footing for getting scheduled when you are ready. The Cyber AB maintains an authoritative C3PAO list.

5. Evaluate what your IT environment can prove today.

A C3PAO assesses what you have implemented and what you can document and demonstrate. Make sure you identify gaps in your System Security Plan and your evidence long before your actual assessment.

6. Focus on maintaining compliance, not just achieving certification.

The priority is to ensure that your current security posture is accurate, defensible, and actively improving. Make sure you:

  • Maintain a current System Security Plan (SSP)
  • Track gaps through a compliant Plan of Action and Milestones (POA&M)
  • Stay on track to remediate all POA&M items – typically within 180 days for conditional status.

But remember that certification is not a finish line. It is simply the starting point for a three-year cycle.

After your C3PAO assessment, you must submit an annual affirmation in the Supplier Performance Risk System (SPRS) confirming that your organization continues to meet all 110 NIST SP 800-171 controls. Failing to meet those controls puts your contract work at risk. And claiming you meet all controls when you don’t (intentionally or not) puts you at risk of a False Claims Act settlement.

The point I’m driving home is that contractors who treat their CMMC program as an ongoing posture, instead of as a one-off project, will be set up for lasting success in the ecosystem.

FAQ

Do subcontractors need CMMC Level 2 certification?

Yes, if they process, store, or transmit CUI. DFARS 252.204-7021 requires prime contractors to pass CMMC requirements down to any subcontractor who handles CUI under that contract. As of 2026, major defense primes are not waiting for Phase 2 to enforce this. For example, Lockheed Martin required all its suppliers to document their CMMC compliance status.

Once the requirements are in effect, DoD contracts that require a Level 2 C3PAO assessment can only be awarded to organizations that have a current, valid CMMC Level 2 status (either final or an allowable conditional status with an approved POA&M) and a corresponding affirmation in SPRS.

Organizations that have not achieved that status are generally ineligible for award until they do.

Cayden Crowise is a marketing copywriter at Teal with over three years of experience creating content focused on managed IT services, AI, automation, cybersecurity, compliance frameworks, and emerging technologies.

Trained in professional writing and marketing communications, Cayden specializes in translating complex topics into outcome-focused guidance for IT leaders, executives, government contractors, and growing organizations.

Their work supports businesses navigating security risk, operational maturity, and business growth.
