CMMC Phase 2 Deadline (November 10, 2026): What Defense Contractors Must Do Now
By Fortwise Team
On November 10, 2026, the CMMC program enters Phase 2 — and the era of self-attesting your way onto CUI contracts begins to close. From that date, the Department of Defense can require CMMC Level 2 certification by an authorized C3PAO as a condition of award in applicable new solicitations. If your contracts involve Controlled Unclassified Information, this is the deadline your 2027 pipeline depends on.
Phase 1, which began November 10, 2025 under the CMMC acquisition rule (DFARS 252.204-7021), put self-assessments and annual affirmations into new DoD contracts. Phase 2 raises the bar from "tell us" to "prove it": an independent assessment by a certified third party.
What changes on November 10, 2026?
Starting November 10, 2026, DoD contracting officers may include a requirement for third-party CMMC Level 2 certification — not just a self-assessment — in new solicitations that involve CUI. The full phase-in looks like this:
- Phase 1 (from November 10, 2025): Level 1 and Level 2 self-assessments, with annual affirmations, required in applicable new contracts.
- Phase 2 (from November 10, 2026): C3PAO-certified Level 2 can be required as a condition of award in applicable new solicitations.
- Phase 3 (from November 10, 2027): requirements extend further, including option periods on existing contracts and Level 3 for the highest-priority programs.
- Full implementation (expected 2028): CMMC requirements appear in all applicable DoD contracts.
Two important wrinkles: contracting officers have had discretion to require certification earlier than the phase schedule, and many primes are already demanding proof from their supply chains ahead of any regulatory deadline.
Does Phase 2 apply to your existing contracts?
Not immediately. Phase 2 applies to new solicitations and awards; existing contracts aren't retroactively modified, and option periods are generally a Phase 3 concern. But that comfort is thinner than it looks. Recompetes and renewals become new awards. Primes flow requirements down early to de-risk their own bids. If a contract you depend on comes up for renewal in 2027, the certification clock is effectively already running.
Is it still possible to certify before the deadline?
For many contractors, yes — but the math is unforgiving. A typical Level 2 journey involves months of remediation, and C3PAO booking lead times were commonly reported at six to nine months in early 2026, with the queue growing. Starting from scratch in July and holding a certificate by November 10 is unrealistic; starting now and being deep in a C3PAO's queue with remediation nearly done is very achievable.
There's also a legitimate middle path: conditional certification. If you score at least 80% at assessment and your open items are POA&M-eligible controls, you can be conditionally certified and close the remaining gaps within 180 days.
What should you do this quarter?
- Confirm your level. Establish whether your contracts involve CUI (Level 2) or only FCI (Level 1) — this decision drives everything else.
- Run a real gap assessment and make sure your SPRS score reflects reality — affirmations carry legal weight now.
- Get in a C3PAO queue early — don't wait for remediation to finish before you start scheduling conversations.
- Remediate the heavily weighted gaps first — five-point items like multifactor authentication and FIPS-validated encryption move your score fastest.
- Collect evidence as you remediate, organized by assessment objective — scrambling for artifacts the month before assessment is where timelines die.
The contractors who clear Phase 2 comfortably will be the ones who treated November 10 as the finish line, not the starting gun. If you don't know exactly where you stand, a readiness assessment gives you the control-by-control answer — and a defensible plan for the months you have left.
