The Department of Defense has been warning the defense industrial base for years: self-attestation is not a compliance program. The DoD Inspector General documented, repeatedly, that contractors were claiming NIST SP 800-171 compliance they had not actually achieved, and adversaries were exploiting that gap. CMMC 2.0 exists to close it, and November 10, 2026 is the start of Phase 2, when third-party Level 2 certification becomes a condition of award in solicitations that involve Controlled Unclassified Information (CUI).
Phase 2 of the CMMC rollout ends the self-attestation era for Level 2 contracts. Organizations that haven’t started the certification process are already behind, and shrinking assessor availability makes the preparation window shorter by the month.
What Changes on November 10, 2026
CMMC enforcement launched in Phase 1 on November 10, 2025, when the CMMC clause began appearing in DoD solicitations. During Phase 1, contractors could satisfy most Level 2 requirements through self-assessment: score their own implementation of the 110 NIST SP 800-171 requirements using the DoD Assessment Methodology, post the score to the Supplier Performance Risk System (SPRS), have a senior official affirm it, and remain eligible to bid. DoD could already require a third-party assessment in individual solicitations at its discretion, but self-assessment was the default.
Phase 2 removes that default for solicitations involving CUI. Beginning November 10, 2026, assessment by an accredited Certified Third-Party Assessment Organization (C3PAO) becomes the standard path to Level 2 status for applicable contracts. A C3PAO will review documentation, interview staff, and verify through technical testing that the organization actually meets all 110 requirements, and it is the assessor's result, not the contractor's own score, that gets recorded in SPRS. A signed self-assessment that satisfied a Phase 1 solicitation will not satisfy a Phase 2 solicitation that calls for Level 2 certification.
The scope does not stop at prime contractors. If a prime contractor passes CUI to a subcontractor, the CMMC requirement flows down with it at the level appropriate to what the subcontractor handles. Supply chain enforcement is a stated DoD priority, and prime contractors are increasingly issuing CMMC compliance demands to their suppliers ahead of the deadline. A prime cannot flow CUI to a subcontractor that lacks the required status, so an uncertified subcontractor becomes a performance problem for the prime, which is why the most proactive primes are already verifying their supply chain's CMMC status.
CMMC Certification Requirements at Level 2
To pass a C3PAO assessment, three things need to be accurate and fully in place before the assessor arrives.
A scoped and documented System Security Plan (SSP). The SSP defines the boundary of the organization’s CUI environment: which systems process, store, or transmit CUI, which external service providers fall within scope, and how each of the 110 NIST SP 800-171 controls is implemented. A vague or incomplete SSP is one of the most common reasons organizations fail their assessment or require a remediation cycle before one can proceed.
Full implementation of 110 security requirements across 14 control families. The 14 families include access control, audit and accountability, identification and authentication, incident response, media protection, risk assessment, system and communications protection, and more. Each family carries specific technical and procedural requirements, and partial implementation does not score as implemented. Assessors evaluate the 110 requirements against the 320 assessment objectives in NIST SP 800-171A, every one of which must be shown as met, so evidence has to be organized at the objective level across teams that often lack formal documentation processes.
A Plan of Action and Milestones (POA&M) for any open items. POA&Ms are permitted at Level 2, but the rule (32 CFR 170.21) is specific about what may be on one. A conditional certification requires a score of at least 88 out of 110, and only 1-point requirements may remain open, with two exceptions: CUI encryption (3.13.11) may be on the POA&M if encryption is in place but not FIPS-validated, and five 1-point requirements (external connections 3.1.20, public information 3.1.22, and the physical access requirements 3.10.3, 3.10.4 and 3.10.5) may never be. Every POA&M item must be closed and verified in a closeout assessment within 180 days, or the conditional status lapses. Organizations entering an assessment with any 5-point or 3-point requirement still open will not receive a certification at all.
The CMMC Compliance Checklist: What to Prioritize Now
For organizations still in preparation, the following sequence reflects where most gaps are found and what has the longest lead time.
Determine your CUI scope first. The first step is mapping which systems actually process, store, or transmit CUI, and which security protection assets and external service providers support them, before any gap work, documentation, or remediation begins. Many organizations either over-scope, which inflates the cost of compliance, or under-scope, which leaves CUI-bearing systems outside the assessed boundary for the assessor to find. The DoD's CMMC Level 2 Scoping Guide is the authoritative reference.
Conduct a gap assessment against NIST SP 800-171. A gap assessment produces a clear picture of where current practices fall short of the 110 requirements, scored the way SPRS and a C3PAO will score them. It informs the remediation plan, the POA&M, and the SSP, and it prevents organizations from discovering major deficiencies when a C3PAO assessor is already on site.
Address identity and access controls, logging, and multi-factor authentication. These three areas account for a disproportionate share of Level 2 deficiencies, and they are weighted heavily in scoring. Multi-factor authentication (3.5.3) is required for local and network access to privileged accounts and for network access to non-privileged accounts; MFA limited to VPN and administrator logins earns only partial credit. Role-based access control with least privilege, and audit logs that are retained long enough to support investigation (3.3.1) and protected from modification (3.3.8), are baseline requirements with no room for workarounds.
Engage a C3PAO early. Assessor capacity is the most underappreciated constraint in the entire CMMC ecosystem. Fewer than 600 Certified CMMC Assessors exist today, while estimates suggest 2,000 to 3,000 will eventually be needed. Approximately 80 authorized C3PAOs serve a population of roughly 80,000 contractors requiring Level 2 certification, and many are already booked through most of 2026. Organizations that do not have a C3PAO engagement in place now are competing for a shrinking pool of available slots.
Verify subcontractor readiness. Inventory which subcontractors touch CUI, assess their CMMC status, and incorporate compliance requirements into subcontract terms now. A subcontractor who misses their certification deadline creates a prime contractor performance problem.
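The gap assessment step and the POA&M rule above come down to two mechanical checks: an SPRS-style score, and whether what is still open could legally sit on a Level 2 POA&M. The following script, added here as an illustration rather than code from the original article or from any CMMC tool, implements both. The scoring rule is the DoD Assessment Methodology (start at 110 and subtract each unmet requirement's weight, with partial credit of 3 instead of 5 for MFA deployed only to privileged and remote users and for encryption that is in use but not FIPS-validated), and the eligibility rule is 32 CFR 170.21. The findings list is a constructed sample, and the weights attached to those requirement ids are an assumption to be verified against the current published methodology.

```python
"""SPRS-style scoring of a NIST SP 800-171 gap assessment, plus a check of
whether the open items could go on a Level 2 POA&M under 32 CFR 170.21.

Added example, not code from the original article or from DoD. Scoring rule:
start at 110, subtract each open requirement's weight (5, 3 or 1); 3.5.3 and
3.13.11 cost 3 instead of 5 when partially implemented. The findings below
are a constructed sample; the weights are assumed (verify against the
current DoD Assessment Methodology before relying on them).
"""
from dataclasses import dataclass

NOT_MET, PARTIAL = "not_met", "partial"
VALID_WEIGHTS = {5, 3, 1}
MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88        # 0.8 * 110, 32 CFR 170.21(a)(2)(i)
POAM_CLOSEOUT_DAYS = 180          # conditional status lapses after this

# Only these two requirements carry partial credit (deduct 3, not 5).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 1-point requirements that may never be on a Level 2 POA&M
# (32 CFR 170.21(a)(2)(iii)).
POAM_NEVER = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    """One requirement the gap assessment found open (met items are not listed)."""
    rid: str       # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int    # 5, 3 or 1 per the DoD Assessment Methodology (assumed)
    status: str    # NOT_MET or PARTIAL

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.rid}: weight must be 5, 3 or 1")
        if self.status not in (NOT_MET, PARTIAL):
            raise ValueError(f"{self.rid}: status must be not_met or partial")


def deduction(f):
    """Points subtracted for one open requirement."""
    if f.status == PARTIAL and f.rid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.rid]
    return f.weight   # "partial" on any other requirement scores as not met


def sprs_score(findings):
    """Score for an assessment whose only open items are `findings`; every
    requirement not listed is assumed fully implemented."""
    ids = [f.rid for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement ids in findings")
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_blockers(findings):
    """Reasons the open items cannot be carried on a Level 2 POA&M. An empty
    list means a conditional certification is possible, with
    POAM_CLOSEOUT_DAYS to close every item and pass a closeout assessment."""
    reasons = []
    score = sprs_score(findings)
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below {MIN_CONDITIONAL_SCORE}")
    for f in findings:
        if f.rid in POAM_NEVER:
            reasons.append(f"{f.rid} may never be placed on a POA&M")
        elif f.weight > 1 and not (f.rid == "3.13.11" and f.status == PARTIAL):
            reasons.append(f"{f.rid} is a {f.weight}-point item; close it before the assessment")
    return reasons


def conditional_eligible(findings):
    return not poam_blockers(findings)


# Constructed sample: a typical first-pass gap assessment.
FIRST_PASS = [
    Finding("3.5.3", 5, PARTIAL),    # MFA only on VPN and admin accounts
    Finding("3.13.11", 5, PARTIAL),  # TLS in use, modules not FIPS-validated
    Finding("3.3.1", 5, NOT_MET),    # no central audit log retention
    Finding("3.10.4", 1, NOT_MET),   # no physical access logs
    Finding("3.11.3", 1, NOT_MET),   # vulnerability remediation not tracked
]

# Constructed sample: after closing the 5-point items and the physical gap.
AFTER_REMEDIATION = [
    Finding("3.13.11", 5, PARTIAL),
    Finding("3.11.3", 1, NOT_MET),
]

if __name__ == "__main__":
    for label, findings in (("first pass", FIRST_PASS),
                            ("after remediation", AFTER_REMEDIATION)):
        print(label, sprs_score(findings), poam_blockers(findings))
```

The first-pass sample scores 97, comfortably above 88, and is still not eligible for a conditional certification: the MFA gap and the audit-logging gap are 5-point items, and physical access logs can never be deferred. That is the practical point of the rule: a respectable SPRS score and a passable assessment are different things, and the remediation sequence should close every item worth more than one point first.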
The Broader CMMC 2.0 Compliance Timeline
November 10, 2026 is critical, but it is not the endpoint. Phase 3 begins November 10, 2027, when Level 2 C3PAO certification becomes mandatory for all applicable DoD solicitations as a condition of both contract award and option period exercises, and Level 3 certification, assessed by DoD's own DIBCAC, becomes a condition of award for the most sensitive programs. Phase 4, beginning November 10, 2028, is full implementation: CMMC requirements apply to all applicable solicitations and contracts involving FCI or CUI, including option periods on contracts awarded before Phase 4.
The phased rollout was designed to give the assessment ecosystem time to scale. For contractors, it created the impression that early phases were optional preparation, which proved to be a costly misread. Organizations that treated Phase 1 as the finish line, or that assumed Phase 2 requirements would be softer than announced, are now running out of preparation time.
The DoD will not award or extend contracts to organizations that do not hold the CMMC status specified in the solicitation. Contracting officers are prohibited from doing so unless that status is recorded in SPRS. The only latitude the framework offers is the 180-day window of a conditional certification for closing POA&M items; beyond that there is no grace period and no informal workaround in the supply chain.
What Working with a CMMC Consultant Looks Like
For most defense contractors, the certification process involves more complexity than an internal IT team can absorb alongside normal operations. A qualified CMMC consultant brings a structured approach to scoping, gap analysis, SSP development, and remediation prioritization, with direct familiarity with what C3PAO assessors scrutinize most closely.
The practical value of an experienced consultant is not just in knowing what the 110 controls require; it is in knowing which documentation gaps derail assessments, how to scope the CUI environment accurately, and how to sequence remediation so that the highest-risk items are addressed first. For organizations with six months or fewer before they need certification in hand, that experience compresses a months-long process into a sequence an organization can actually execute before the deadline.
Planet 9 is a Bay Area cybersecurity consulting firm specializing in compliance readiness for SMBs in healthcare, SaaS, technology, and DoD contracting. Our vCISOs and compliance managers help organizations scope their environments accurately, close control gaps efficiently, and reach certification-ready status without wasted effort.