The Clock Is Running: November 2026 Is Not a Soft Deadline
CMMC Phase 2 enforcement begins in November 2026. From that point, the Department of Defense will begin including CMMC Level 2 certification requirements in new contracts involving Controlled Unclassified Information (CUI). Contractors without certification will be unable to bid.
This is the culmination of a rulemaking process that started in 2020, survived multiple revisions, and is now codified in the CMMC Final Rule (32 CFR Part 170). The timeline is set. The enforcement mechanism is in place. The only variable is whether your organization will be ready.
Over 80,000 defense contractors in the Defense Industrial Base handle CUI. As of March 2026, fewer than 2% have completed CMMC Level 2 certification. The math is simple: demand for C3PAO assessments will far exceed supply as the deadline approaches.
This post lays out the exact timeline, what changes at each milestone, and a month-by-month action plan for contractors who haven't started — or who are mid-process and need to accelerate.
The CMMC Implementation Timeline
What has already happened
- December 2023: CMMC Proposed Rule published in Federal Register
- October 2024: CMMC Final Rule published (32 CFR Part 170)
- December 2024: CMMC Final Rule effective date
- January 2025: Phase 1 begins; CMMC Level 1 self-assessment requirements appear in select contracts
What happens next
November 2026: Phase 2 begins
This is the critical milestone. Phase 2 introduces CMMC Level 2 certification requirements into DoD contracts. Specifically:
- New solicitations and contracts involving CUI will include CMMC Level 2 requirements
- Contractors must have either completed C3PAO certification OR have an active assessment in progress
- The assessment type depends on the contract: self-assessment (for non-critical programs) or third-party assessment (for critical programs)
Phase 3 (estimated 2027-2028)
CMMC Level 3 requirements for contracts involving the most sensitive CUI. This requires a government-led assessment (DIBCAC) in addition to C3PAO certification.
Full implementation (estimated 2028)
All DoD contracts involving CUI require appropriate CMMC certification. No exceptions, no grandfather clauses.
Why You Cannot Wait Until Summer 2026
The bottleneck is not remediation — it's C3PAO availability.
There are a limited number of certified C3PAOs authorized by the CMMC Accreditation Body (The Cyber AB). As of early 2026, wait times for scheduling an assessment range from 3 to 6 months. As the November deadline approaches, this will extend further.
Here's the math:
- 80,000+ contractors need certification
- A C3PAO assessment takes 1-2 weeks per contractor
- There are currently fewer than 50 active C3PAOs
- Each C3PAO can assess roughly 25-40 companies per year
Even with aggressive C3PAO growth, the system cannot process the backlog if everyone waits until Q3 2026.
The contractors who schedule their C3PAO assessment now will be certified. Those who wait until summer will be in a queue that extends past the deadline.
Month-by-Month Action Plan
March - April 2026: Foundation (You are here)
If you haven't started:
- Identify a senior owner for CMMC compliance (CISO, ISSO, or compliance lead)
- Define your CUI boundary — document every system that stores, processes, or transmits CUI
- Conduct an initial gap assessment against all 110 NIST 800-171 controls
- Begin your System Security Plan (SSP)
If you're mid-process:
- Validate your CUI boundary is complete and accurate
- Review your SSP for technical accuracy against actual configurations
- Prioritize remediation of NOT MET controls
- Schedule your C3PAO assessment if you haven't already
May - June 2026: Remediation Sprint
- Close the highest-priority gaps identified in your assessment
- Deploy continuous monitoring tools for configuration drift detection
- Establish audit log review procedures and document evidence
- Conduct tabletop exercises for your incident response plan
- Implement MFA for all privileged and remote access (if not already done)
July - August 2026: Evidence Collection & Documentation
- Complete your SSP with technical evidence for every control
- Build POA&M entries for any remaining open items with realistic timelines
- Conduct internal mock assessments simulating C3PAO procedures
- Ensure all personnel have completed role-based security awareness training
- Validate all 14 control families have documented evidence
September - October 2026: Pre-Assessment
- C3PAO assessment window — if you scheduled in Q1, your assessment is likely in this timeframe
- Final review of all evidence packages
- Pre-assessment readiness check with your C3PAO
- Remediate any findings from the pre-assessment phase
November 2026: Enforcement Begins
If you've followed this timeline, you either have your certification or are in the final stages of your C3PAO assessment. Contractors who haven't started are now facing:
- A 6+ month C3PAO backlog
- Inability to bid on new CUI contracts
- Potential loss of existing contract renewals
What "In Process" Means and Whether It Helps
Some contractors hope that being "in process" with a C3PAO assessment will suffice when enforcement begins. The answer is: it depends on the specific contract and contracting officer.
The CMMC rule allows contracting officers some discretion. Having a scheduled C3PAO assessment with evidence of active compliance work is significantly better than having nothing. But it is not a guarantee of contract eligibility.
The safest position is to have your certification complete before November 2026. The next best position is to have your C3PAO assessment scheduled and actively underway.
The Real Cost of Waiting
Every month of delay compounds the problem:
- C3PAO backlog grows — scheduling slots fill up, wait times extend
- Remediation takes longer than expected — technical implementations always reveal unexpected complexity
- Personnel availability — key staff get pulled to other priorities
- Contract timing — you may miss recompete deadlines while waiting for certification
The defense contractors who will navigate this transition smoothly are the ones who started early, invested in automation, and treated CMMC as a continuous requirement rather than a one-time assessment.
How PolicyCortex Compresses the Timeline
PolicyCortex was built specifically for this moment. The platform:
- Continuously monitors all 110 NIST 800-171 controls across your cloud environment
- Auto-collects evidence for every control family — no manual screenshots or spreadsheets
- Detects configuration drift in real time, before it becomes an assessment finding
- Generates SSP documentation mapped to your actual technical implementation
- Tracks POA&Ms with automated progress updates as you remediate findings
Defense contractors using PolicyCortex have reduced their assessment preparation from months to weeks — not by cutting corners, but by automating the evidence collection and monitoring that consume 80% of the preparation effort.
The November 2026 deadline is fixed. Your preparation timeline is not. Start now.
Take the free CMMC Readiness Assessment to see where you stand, or book a 15-minute demo to see PolicyCortex in action.