Phase 2 of the CMMC rollout begins November 10, 2026, which will include third-party assessment requirements in more defense contracts.

Since most contracts involving Controlled Unclassified Information (CUI) will require Level 2 (C3PAO) certification as a condition of award, this is the phase that officially shifts CMMC from largely self-assessed to independently verified. 

Bottom line: If you're a defense contractor handling CUI, Phase 2 is your real deadline for CMMC certification. Here’s what you need to know.

What Phase 2 changes 

The critical change of this phase of CMMC enforcement: 

• In Phase 1, DoD contracting officers had the discretion to include C3PAO assessment requirements in certain Level 2 contracts that handled more sensitive CUI, but this phase largely focused on self-assessments for Level 2 contracts involving non-critical CUI (and Level 1 contracts involving FCI).
• In Phase 2, Level 2 (C3PAO) certification becomes the default for contracts involving CUI. 

Across the entire DIB (~220,000 organizations), the DoD estimates that 35% will need to complete Level 2 (C3PAO) certification. Here's how the numbers break down across the DIB, based on DoD estimates published in the 32 CFR rule:

Among organizations handling CUI specifically:

• 93% will require Level 2 (C3PAO) starting in Phase 2
• 5% will require Level 2 (Self)
• 2% will require Level 3 (DIBCAC)

Among organizations with Level 2 requirements specifically:

• ~95% will require a C3PAO assessment for Phase 2
• Only ~5% handling non-critical CUI may qualify for a self-assessment

Image Source: Impact and Cost Analysis of the Revised CMMC Program in 32 CFR rule

In short, if your contract involves CUI and it's awarded after November 10, 2026, you'll almost certainly need a CMMC Level 2 (C3PAO) certification. A self-assessment isn’t enough; you’ll need to complete an assessment conducted by a Certified Third-Party Assessor Organization.

Who is affected by Phase 2?

Phase 2 primarily affects organizations that:

1. Handle CUI under DoD contracts: Most DIB organizations handling CUI will need Level 2 (C3PAO) certification—93% according to DoD estimates.
2. Are subcontractors receiving CUI from primes: CMMC requirements flow down to every tier. So if a prime needs Level 2 (C3PAO) certification, then that’s the minimum requirement for any subcontractor that handles CUI on their behalf.
3. Plan to bid on new DoD contracts after November 2026: Starting on November 10, 2026, new solicitations and contracts involving CUI will most likely include Level 2 (C3PAO) requirements. 
4. Previously relied on self-assessment: Organizations that were self-reporting NIST 800-171 compliance via SPRS under DFARS 7019 will now need to prove NIST 800-171 compliance via C3PAO-led assessments under CMMC Level 2. 

Who is NOT affected:

• Contractors handling only FCI (CMMC Level 1 remains self-assessment)
• COTS suppliers (exempt from CMMC)
• Existing contracts awarded before Phase 2 (generally not retroactive, though re-competitions and option exercises may include CMMC)

Understanding the C3PAO Assessment Process

A C3PAO is an independent organization authorized by the Cyber AB to conduct CMMC assessments. While the process and duration of a CMMC assessment varies based on the C3PAO and the size and complexity of the organization seeking certification (OSC), the process typically runs like this:

Phase 1: Preparation (1-12 months)

• Define and document your system boundary in architecture diagrams and executive summaries
• Document how each of your controls are implemented in an SSP
• Draft policies and procedures and distribute for employees to accept and review
• Collect and organize evidence for all requirements ideally using a GRC platform

This first part takes more than a year on average, according to Redspin’s latest report on the State of DIB CMMC Readiness. The right tool can slash this timeline to a fraction, with Secureframe Defense reducing assessment readiness to as little as 4 weeks on average. 

Phase 2: The Actual Assessment 

1. Scheduling the assessment (Start 3–6+ months before your target date)

Lead times for C3PAOs can stretch several months, so start reaching out proactively during your readiness phase. A C3PAO's availability is just one of several criteria you can use to select the right partner.

2. Pre-assessment (2-4 weeks)

Up to a month before the assessment, the C3PAO typically conducts a scoping call to: 

• Review architecture diagrams and CUI data flows
• Determine assessment scope 
• Schedule on-site/remote assessment activities
• Request your SSP, POA&M, and supporting documentation in advance

3. Assessment (1-2 weeks)

This is when your assessors verify that what's documented in your SSP is actually happening in practice.

• Assessors evaluate each of the 110 NIST 800-171 requirements and 320 assessment objectives
• Review of policies, procedures, and technical configurations
• Interviews with key personnel
• Testing of technical controls (scanning, verification)
• Evidence collection and validation

3. Scoring, reporting, and results

Each requirement is scored as MET, NOT MET, or NOT APPLICABLE. There are three possible outcomes based on your total score:

1. CMMC Level 2 Final Status if all 110 requirements MET (valid 3 years)
2. Conditional CMMC Status if at least 80% MET (88/110) with qualifying POA&M items (must close within 180 days)
3. No CMMC Status if below 80% threshold or critical requirements not met that can’t be on POA&M

4. Post-assessment

• If conditional status: 180-day window to close POA&M items, followed by a closeout assessment
• If final status: Annual affirmation required to maintain certification
• Full re-assessment every 3 years

Conditional CMMC Status: What Contractors Need to Know Before the Phase 2 Deadline

With the Phase 2 deadline of November 10, 2026 approaching, conditional CMMC status may be the most realistic path for organizations that can't achieve full Level 2 compliance in time. But the rules are strict. Here’s what you need to know:

Requirements for conditional status:

• Must score at least 80% (88 of 110) requirements as MET
• Document permitted unmet requirements in a POA&M 
• Each POA&M item must be worth no more than 1 point in the scoring methodology
• All POA&M items must be closed within 180 days
• A C3PAO closeout assessment must verify remediation

If POA&M items are not closed out within 180 days, your conditional status expires and you become ineligible for contracts requiring Level 2.

Requirements that CANNOT be on a POA&M (must be MET at assessment):

There are some 1-point requirements that the DoD deems fundamental to CUI protection and therefore must be fully implemented before the C3PAO assessment—not documented in a POA&M and remediated later.

These are either basic safeguarding requirements under FAR 52.204-21 or DFARS clause 252.204-7012, and explicitly listed as prohibited in 32 CFR 170.21(a)(2)(iii). 

C3PAO Availability: The Booking Crisis

This is the most underappreciated risk for Phase 2. The number of authorized C3PAOs is growing, but still limited relative to the demand.

According to the February 2026 Cyber AB Town Hall, 

• There are 98 authorized C3PAOs
• 896 final Level 2 Certificates and 36 conditional certificates have been issued
• 110 Level 2 assessments currently in progress

Assuming the conditional certificates and current assessments turn into final certificates, that still means only 1,042 of the estimated 76,598 organizations have completed the expected certification. In other words: 99% of organizations still need to complete Level 2 (C3PAO) certification. 

These organizations are expected to perform these assessments gradually over the next decade, not all at once. DoD projections from the 32 CFR rule show C3PAO assessment capacity ramping from 517 C3PAO in Year 1 to 2,599 in Year 2 and 8,666 in Year 3. Meaning, demand will substantially outpace current capacity well into the Phase 2 window.

Image source:  Impact and Cost Analysis of the Revised CMMC Program in 32 CFR rule

As a result:

• C3PAOs are already reporting full calendars extending into late 2026
• Assessment timelines of 8-12 weeks from engagement to completion are typical
• As Phase 2 approaches, wait times will increase

What this means: If you wait until mid-2026 to begin your C3PAO process, you may not be able to schedule an assessment before the November deadline. Book your C3PAO engagement now, even if your assessment won't occur for months.

Find authorized C3PAOs at the Cyber AB Marketplace or search at cyberab.org/Catalog.

What if you're not ready by November 2026?

You won't lose existing contracts overnight. Phase 2 applies to new solicitations and contracts after November 10, 2026. Existing contracts generally aren't retroactively modified.

But you will:

• Be unable to bid on new contracts requiring Level 2 (C3PAO)
• Risk losing re-competition or option exercise opportunities
• Potentially face subcontracting restrictions if primes require verified compliance
• Fall behind competitors who are certified

The pragmatic approach: Even if you can't complete a C3PAO assessment by November 2026, being in process (gap analysis complete, remediation underway, C3PAO booked) puts you in a vastly better position than having done nothing.

Phase 2 preparation checklist

These timeline estimates reflect readiness efforts using manual processes or disparate tools or consultants. Secureframe Defense automates documentation, gap analysis, remediation tracking, and real-time SPRS scoring, compressing average readiness to as little as 4 weeks.

Go from zero to assessment-ready with Secureframe Defense

Don't wait for Phase 2 to start preparing. Secureframe Defense automates every step of the process, from infrastructure deployment to documentation to monitoring, so you can get assessment-ready in weeks, not months.

Why navigate the process alone when Secureframe will perform a gap analysis against NIST 800-171, document your controls, track your remediation progress, give you a real-time SPRS score—and so much more—so you know exactly where you stand before your C3PAO walks in for the assessment.

Talk to an expert about fast-tracking your Level 2 (C3PAO) certification for Phase 2 before it’s too late.