The Cybersecurity Maturity Model Certification program has been in motion for years. Phase 2 -- beginning November 10, 2026 -- is when the compliance stakes become contractual consequences.
For defense contractors handling Controlled Unclassified Information, Phase 2 ends the era of self-attestation. Third-party certification becomes mandatory. And organizations that aren't ready won't be eligible for covered contracts.
This post covers exactly what changes on November 10, who is affected, what CMMC Level 2 certification requires, and why your preparation timeline needs to start now.
CMMC enforcement is rolling out in four phases. Phase 1, effective November 10, 2025, introduced CMMC Level 1 and Level 2 self-assessment requirements into applicable DoD solicitations and contracts. Contractors could attest to their own compliance, submit their SPRS score, and remain eligible.
Phase 2 eliminates that option for most Level 2 contracts. Beginning November 10, 2026, mandatory C3PAO assessments become the standard requirement for contracts involving CUI. That means an accredited third-party assessment organization will review your documentation, conduct interviews, and technically validate that your organization actually meets all 110 NIST SP 800-171 security requirements -- not just that you've said it does.
The shift is significant. A signed attestation that satisfied Phase 1 requirements will not satisfy a Phase 2 C3PAO. Organizations that treated Phase 1 as the finish line are now behind.
CMMC Level 2 applies to any organization that processes, stores, or transmits CUI in the performance of a DoD contract. That includes prime contractors and the subcontractors they flow CUI down to. If you receive technical drawings, specifications, engineering data, or any other sensitive DoD information as part of your work, you are almost certainly in scope.
Two situations where organizations most often underestimate their exposure:
Subcontractors who haven't been formally notified. If a prime contractor flows CUI to you, the compliance obligation flows with it -- regardless of whether you've had an explicit CMMC conversation with your prime. Supply chain enforcement is a stated DoD priority, and prime contractors are increasingly issuing compliance demands to their suppliers ahead of Phase 2.
Organizations with mixed federal portfolios. GSA requirements have extended NIST 800-171 compliance to civilian agency contracts involving CUI as well. For organizations with both DoD and non-DoD federal work, the practical compliance baseline is converging.
If you're uncertain whether CUI flows through your environment, that uncertainty needs to be resolved before anything else.
To pass a C3PAO assessment, three deliverables need to be in place -- and they need to be accurate, not aspirational.
Your System Security Plan (SSP) documents how your organization implements each of the 110 NIST 800-171 controls across your in-scope environment. It defines your system boundary, describes your control implementations, and serves as the primary reference document for assessors. A strong SSP reflects your actual environment, not a future-state or idealized version of it. Discrepancies between your SSP and what assessors observe are a significant source of findings.
Your score in the Supplier Performance Risk System quantifies your organization's NIST 800-171 compliance posture. It needs to reflect your real security state. False Claims Act enforcement actions have already been brought against contractors whose SPRS scores were found to be inaccurate -- including the first-ever action against a subcontractor. The legal risk of an inflated score is not theoretical.
Evidence is where most CMMC efforts break down. Your controls need to be demonstrably operational, meaning logs, configurations, screenshots, and records that consistently show your security practices functioning as your SSP describes. Policies that say one thing while system behavior shows another are the most common reason assessors flag non-compliance. Evidence needs to be current, control-mapped, and reviewable on demand.
You'll also need a Plan of Action and Milestones documenting any gaps in your control implementation and your remediation timeline. An assessor will expect to see a credible path to full compliance, not just an acknowledgment that gaps exist.
A C3PAO assessment doesn't happen in a week. Authorized assessors have limited capacity, and demand heading into Phase 2 will compress availability further. The preparation work itself -- scoping, gap analysis, remediation, documentation, evidence collection, and pre-assessment validation -- typically takes six to twelve months, depending on your current security posture.
Organizations that begin preparation in September or October are not on track for November. They are on track for 2027, and they will miss contract opportunities in the interim.
There's also a sequencing reality that often catches organizations off guard: you can't begin meaningful remediation until you've completed a thorough gap analysis. You can't build a credible SSP until you've scoped your environment. Each phase of preparation depends on the one before it. That dependency chain is why starting late has a compounding effect.
The contractors who meet the Phase 2 deadline are the ones who started their gap analysis months ago -- or who are starting it today.
Strike Graph is built around the three deliverables every C3PAO assessment requires: your System Security Plan, your Self-Assessment and SPRS score, and your Plan of Action & Milestones (POA&M). The platform automates evidence collection, continuously validates that evidence against your NIST 800-171 controls, and surfaces gaps before they become assessment findings.
Verify AI, Strike Graph's patent-pending evidence validation technology, detects version drift, checks evidence content against control descriptions, and flags inconsistencies in real time. It's the difference between discovering a broken evidence chain at 11pm the night before an assessor arrives and having it caught and corrected months earlier.
You can start on Strike Graph's full CMMC compliance platform today -- free for 60 days. That includes your self-assessment, SSP builder, POA&M tracking, NIST 800-171 mappings, Verify AI, and compliance dashboards.
Not sure where your gaps are? Strike Graph CMMC experts are here to help you each step of the way.