Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) program takes effect November 10, 2026 — the date when third-party (C3PAO) Level 2 certification becomes mandatory in DoD solicitations involving Controlled Unclassified Information (CUI). Reporting from RidgeIT, Workstreet, and Elevate Consult on the schedule.
The capacity math doesn't work
~80Authorized C3PAOs (third-party assessors)
~80,000Contractors needing Level 2 certification
<600Certified Assessors in the pool today
2,000–3,000Assessors needed at full ramp
12–18 moTime from gap assessment to certification
$80–300kTypical Level 2 assessment cost
Even at full assessor capacity and best-case turnaround, the existing C3PAO pool cannot certify 80,000 contractors in 12 months. Math says a meaningful share of contractors holding CUI obligations will miss the November window — and by extension, the contracts that require Phase 2 compliance.
What "missing it" actually means
Three failure modes:
- Loss of bid eligibility. New solicitations after November 10 that require Level 2 certification will exclude non-certified bidders. Recompetes of existing CUI-handling work fall into this bucket.
- Loss of subcontract pass-through. Primes will start dropping subs that can't certify, because the prime's certification depends on its supply chain.
- Loss of option exercises. Contracting officers can decline to exercise option years on contracts where the contractor's certification status has lapsed.
The full implementation timeline
| Date | Phase | What changes |
|---|---|---|
| Nov 10, 2025 | Phase 1 | Level 1 and Level 2 self-assessments appear in applicable solicitations |
| Nov 10, 2026 | Phase 2 | Mandatory C3PAO certification for Level 2 contracts handling CUI |
| Nov 10, 2027 | Phase 3 | Level 3 requirements apply to all DoD solicitations |
| Nov 10, 2028 | Full | CMMC requirements apply to all contracts and option periods |
What to do this week
- Confirm whether your firm handles CUI on any contract or expects to under future awards. If yes, Level 2 is the relevant target.
- If you haven't started a NIST 800-171 gap assessment, start one this month. Assessor backlogs only get worse.
- Request quotes from at least three C3PAOs now. Sticker shock is real — typical Level 2 assessment runs $80k–$300k depending on scope and remediation needs.
- If you can't make November 2026, plan your bid strategy around non-CUI contracts during the gap.