CMMC Phase 2 Readiness Checklist: Nov 10, 2026 Deadline + 110 Control Path
A step-by-step readiness checklist for defense contractors preparing for the November 10, 2026 CMMC 2.0 Phase 2 deadline.
Published by BlueRadius Cyber | May 2026 | All rules and figures footnoted to federal primary sources
Executive Summary
The CMMC 2.0 final rule (32 CFR Part 170) became effective December 16, 2024, with the implementing DFARS contract clause (252.204-7021) taking effect November 10, 2025.[1][2] CMMC rolls out in four phases. Phase 2 begins November 10, 2026, the date DoD program managers begin requiring Level 2 certification by an accredited Certified Third-Party Assessor Organization (C3PAO) at contract award for solicitations involving Controlled Unclassified Information.[1] Defense contractors and subcontractors that handle CUI cannot win covered DoD contracts after that date without a current C3PAO certificate.
This checklist covers every gating step from scoping through assessment. The DoD's own regulatory impact analysis projects only 135 C3PAO certifications in Year 1, growing to 673 in Year 2, 2,252 in Year 3, and 4,452 in Year 4.[1] With approximately 103 authorized C3PAOs as of March 2026[3] and a realistic 9-to-15-month readiness timeline for contractors starting from scratch[4][5], the runway for contractors who have not yet started is already tight.
Key Facts
- Phase 2 trigger date: November 10, 2026. Level 2 C3PAO certification required at award for applicable DoD solicitations.[1]
- Rule sources: 32 CFR Part 170 (program rule, effective December 16, 2024) and DFARS 252.204-7021 (contract clause, effective November 10, 2025).[1][2][6]
- Level 2 controls: 110 controls across 14 NIST SP 800-171 Revision 2 families, evaluated against 320 assessment objectives in NIST SP 800-171A.[7][8]
- C3PAO ecosystem: approximately 103 authorized C3PAOs as of March 2026, growing slowly; assessment fees typically run $30,000 to $80,000 for small and mid-size contractors and up to $150,000 for larger organizations.[3][5]
- POA&M rule: conditional certification with a Plan of Action and Milestones is valid for 180 days; minimum 80% score required, and certain controls cannot be on a POA&M.[9]
- Annual affirmation: a senior official affirmation in SPRS is required annually; knowingly false affirmation creates personal False Claims Act liability.[10][11]
- Realistic timeline: 9 to 15 months from kickoff to C3PAO assessment readiness for unprepared contractors. Gating items: System Security Plan, POA&M, subcontractor flow-down evidence.[4][5]
- Most-failed controls: multi-factor authentication (IA family), audit logging, configuration management, and incident response evidence.[12]
Bottom line: Phase 2 is not retroactive to in-flight DoD contracts; those existing contracts are swept in at Phase 4 option exercises on November 10, 2028.[1] But any new solicitation issued on or after November 10, 2026 that requires CMMC Level 2 will exclude uncertified bidders. The cost of missing the deadline is not a fine; it is bid disqualification. Defense contractors that have not yet started a gap assessment should begin one within 30 days to preserve a realistic path to certification before Phase 2.
How the Four Phases Work
CMMC implementation is staged over four Nov-10 anniversaries:[1]
- Phase 1 (November 10, 2025 to November 9, 2026): Level 1 (self-assessment) and Level 2 self-assessment required at award for applicable solicitations.
- Phase 2 (November 10, 2026 to November 9, 2027): Level 2 C3PAO certification required at award. This is the headline deadline.
- Phase 3 (November 10, 2027 to November 9, 2028): Level 2 C3PAO required for option exercises on existing contracts; Level 3 required at award.
- Phase 4 (November 10, 2028 and after): Full implementation. All in-scope contracts including pre-existing option exercises require the appropriate level.
Existing contracts are not retroactively swept in until Phase 4. Phase 2 affects new solicitations and competitive renewals only.[1]
The Three CMMC Levels
Level 1 (Foundational)
17 basic safeguarding controls from FAR clause 52.204-21. Annual self-assessment in SPRS. Applies to contractors handling only Federal Contract Information (FCI), not CUI.[1][7]
Level 2 (Advanced) — the bulk of defense suppliers
110 controls from NIST SP 800-171 Revision 2, evaluated against 320 assessment objectives in NIST SP 800-171A.[7][8] Applies to contractors handling Controlled Unclassified Information. C3PAO assessment every three years (a narrow exception allows self-assessment for select contracts). The 14 control families and their counts:[8]
- Access Control (AC): 22 controls
- Awareness and Training (AT): 3
- Audit and Accountability (AU): 9
- Configuration Management (CM): 9
- Identification and Authentication (IA): 11
- Incident Response (IR): 3
- Maintenance (MA): 6
- Media Protection (MP): 9
- Personnel Security (PS): 2
- Physical Protection (PE): 6
- Risk Assessment (RA): 3
- Security Assessment (CA): 4
- System and Communications Protection (SC): 16
- System and Information Integrity (SI): 7
Phase 2 uses NIST SP 800-171 Revision 2. Revision 3 was finalized May 14, 2024 but DoD has not yet transitioned to it via rulemaking.[8]
Level 3 (Expert)
Level 2 plus 24 selected enhanced controls from NIST SP 800-172. Assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not C3PAOs. Applies to contractors handling the most sensitive CUI under advanced persistent threat exposure.[13]
The Readiness Checklist
A realistic readiness program for an unprepared Level 2 contractor runs nine to fifteen months in five phases. Compress at your own risk; common stumbling blocks (covered below) typically add three to six months of unplanned work.
Phase 0: Scoping (4 to 6 weeks)
- Identify the CUI you handle. Per 32 CFR Part 2002 and the NARA CUI Registry, CUI covers categories including Controlled Technical Information, Export Controlled, Privacy, Proprietary Business Information, and dozens of others.[14][15] Identify which DoD contracts (current and pipeline) generate CUI for your organization, and which categories.
- Define the CUI boundary. Map every system, network segment, application, storage location, and endpoint that touches CUI. The smaller the boundary, the faster certification proceeds. Aggressive boundary narrowing (use a dedicated CUI enclave rather than treating your whole network as in-scope) typically compresses the timeline 30 to 50%.
- Confirm Level 2 (not Level 1) is your requirement. If your only DoD work involves FCI not CUI, Level 1 is sufficient. Many contractors over-scope themselves.
- Identify subcontractors handling CUI. 32 CFR 170.23 requires primes to flow appropriate CMMC level requirements down to subs.[1]
Phase 1: Gap Assessment (4 to 8 weeks)
- Map current controls to NIST SP 800-171 Rev 2. All 110 controls, broken into 320 assessment objectives. Result: a gap matrix identifying which controls are fully implemented, partially implemented, planned, or not applicable.[8]
- Calculate your current SPRS score. Scoring methodology in DoD Assessment Methodology v1.2.1 (or current version). Starting score for many contractors is negative because the methodology weights some controls heavily.
- Identify show-stoppers. Certain controls cannot go on a POA&M and must be fully implemented before assessment (see Phase 4 below).
- Draft a realistic remediation roadmap. Account for vendor lead times, technology refresh budgets, and personnel availability.
Phase 2: Remediation (12 to 26 weeks)
The technical and administrative work to close gaps. Common remediation buckets:
- Identification and Authentication (IA family): phishing-resistant multi-factor authentication for all privileged accounts and remote access. The most commonly failed control family in C3PAO assessments.[12]
- Audit and Accountability (AU family): centralized logging across the CUI boundary with retention sufficient for incident reconstruction. SIEM deployment if not already in place.
- Configuration Management (CM family): hardened baselines for every system in scope, change control documentation, and inventory accuracy. Common failure point.[12]
- Incident Response (IR family): documented incident response plan, designated incident response team, and tested response procedures with evidence of exercises within the past 12 months.[12]
- Media Protection (MP family): media sanitization procedures, encrypted removable media, and chain-of-custody documentation.
- System and Communications Protection (SC family): FIPS-validated cryptography for CUI at rest and in transit. This is a frequent procurement bottleneck.
- System and Information Integrity (SI family): centrally managed anti-malware, vulnerability management with timely patching, and flaw remediation tracking.
Phase 3: Documentation (concurrent with Phase 2)
- System Security Plan (SSP): the central document. Describes the CUI environment, the controls implemented, and how each NIST SP 800-171 practice is satisfied. The SSP is the first artifact a C3PAO assessor reviews. Inaccurate or thin SSPs cause assessment failures more than any other documentation defect.
- Plan of Action and Milestones (POA&M): documents controls not yet fully implemented and the schedule to close them. POA&M discipline is essential. Per 32 CFR 170.21, conditional certification is valid for 180 days and you must complete the assessment within that window to convert to full certification.[9]
- Policy and procedure library: documented policies covering every control family. Many contractors discover during gap assessment that their existing policies are aspirational rather than implemented.
- Evidence library: the artifacts that prove each control is operating. Screenshots, configuration exports, log samples, training records, signed attestations. C3PAO assessors will sample evidence during the assessment.
Phase 4: Mock Assessment (3 to 5 weeks)
- Run a mock C3PAO assessment with a qualified internal team or an external advisor. Walk through each of the 320 assessment objectives. Identify any gaps the C3PAO will find.
- Close remaining gaps. Mock assessment findings typically reveal evidence gaps (control is implemented but the evidence is not formatted for a C3PAO walkthrough) more than control gaps.
- Verify POA&M eligibility. Per 32 CFR 170.21, controls worth more than one point in the SPRS scoring cannot be on a POA&M (with a narrow carve-out for SC.L2-3.13.11 CUI encryption).[9] Reconfirm before assessment.
- Confirm at least 80% score. A score below 80% disqualifies you from a conditional certification.[9]
Phase 5: C3PAO Assessment and Certification (4 to 8 weeks)
- Engage an authorized C3PAO. Choose from the approximately 103 authorized C3PAOs in the Cyber-AB marketplace.[3]
- Schedule the assessment. Assessment slots are tightening as Phase 2 approaches. Expect 60 to 120 days from contract to assessment date for established C3PAOs.
- Coordinate the assessment. C3PAOs typically conduct a kickoff, evidence review, on-site or virtual walkthrough, and findings session over 2 to 4 weeks.
- Receive certification. Full certification is valid for three years. Conditional certification (with POA&M items) is valid for 180 days; you must close out POA&M items and pass a re-assessment within that window.[9]
- File annual affirmation. Senior official affirmation in SPRS is required annually. Knowingly false affirmation triggers False Claims Act liability.[10][11]
POA&M Strategy
The Plan of Action and Milestones is the most misunderstood part of CMMC 2.0. Per 32 CFR 170.21, you cannot defer just anything via POA&M.[9]
- You must achieve a minimum 80% SPRS score to receive conditional certification.
- Controls worth more than one point in SPRS scoring cannot be on a POA&M (with a narrow carve-out for SC.L2-3.13.11 CUI encryption).
- POA&M items must be closed within 180 days, with a re-assessment to convert conditional to full certification.
In practice this means roughly the lowest-weight 20% of controls can be deferred to a POA&M; the rest must be fully implemented at initial assessment.
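The scoring and POA&M rules above, together with the SPRS score step in Phase 1 and the eligibility check in Phase 4, reduce to a short decision procedure that can be run over a gap matrix. The following Python is an added example, not BlueRadius, DoD, or C3PAO code. It assumes the DoD Assessment Methodology's 110-point scale in which every control not fully implemented subtracts its weight of 1, 3 or 5 points; the weights on the sample rows are constructed placeholders (take real values from the methodology's scoring table), the PLACEHOLDER rows stand in for the remaining fully implemented controls, "not_applicable" rows are assumed accepted by the assessor, and the partial-credit scoring the methodology gives a few controls is not modeled.

```python
"""
SPRS score and POA&M eligibility check over a NIST SP 800-171 Rev 2 gap matrix.

Added example (not BlueRadius or DoD code). Assumptions:
  - 110-point scale from the DoD Assessment Methodology: every control not fully
    implemented subtracts its weight of 1, 3 or 5 points (no partial credit modeled).
  - Weights on the sample rows below are constructed placeholders; take the real
    values from the methodology's scoring table.
  - "not_applicable" rows are assumed accepted by the assessor and deduct nothing.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_SCORE = 110
# 80% floor per 32 CFR 170.21, computed in integer math to avoid float rounding: 88
MIN_SCORE = (80 * MAX_SCORE + 99) // 100
POAM_WINDOW = timedelta(days=180)
# CUI encryption may sit on a POA&M even though its weight exceeds one point
POAM_CARVE_OUT = {"SC.L2-3.13.11"}
OPEN_STATUSES = {"partial", "planned", "not_implemented"}
VALID_STATUSES = OPEN_STATUSES | {"implemented", "not_applicable"}


@dataclass(frozen=True)
class Control:
    cmmc_id: str
    weight: int   # 1, 3 or 5
    status: str   # implemented | partial | planned | not_implemented | not_applicable


def _check_matrix(controls):
    """A gap matrix must cover all 110 controls with valid statuses and weights."""
    if len(controls) != MAX_SCORE:
        raise ValueError(f"gap matrix has {len(controls)} rows, expected {MAX_SCORE}")
    for c in controls:
        if c.status not in VALID_STATUSES or c.weight not in (1, 3, 5):
            raise ValueError(f"bad row: {c}")


def is_open(control):
    return control.status in OPEN_STATUSES


def sprs_score(controls):
    """110 minus the weight of every control that is not fully implemented."""
    _check_matrix(controls)
    return MAX_SCORE - sum(c.weight for c in controls if is_open(c))


def poam_eligible(control):
    """Open one-point controls, plus the encryption carve-out, may be deferred."""
    return is_open(control) and (control.weight == 1 or control.cmmc_id in POAM_CARVE_OUT)


def poam_candidates(controls):
    return [c.cmmc_id for c in controls if poam_eligible(c)]


def blockers(controls):
    """Open controls that must be implemented before the C3PAO assessment."""
    return [c.cmmc_id for c in controls if is_open(c) and not poam_eligible(c)]


def conditional_cert_ready(controls):
    """Score at or above the 80% floor and nothing open that cannot be on a POA&M."""
    return sprs_score(controls) >= MIN_SCORE and not blockers(controls)


def remediate(controls, cmmc_ids):
    """Return a new matrix with the listed controls marked fully implemented."""
    ids = set(cmmc_ids)
    return [replace(c, status="implemented") if c.cmmc_id in ids else c for c in controls]


def poam_deadline(conditional_cert_date_iso):
    """Last day (YYYY-MM-DD) to close POA&M items and convert to full certification."""
    return (date.fromisoformat(conditional_cert_date_iso) + POAM_WINDOW).isoformat()


# Constructed sample: real Rev 2 requirement numbers, placeholder weights and statuses.
NOTABLE = [
    Control("AC.L2-3.1.1", 5, "implemented"),
    Control("AT.L2-3.2.1", 1, "planned"),
    Control("AU.L2-3.3.1", 5, "partial"),
    Control("CM.L2-3.4.1", 5, "implemented"),
    Control("IA.L2-3.5.3", 5, "not_implemented"),
    Control("IR.L2-3.6.1", 5, "implemented"),
    Control("MA.L2-3.7.5", 1, "planned"),
    Control("SC.L2-3.13.11", 5, "partial"),
    Control("SI.L2-3.14.1", 3, "not_applicable"),
]
# Placeholder rows stand in for the remaining controls, all assumed fully implemented.
SAMPLE = NOTABLE + [
    Control(f"PLACEHOLDER-{i:03d}", 1, "implemented") for i in range(MAX_SCORE - len(NOTABLE))
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE), "/ floor", MIN_SCORE)
    print("must fix before assessment:", blockers(SAMPLE))
    print("may defer to POA&M:", poam_candidates(SAMPLE))
    print("conditional certification possible:", conditional_cert_ready(SAMPLE))
    print("POA&M close-out deadline if certified 2026-11-10:", poam_deadline("2026-11-10"))
```

On the constructed matrix the score is 93, above the 88-point floor, yet conditional certification is still out of reach because two open five-point controls (audit logging and MFA) cannot be deferred; only the two one-point items and the encryption carve-out qualify for the POA&M. The matrix-size check is deliberate: a gap matrix that silently omits controls produces an inflated score, which is exactly the kind of affirmation the False Claims Act section below warns about.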
Subcontractor Flow-Down
DFARS 252.204-7012 already requires safeguarding of CUI and 72-hour cyber incident reporting at flow-down.[6] DFARS 252.204-7021 now flows CMMC level requirements to subcontractors who handle CUI on the contract.[6] 32 CFR 170.23 requires primes to identify which subs handle FCI versus CUI and flow the appropriate level down.[1]
Practical implications:
- Primes are liable under the False Claims Act for knowingly misrepresenting their supply chain's CMMC status.[11]
- Subcontractor selection criteria need to incorporate CMMC level by November 10, 2026.
- Existing subcontractor agreements may need modification or non-renewal if the sub does not pursue certification.
DOJ Enforcement: The False Claims Act Exposure Is Real
The DOJ Civil Cyber-Fraud Initiative has produced real settlements against contractors that misrepresented their cybersecurity posture:
- Penn State University: $1.25 million settlement, October 22, 2024. Allegations of false NIST SP 800-171 self-attestations across 15 DoD and NASA contracts. The whistleblower was the former Chief Information Officer of Penn State's Applied Research Laboratory.[16]
- Georgia Tech Research Corporation: $875,000 settlement. Allegations included failing to install and run anti-malware in CUI environments, lacking an SSP until February 2020, and submitting a false SPRS score in December 2020.[17]
Annual senior official affirmation in SPRS is the personal mechanism through which FCA liability attaches. Submitting a false affirmation knowing the underlying state of the security program is what creates the personal exposure.[10]
Common Stumbling Blocks
Based on aggregated assessor observations, the most-failed assessment objectives cluster in these areas:[12]
- Multi-factor authentication (IA family): not implemented for all privileged accounts or all remote access
- Audit logging (AU family): not centralized, not retained long enough, or not reviewed
- Configuration management (CM family): baselines not documented, change control gaps, inventory accuracy issues
- Incident response (IR family): plan exists on paper but no evidence of exercises in the past 12 months
- FIPS-validated cryptography (SC family): CUI at rest or in transit protected with non-FIPS-validated cryptographic modules
- System Security Plan completeness: SSP describes controls aspirationally rather than as implemented
Costs and Timeline
- C3PAO assessment fee: $30,000 to $80,000 for small and mid-size contractors; up to $150,000 for larger contractors.[5]
- Total first-cycle spend including preparation and technology: industry survey averages cluster between $138,000 and $285,000.[5]
- Kickoff to certification timeline: 9 to 15 months is realistic. Contractors that start with mature security programs may achieve readiness in 6 to 9 months. Contractors starting from zero typically need 12 to 18 months.[4][5]
- Annual affirmation cost: minimal direct cost; the cost is the ongoing program management to keep the SSP accurate and evidence current.
Engage a vCISO to Run Your CMMC Program
CMMC certification is not a one-time project. Annual affirmations, triennial re-assessments, and continuous control operation all require sustained leadership. For mid-market defense contractors without a full-time CISO, a fractional or virtual CISO engagement provides the senior leadership accountability that the senior official affirmation requires, at a fraction of the cost of a full-time hire. BlueRadius Cyber's virtual CISO services embed a senior security leader with hands-on CMMC experience into your program from gap assessment through certification and ongoing maintenance. See the dedicated CMMC compliance services page for engagement scope and pricing.
Frequently Asked Questions
What is the CMMC Phase 2 deadline?
November 10, 2026. As of that date, DoD program managers begin requiring CMMC Level 2 C3PAO certification at contract award for applicable solicitations involving Controlled Unclassified Information.[1]
How many controls does CMMC Level 2 require?
110 controls from NIST Special Publication 800-171 Revision 2, evaluated against 320 assessment objectives published in NIST SP 800-171A. The controls cover 14 control families including access control, audit, configuration management, identification and authentication, and incident response.[7][8]
What does a C3PAO assessment cost?
Industry pricing surveys put C3PAO assessment fees at $30,000 to $80,000 for small and mid-size contractors and up to $150,000 for larger organizations. Total first-cycle spend including preparation and technology averages $138,000 to $285,000 across multiple industry surveys.[5]
How long does CMMC Level 2 readiness take?
Nine to fifteen months from kickoff to C3PAO assessment readiness for contractors starting from a moderate baseline. Contractors starting from zero typically need 12 to 18 months. The largest gating items are the System Security Plan, Plan of Action and Milestones, and subcontractor flow-down documentation.[4][5]
What is a POA&M and how does it work in CMMC?
A Plan of Action and Milestones documents controls that are not yet fully implemented and the schedule to close them. Per 32 CFR 170.21, conditional certification with a POA&M is valid for 180 days, you must achieve a minimum 80% SPRS score to qualify, and controls worth more than one point in scoring cannot be on a POA&M (with a narrow carve-out for CUI encryption).[9]
What happens if I miss the November 10, 2026 deadline?
You are not fined. You are disqualified from bidding on applicable DoD solicitations issued on or after that date that require CMMC Level 2 certification. Existing contracts continue under their original terms until Phase 4 (November 10, 2028) sweeps in option exercises and renewals.[1]
How many C3PAOs are there and is it hard to schedule an assessment?
Approximately 103 C3PAOs are authorized as of March 2026, growing slowly through Cyber-AB's authorization process.[3] Assessment slots are tightening as Phase 2 approaches. Expect 60 to 120 days from contract execution to assessment date for established C3PAOs.
What is the False Claims Act exposure with CMMC?
Annual senior official affirmation in the Supplier Performance Risk System (SPRS) is the personal mechanism through which False Claims Act liability attaches under the DOJ Civil Cyber-Fraud Initiative. Knowingly false affirmations have produced real settlements, including $1.25 million against Penn State (October 2024) and $875,000 against Georgia Tech Research Corporation.[10][16][17]
Does CMMC apply to non-DoD federal contracts?
CMMC 2.0 currently applies to DoD contracts only. Other federal agencies use FedRAMP for cloud providers, FISMA and NIST SP 800-53 for federal systems, and various agency-specific frameworks. Several non-DoD agencies have signaled interest in CMMC-equivalent requirements but no rule has been issued. Building NIST SP 800-171 compliance positions you well regardless of which framework an agency ultimately requires.
Sources
[1] Code of Federal Regulations, 32 CFR Part 170 (Cybersecurity Maturity Model Certification Program). ecfr.gov.
[2] Federal Register, "Cybersecurity Maturity Model Certification (CMMC) Program," final rule published October 15, 2024. federalregister.gov.
[3] Cyber-AB CMMC Ecosystem, C3PAO Marketplace. Cyber-AB Town Hall recaps document the growth of authorized C3PAOs from ~97 in January 2026 to ~103 by March 2026. cyberab.org.
[4] Federal Register CMMC final rule (cited above), Regulatory Impact Analysis projecting 135, 673, 2,252, and 4,452 C3PAO certifications in years 1 through 4. federalregister.gov.
[5] IBSS Corp, "CMMC Level 2 Assessment Cost: What Defense Contractors Pay in 2026" (industry pricing survey, secondary source). ibsscorp.com.
[6] DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements. acquisition.gov.
[7] DoD CIO, "CMMC Level 2 Assessment Guide" (v2.13). dodcio.defense.gov.
[8] National Institute of Standards and Technology, "NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information." nist.gov.
[9] 32 CFR 170.21, Plan of Action and Milestones requirements. ecfr.gov.
[10] 32 CFR 170.22, Annual affirmation requirement. ecfr.gov.
[11] Holland and Knight, "The CMMC Affirmation Trap: FCA Exposure," January 2026 legal alert. hklaw.com.
[12] ISI Defense, "How to Successfully Pass the Most Commonly Failed NIST 800-171 Assessment Objectives." isidefense.com.
[13] DoD CIO, "CMMC Level 3 Assessment Guide." dodcio.defense.gov.
[14] 32 CFR Part 2002, Controlled Unclassified Information. ecfr.gov.
[15] National Archives and Records Administration, CUI Registry. archives.gov.
[16] Inside Government Contracts, "Penn State Agrees to Pay $1.25M in Settlement for Cybersecurity Non-Compliance False Claims Act Allegations." insidegovernmentcontracts.com.
[17] U.S. Department of Justice, "Georgia Tech Research Corporation Agrees to Pay $875,000 to Resolve Civil Cyber-Fraud Litigation." justice.gov.