On November 10, 2026, the Cybersecurity Maturity Model Certification program enters Phase 2, and the rules of the game change for any contractor that handles Controlled Unclassified Information. Phase 2 introduces mandatory third-party C3PAO certification for applicable Level 2 contracts, retiring the self-attestation that carried Phase 1. The phase-in has been public since the DFARS final rule took effect on November 10, 2025, so the date is no surprise. What surprises people is the lead time. A Level 2 assessment, plus the remediation that usually precedes it, is not a thing you start when a solicitation names it. If you are beginning that work now, you may already be behind. We are not, and that is the point of this post.
What Actually Changes on November 10 Phase 1, in effect since late 2025, let most contractors meet the requirement with a Level 1 or Level 2 self-assessment recorded in SPRS. Phase 2 raises the bar for CUI work to a certified assessment performed by an accredited C3PAO. Level 2 means all 110 practices from NIST SP 800-171, independently verified rather than self-scored. The verification is not a one-time gate, either. Contracting officers use the Supplier Performance Risk System to confirm CMMC status before awarding a contract and before exercising an option, which means an existing program can inherit the requirement at its next option year. For a fuller breakdown of the phase schedule, Wiley’s analysis of the final rule is a clear read.
Why “We’ll Get Certified When We Need It” Is Already Too Late The macro date on the calendar is November 10. The date that actually governs you is the day a CMMC clause shows up in your next solicitation, award, or option exercise, and for many firms that is sooner. Industry guidance consistently puts a Level 2 readiness effort at six to twelve months once you account for gap analysis, control implementation, evidence collection, and scheduling against a finite pool of accredited assessors. That assessor capacity is the quiet bottleneck. As Phase 2 pulls demand forward, the firms that waited will be competing for the same C3PAO calendar slots at the same time. Certification is not something you can buy on a deadline; you either have the controls in place and the evidence to prove them, or you watch eligible work go to someone who does.
What an Assessed Prime Means for Your Flowdown CMMC obligations flow down. DFARS 252.204-7021 passes the requirement from prime to subcontractor wherever CUI moves through the supply chain, which makes a teammate’s certification status a live capture risk, not a paperwork footnote. Teaming with a firm that is already assessed retires that risk on day one. In our own DoD cybersecurity work, where we operate endpoint security and RMF programs across classified and unclassified enclaves, we treated CMMC as table stakes rather than a future project: S2i2 is CMMC Level 2 validated by an accredited C3PAO with zero findings, all 110 practices met, on the same NIST SP 800-171 control baseline that Phase 2 demands. That posture sits alongside ISO 9001, 27001, and 20000-1 certifications and a CMMI Maturity Level 3 appraisal. None of it is decorative. It is the difference between a subcontract that adds risk to your bid and one that subtracts it.
Final Thoughts Phase 2 is often described as a deadline, but it is better understood as a sorting mechanism. It separates the firms that built real security infrastructure from the ones that documented an intention to. The certificate itself is a floor, not a finish line; continuous monitoring and annual affirmations keep the obligation alive long after the assessment. The contractors who treat November 10 as a milestone they passed months ago, rather than a cliff they are sprinting toward, will spend 2027 bidding while others are still scheduling. If you are weighing where you stand, the honest test is simple: could you produce the evidence today.
If you’d like to learn more about how S2i2 can help, contact us at info@s2i2.com. Follow us on LinkedIn for more updates from the S2i2 team.
