Why the Phased Rollout Exists
The DoD didn't flip a switch on CMMC all at once. There are 118,000+ companies in the defense industrial base, and the infrastructure to assess them all simply doesn't exist yet. The phased approach was designed to let the assessment ecosystem catch up while still creating real urgency for companies to start.
The problem is that "phased" gets misread as "optional for now." It's not. Phase 1 is already in effect. Phase 2 is seven months away. Companies that haven't started their compliance programs are already behind.
The Four Phases — What Each One Means
Phase 1: Foundation
The CMMC 2.0 Final Rule took effect. New DoD contracts can now include CMMC requirements — Level 1 self-assessment requirements are standard, and some Level 2 assessments are already showing up in contracts. The Supplier Performance Risk System (SPRS) is being used to track compliance scores. If your contract was awarded after December 2024 and includes DFARS 252.204-7021, you're already subject to CMMC.
Phase 2: The Big One
All new DoD contracts involving CUI require formal CMMC Level 2 certification — meaning a third-party C3PAO assessment, not just a self-assessment. From November 2026 forward, if you don't have a C3PAO-issued certification, you're not eligible to bid on covered contracts. Primes must be certified, and they must flow requirements down to their subs. This deadline affects the vast majority of defense manufacturers, machine shops, aerospace subcontractors, and engineering firms.
Phase 3: Option Periods
CMMC requirements extend to option periods on existing contracts. This matters if you have multi-year contracts awarded before Phase 2 — when those contracts come up for renewal, CMMC applies. Level 3 requirements (based on NIST SP 800-172) also begin appearing for high-priority programs with the most sensitive data. Level 3 is rare — it targets a small subset of defense programs — but if you're in those programs, start planning now.
Phase 4: Full Rollout
CMMC requirements apply to all DoD contracts — no exceptions, no carve-outs. Every company with a DoD contract of any kind, at any tier of the supply chain, will be required to maintain their appropriate CMMC level. By this point, the companies that didn't get certified in Phase 2 will have been competing at a significant disadvantage for two years. This is the end state.
Our free readiness check takes 2 minutes and tells you exactly what you need to do — and how much time you have — based on your actual operation, not a generic checklist.
Take the Free Readiness Check →Phase 2 Is the One That Matters Right Now
Let's be direct: if you're a defense manufacturer, machine shop, aerospace subcontractor, or engineering firm, November 2026 is your deadline. Phase 2 is when your ability to bid on covered contracts depends on having a certified compliance posture — verified by an authorized third party.
That third party is called a C3PAO — a CMMC Third Party Assessment Organization. They go through a rigorous authorization process themselves, which is why there are only about 90 of them serving the entire defense industrial base. When you read that there are 118,000+ companies that need assessment, and only 90 assessors, you start to understand the problem.
What Primes Are Doing Right Now
Large prime contractors — Lockheed Martin, Northrop Grumman, Raytheon, Boeing, General Dynamics — are actively auditing their supply chains. Their compliance teams are reviewing their supplier lists, identifying which subs handle CUI, and demanding SPRS scores and compliance documentation. Some are already requiring proof of CMMC compliance on new subcontracts, ahead of the formal Phase 2 deadline.
The shops getting early contracts are the ones that already have their compliance programs in motion. The shops that say "we'll worry about it when our prime asks" are going to find that conversation happening at the worst possible time — when there's a specific contract on the line and a 60-day window to get certified.
The C3PAO Capacity Crisis
This is the part nobody wants to talk about because it makes an already stressful situation feel overwhelming. But you need to understand it so you can plan realistically.
Roughly 90 authorized C3PAOs. Over 118,000 defense contractors needing assessment. C3PAO assessments take 2–4 weeks each. Even running at full capacity, the supply of assessors can't meet the demand — especially if companies wait until 2026 to start booking. Slots are already booking 12–18 months out in early 2026.
This isn't a scare tactic — it's arithmetic. If you haven't booked your C3PAO assessment yet, that step alone should jump to the top of your priority list. You can work on your compliance program while you're on the waitlist, but you can't fast-track yourself to the front of the queue.
Working Backward From Your Deadline
Here's what a realistic path to Phase 2 compliance looks like, working backward from November 2026:
The implication is clear: companies that haven't started by now are at real risk of missing the November 2026 deadline. That doesn't mean give up — every month you can shave off matters. But it does mean there's no time for extended planning phases. You need to move.
The companies that will be fine after Phase 2 are the ones that treated CMMC like a business-critical project starting in 2024 or early 2025 — not the ones that waited for their prime to send a formal letter.
Our readiness assessment maps your current state against the 110 NIST 800-171 controls and gives you a realistic picture of your timeline and cost. It takes 2 minutes and you'll have a starting point before you finish your coffee.
Take the Free Readiness Check →What You Should Be Doing Right Now
If you're reading this and you haven't started your compliance program, here's your prioritized action list — in order of urgency:
1. Determine your required level. Use the Level 1 vs Level 2 guide to confirm whether you need Level 1 self-assessment or Level 2 C3PAO certification. This shapes everything else.
2. Book a C3PAO assessment slot immediately. You can't control the wait time, but you can control when you get in line. Contact C3PAOs now, get on their waitlist, and work backward from your assessment date to set your remediation schedule.
3. Conduct a gap assessment. You need to know where you stand against the 110 controls before you can build a remediation plan. Our free readiness check gives you a preliminary picture. For a full control-by-control report, see our Gap Analysis Guide.
4. Start documentation in parallel with remediation. Your SSP and policies don't have to wait until your technical work is done. Start documenting your environment and your planned controls now — it saves time and gives your C3PAO something to review before the formal assessment.
5. Understand your cost. See the full breakdown in the CMMC Cost Guide — and understand where you can cut costs significantly versus where you can't.
Frequently Asked Questions
Yes. CMMC Phase 1 went into effect with the Final Rule in December 2024. New DoD contracts for Level 1 work can include CMMC requirements, and some Level 2 contracts also include them. Companies that haven't started their compliance programs are already behind.
Phase 2 is when CMMC Level 2 requirements become standard in all new DoD contracts involving CUI. From that date, primes must be Level 2 certified and flow requirements to subcontractors. Companies without certification won't be eligible to bid on covered contracts. This is the deadline that matters most for most defense manufacturers.
Waivers are technically possible but extremely limited — they require senior DoD official approval and are typically only granted for unique national security requirements. Do not plan around getting a waiver. Plan around getting certified before the deadline.
Phase 3, starting November 2027, extends CMMC requirements to option periods on existing contracts. If you have a multi-year contract awarded before Phase 2, when it comes up for renewal, CMMC will apply. This catches companies who thought existing contracts gave them immunity. It also introduces Level 3 requirements for certain high-priority programs.
If you start immediately, it's possible but tight. Level 2 certification takes 9–18 months from zero to certified, and C3PAO slots are booking 12–18 months out. Every month you wait makes the math harder. Start the assessment today, book your C3PAO slot immediately, and move fast on remediation.
There are roughly 90 authorized C3PAOs serving over 118,000 defense contractors that need Level 2 assessments. Even running at full capacity, assessors can't serve everyone before Phase 2 if companies wait until 2026 to book. Slots are already booking 12–18 months out. Book your assessment slot before you finish your remediation — that's how tight the timeline is.
See Your Timeline in 2 Minutes
The quiz maps your current state to your deadline and tells you exactly what needs to happen and when. Stop estimating — get a real picture.
Take the Free Readiness Check →Takes 2 minutes · Free · No obligation