CMMC 2026 Deadline: Phase 2 Timeline for Small Contractors
Published April 17, 2026 — The Phase 2 deadline is October 31, 2026. Here is what you need to do and when you need to do it.
Key date: October 31, 2026 — Phase 2 of the CMMC rollout begins. DoD contracts will start requiring third-party C3PAO assessments for Level 2 certification. If you handle CUI and have not started preparing, your window is closing.
The Cybersecurity Maturity Model Certification is rolling out in phases, and the most consequential phase for small defense contractors — Phase 2 — arrives in October 2026. This is when the DoD transitions from accepting self-assessments to requiring independent third-party verification for most CUI-handling contractors.
This guide lays out the full phased timeline, explains what happens at each stage, and gives you a month-by-month action plan to get certified before the deadline.
The Three-Phase CMMC Rollout
The DoD is implementing CMMC through a phased approach defined in 48 CFR Part 204. Each phase expands the scope and rigor of certification requirements:
Phase 1: Self-Assessment (Active Now)
Phase 1 began when the CMMC Final Rule (32 CFR Part 170) took effect. During this phase:
- DoD contracts may include CMMC Level 1 self-assessment requirements
- DoD contracts may include CMMC Level 2 self-assessment requirements for lower-sensitivity CUI
- Contractors must submit self-assessment results to SPRS
- No third-party assessment is required yet
- Contractors with existing NIST SP 800-171 self-assessments in SPRS satisfy Phase 1 requirements
Phase 1 is designed to give contractors time to understand the framework and begin gap remediation while the C3PAO ecosystem scales up.
Phase 2: Third-Party Assessments Begin (October 31, 2026)
Phase 2 is the critical transition. Starting October 31, 2026:
- DoD contracts involving CUI may require CMMC Level 2 certification via C3PAO third-party assessment
- Contracting officers gain the authority to include CMMC Level 2 C3PAO assessment as a contract requirement
- Self-assessments will still be accepted for some lower-sensitivity CUI contracts, but the trend will shift heavily toward C3PAO requirements
- New contract solicitations will increasingly specify C3PAO assessment
- Existing contracts up for renewal may add CMMC Level 2 C3PAO requirements
What this means for you: If you are a small contractor who handles CUI and competes for DoD contracts, you should plan to have your C3PAO assessment completed by October 2026. Waiting until after Phase 2 begins means you may miss contract opportunities while you are in the certification process.
Phase 3: Full Implementation (Approximately 2027–2028)
Phase 3 expands CMMC requirements to all applicable DoD contracts:
- All DoD contracts with CUI will require CMMC Level 2 certification
- CMMC Level 3 (Expert) requirements begin appearing on the highest-sensitivity programs
- Option periods and renewals on existing contracts will include CMMC requirements
- The CMMC ecosystem will be fully operational with sufficient C3PAO capacity
By Phase 3, CMMC certification will be as routine and expected as having a facility clearance. Not having it will effectively lock you out of the defense supply chain.
What Happens If You Miss the Deadline
Missing the Phase 2 deadline does not result in fines or penalties in itself. However, the practical consequences are severe:
- Contract ineligibility — You cannot bid on or receive contracts that require CMMC Level 2 C3PAO certification
- Contract non-renewal — Existing contracts coming up for renewal may add CMMC requirements you cannot meet
- Prime contractor replacement — If you are a subcontractor, primes may replace you with a certified competitor to maintain their own compliance posture
- Competitive disadvantage — Certified competitors will win contracts you would otherwise be eligible for
- Revenue loss — For contractors heavily dependent on DoD work, the revenue impact can be existential
The risk is not a single deadline cliff — it is a gradual squeeze. Each new solicitation that includes CMMC Level 2 is a contract you cannot compete for. Over months, the cumulative impact grows.
How Long Does Certification Actually Take?
From starting your preparation to receiving your CMMC Level 2 certification, expect 6 to 12 months. Here is a realistic breakdown:
| Phase | Duration | Details |
| --- | --- | --- |
| Initial gap assessment | 2–4 weeks | Assess all 110 controls, calculate SPRS score, identify gaps |
| Remediation planning | 2–4 weeks | Prioritize gaps by weight and difficulty, budget, assign owners |
| Technical remediation | 3–9 months | Implement MFA, SIEM, encryption, network segmentation, etc. |
| Documentation | Concurrent | Write SSP, policies, procedures as you implement (do not wait until the end) |
| Evidence collection | Concurrent | Screenshots, configurations, training records, policy sign-offs |
| Pre-assessment readiness | 2–4 weeks | Internal review or mock assessment to catch remaining gaps |
| C3PAO scheduling | 2–4 months lead time | Book early — C3PAO availability is limited and shrinking |
| C3PAO on-site assessment | 3–5 days | Assessors review evidence, interview staff, verify controls |
| POA&M closure (if conditional) | Up to 180 days | Close any gaps identified during assessment |
The bottleneck is C3PAO availability. There are a limited number of accredited C3PAOs, and demand is surging as the deadline approaches. Scheduling lead times are already 2–4 months and growing. Book your assessment slot as early as possible, even before your remediation is fully complete.
Month-by-Month Action Plan (Starting April 2026)
With the Phase 2 deadline roughly 6 months away, here is a concrete action plan for a small contractor starting today:
April 2026: Assess and Plan
- Complete a full assessment of all 110 NIST SP 800-171 controls
- Calculate your current SPRS score
- Identify your CUI boundary — what systems, networks, and locations are in scope
- Prioritize gaps by control weight (5-point controls first)
- Begin researching C3PAOs and request quotes
May 2026: Start Remediation
- Deploy multi-factor authentication (MFA) on all accounts if not already in place (IA.L2-3.5.3, weight: 5)
- Implement or verify encryption for CUI at rest and in transit (SC.L2-3.13.8, SC.L2-3.13.11)
- Begin deploying centralized log management or SIEM (AU family controls)
- Start drafting your System Security Plan (SSP) for each control family
- Schedule your C3PAO assessment for August or September
June 2026: Continue Remediation and Document
- Complete network segmentation to isolate CUI systems (SC.L2-3.13.1)
- Implement account management and access control policies (AC family)
- Deploy endpoint detection and response (EDR) tools (SI.L2-3.14.2)
- Write incident response plan and conduct tabletop exercise (IR family)
- Collect evidence artifacts for each implemented control
July 2026: Documentation Sprint
- Complete your SSP with narratives for all 14 control families
- Finalize POA&M for any controls still in progress
- Conduct security awareness training for all staff (AT family)
- Review and update physical security controls (PE family)
- Perform internal vulnerability scan and remediate findings (RA.L2-3.11.2)
August 2026: Pre-Assessment Readiness
- Conduct internal mock assessment against all 110 controls
- Verify all evidence artifacts are current and linked to correct controls
- Review SSP for completeness and accuracy
- Ensure all staff know their roles for the assessment (who answers questions about which controls)
- Update your SPRS score to reflect your current remediation progress
September–October 2026: C3PAO Assessment
- Complete your C3PAO assessment
- Address any findings or conditional items immediately
- If you receive conditional certification, begin closing POA&M items (180-day clock starts)
- Submit final SPRS score update
What If You Are Already Behind?
If you are reading this in mid-2026 and have not started, you can still make significant progress:
- Do not panic, but do start now. Every week of delay makes the timeline tighter.
- Focus on high-weight controls first. Implementing the top 5-point controls gives you the most score improvement.
- Use compliance tools, not spreadsheets. Purpose-built trackers like NormSuite CMMC Tracker save weeks of manual work on documentation and scoring.
- Consider a managed security service provider (MSSP) that specializes in CMMC. They can accelerate remediation significantly.
- Book a C3PAO now. Even if you are not ready today, getting on their calendar ensures you have a slot. You can always push it back if needed, but you cannot conjure a slot at the last minute.
- Start with self-assessment. Submit your current SPRS score (even if low) to SPRS. This satisfies Phase 1 requirements and demonstrates you are in the process.
C3PAO Capacity: The Hidden Risk
There are currently a limited number of accredited C3PAOs, and the number of defense contractors who need Level 2 assessments is estimated at 50,000 to 80,000. The math does not work out — there is not enough C3PAO capacity to assess everyone before the deadline.
This capacity constraint means:
- Assessment scheduling lead times will continue to grow through 2026
- C3PAO fees may increase as demand outstrips supply
- Contractors who book early get assessed first
- Last-minute requests may face 6+ month wait times
The Cyber AB is accrediting new C3PAOs on an ongoing basis, but the ramp-up will not fully meet demand by October 2026. Treat C3PAO scheduling as a first-priority action item, not something to do after remediation is complete.
Track Your Deadline Progress with NormSuite
NormSuite CMMC Tracker is designed to get you from gap assessment to C3PAO-ready as efficiently as possible:
- All 110 controls mapped with plain-English descriptions and DoD-assigned weights
- Real-time SPRS score that updates as you assess and remediate
- POA&M generation for remaining gaps with owner assignments and due dates
- SSP builder with AI-assisted narratives for each control family
- Evidence vault to organize artifacts before your assessment
- Compliance dashboard showing exactly where you stand across all 14 families
Start today: The free tier lets you assess up to 20 controls and preview your SPRS score. Create your free account and see where you stand in under an hour.
Frequently Asked Questions
When is the CMMC Level 2 deadline?
CMMC Phase 2 begins October 31, 2026. Starting on that date, DoD contracts involving CUI will begin requiring third-party C3PAO assessments for Level 2 certification. The rollout is phased, so not all contracts will require it immediately, but new solicitations will increasingly include the requirement.
What happens if I miss the CMMC deadline?
You will be ineligible to bid on or receive contracts that require CMMC Level 2 C3PAO certification. Existing contracts may not be renewed, and prime contractors may replace uncertified subcontractors. There are no fines for missing the deadline itself, but the contract revenue impact can be severe.
How long does CMMC Level 2 certification take?
Expect 6 to 12 months from start to certification. This includes gap assessment, remediation, documentation, C3PAO scheduling (2–4 month lead time), on-site assessment, and any POA&M closure. The biggest variable is your starting security posture and C3PAO availability.
Can I get an extension on the CMMC deadline?
The DoD has not announced any individual extension mechanism. The phased rollout is itself a gradual approach, with Phase 1 accepting self-assessments and Phase 2 requiring C3PAOs. If you are actively in the certification process when a solicitation drops, you may be able to demonstrate progress, but there is no guaranteed extension. Starting early is the only reliable strategy.