The Department of Defense's CMMC 2.0 Acquisition Rule went into force on November 10, 2025, and the clock that matters for most DoD contractors starts ticking one year later. If your firm handles Controlled Unclassified Information — or sits in the supply chain of anyone who does — Phase 2 of the rollout will reshape your 2026.
Here's the part that isn't getting enough attention: the Phase 2 deadline isn't about paperwork. It's about walking into a third-party assessment with your control set already working.
The four-phase timeline in plain English
Per DoD CIO guidance and the final 48 CFR Acquisition Rule:
- Phase 1 (Nov 10, 2025 – Nov 9, 2026): New DoD contracts require Level 1 and Level 2 self-assessments. If you're here now, you're doing annual affirmations and SPRS score submissions.
- Phase 2 (begins Nov 10, 2026): Level 2 certification assessments by an accredited C3PAO become mandatory for contracts involving CUI. No more self-attestation on the things that matter.
- Phase 3 (Nov 10, 2027): Level 3 DIBCAC assessments begin for the highest-sensitivity programs.
- Phase 4 (Nov 10, 2028): Full implementation across all applicable DoD acquisitions.
By October 31, 2026, the Pentagon expects CMMC compliance language to appear in essentially all new contract awards. That's roughly six months from now.
Why "we'll start in Q3" is already too late
A Level 2 assessment covers 110 security requirements derived from NIST SP 800-171. The honest timeline to get there — from a standing start — is 9 to 12 months. Not because the controls are exotic, but because evidence of those controls takes time to accumulate. An assessor won't accept "we turned on MFA last Tuesday." They want configuration baselines, change logs, training records, incident exercises, and audit trails that demonstrate the control has been operating.
The common failure mode we see: an SMB reads the NIST 800-171 list, buys a handful of tools, and assumes they're compliant. Six months later, a C3PAO asks for evidence of continuous monitoring over the past 90 days and there's nothing to show. The finding isn't "you don't have the control." It's "you can't prove the control works."
The controls that trip up SMBs
Across recent gap assessments, five requirement families consistently derail CMMC Level 2 candidates:
- 3.1 Access Control. Role-based access is easy to describe and hard to enforce when your domain admins are also developers and your file shares have grown organically. Expect to rebuild your group structure.
- 3.4 Configuration Management. Documented baselines, an approved change process, and actual evidence that deployed configurations match the baseline. Most small firms have the intent but no mechanism.
- 3.6 Incident Response. A policy document isn't enough. You need a tested IR plan, trained roles, reporting to DoD within 72 hours, and a recent exercise record.
- 3.8 Media Protection. Controls on removable media, sanitization procedures, marked CUI — physical reality often doesn't match policy.
- 3.14 System and Information Integrity. Continuous monitoring, flaw remediation timelines, and malicious code protection. This is where an underpowered MSP arrangement becomes visible.
What to do in the next 90 days
If you haven't started, start now. A realistic six-month runway looks like this:
- Month 1: Scope your CUI boundary. What systems, people, and data actually touch CUI? Most firms over-scope and pay for it in assessment effort. Some firms under-scope and get caught.
- Month 2: Gap assessment against all 110 requirements, mapped to current evidence. The output is a prioritized remediation plan, not a pass/fail grade.
- Months 3–4: Remediate the highest-risk gaps, typically access control, logging, and IR. Document as you go — evidence you generate now is evidence the C3PAO will see later.
- Month 5: Internal mock assessment. Run it like it's real. Catch the gaps between "we do this" and "we can prove we do this."
- Month 6: Engage the C3PAO. Expect a 60-to-120-day assessment window. Don't book travel the week it starts.
The strategic read
CMMC isn't an IT project. It's a contracts continuity program. Primes are already screening subcontractors by CMMC status, which means companies without a credible compliance posture will get quietly delisted from bid packages long before November 2026 — without ever being told that's why.
The firms that will win in 2027 are the ones that started treating CMMC as table stakes in early 2026. The ones still deliberating will be watching contracts route around them.
Torchsec helps defense-adjacent firms scope, remediate, and prepare for CMMC Level 2 assessments. If you need an honest read on where you stand, get in touch.
Ready to talk?
If any of this sounds familiar, we'd be happy to walk your team through it. Book a no-obligation consultation or request a free risk assessment.