Compliance
Jul 8, 2026
15 min read

CMMC Compliance Deadline: What Actually Happens on November 10, 2026

Kevin Barona
Table of content
share

There is no single CMMC deadline. There is something worse: a rolling series of them, and the biggest one lands on November 10, 2026.

That is the day CMMC Phase 2 begins. For defense contractors handling Controlled Unclassified Information (CUI), it is the day the honor system ends. This article explains exactly what changes on that date, why the math behind it should worry late starters, and how to back-plan from it.

The Four Phases of the CMMC Compliance Deadline, and Where We Are Now

The Department of Defense finalized the CMMC acquisition rule in September 2025, and it took effect on November 10, 2025. That started a four-phase rollout, with each phase beginning one year after the last:

  • Phase 1 (November 10, 2025): CMMC Level 1 and Level 2 self-assessments became conditions of award in applicable new solicitations. The DoD kept discretion to require third-party certification early on selected contracts.
  • Phase 2 (November 10, 2026): Third-party Level 2 certification by a C3PAO becomes the default requirement for applicable contracts involving CUI.
  • Phase 3 (November 10, 2027): Certification requirements extend to option exercises on existing contracts, and Level 3 assessments arrive for the most sensitive programs.
  • Phase 4 (November 10, 2028): Full implementation across applicable DoD contracts.

We are currently deep inside Phase 1. CMMC clauses are already appearing in solicitations under DFARS 252.204-7021. If that clause is in your contract or a prime's flow-down, the requirement is live for you today, phase schedule or not.

What Specifically Changes to the CMMC Compliance on November 10, 2026

During Phase 1, a contractor handling CUI could often self-assess against the 110 security requirements of NIST SP 800-171, post the score in the Supplier Performance Risk System (SPRS), and remain eligible to bid.

Phase 2 removes that option for most Level 2 contracts. From November 10, 2026, an accredited third-party assessment organization, a C3PAO, must independently verify your implementation. Assessors review documentation, interview staff, and technically validate controls. A signed self-attestation that satisfied Phase 1 will not satisfy a Phase 2 contracting officer.

Two details make this stricter than it first appears. Certification must be valid at the time of contract award, not promised for later. And the obligation flows down: primes must verify subcontractor compliance before sharing CUI, so subcontractors inherit the deadline even without a direct DoD relationship.

CMMC Compliance

The Math Problem Nobody Should Ignore

The DoD estimates that tens of thousands of organizations will need Level 2 third-party certification, with published figures topping 76,000. As of February 2026, fewer than 1,100 had completed it.

Meanwhile, the assessment supply chain is finite. There is a limited pool of authorized C3PAOs, and their calendars are filling. Readiness itself typically takes 6 to 12 months for an organization starting from a partial NIST SP 800-171 implementation. Put those numbers together and the practical deadline for starting is not November 2026. For many companies it has already passed, which makes speed the priority rather than perfection.

Cost planning belongs in this math too. The C3PAO assessment itself commonly runs in the tens of thousands of dollars for small and mid-size environments, and DoD cost projections put the total Level 2 effort, including preparation and remediation, at six figures for most organizations. The certification is then valid for three years.

Back-Planning for CMMC Compliance Deadline From November 10, 2026

Work the calendar in reverse.

Now through August 2026: gap analysis and scoping. Identify where CUI actually lives in your environment. Many companies shrink their compliance burden dramatically by scoping CUI into an enclave rather than certifying the whole network. Then assess your current state against all 110 requirements in NIST SP 800-171, which remains the technical backbone of Level 2.

August through early fall 2026: remediation and evidence. Close the gaps, and document as you go. Assessors verify three core artifacts: your System Security Plan, your SPRS score with its basis, and your Plan of Action and Milestones. Note that POA&Ms only cover a limited subset of lower-weight requirements, and they carry a 180-day closeout clock. The highest-value controls cannot be deferred.

As early as possible: book the C3PAO. Given the capacity crunch, scheduling the assessment is itself a long-lead item. Waiting until you feel ready to even start the conversation is the most common self-inflicted delay we see.

After certification: maintain. Annual affirmations of continuing compliance are part of the program. Certification is a state to maintain, not a trophy to collect. Building this into a broader plan is easier with a structured approach, and our guide to security roadmap creation covers how to sequence a program like this without stalling the business.

Common CMMC Compliance Deadline Misreadings

"Phase 4 is 2028, so we have two years." The phased rollout describes when the DoD must include requirements, not when it first can. Requirements appear contract by contract, and they are appearing now. If you want to bid in 2026 and 2027, Phase 4 is irrelevant to you.

"We are a subcontractor, so the prime handles it." Flow-down works the other way. Primes are contractually obligated to verify their subs, and many are demanding evidence well ahead of Phase 2 to protect their own eligibility.

"Our SPRS score is posted, so we are covered." A self-reported score satisfies Phase 1 requirements. Phase 2 requires independent verification of the same controls, and assessors regularly find gaps behind confident self-scores.

The authoritative source on the program's structure and timing is the DoD CIO's CMMC page, which is worth checking directly rather than relying on secondhand summaries. CMMC also is not arriving in isolation; it is part of a wider tightening we covered in our early look at cybersecurity regulations coming in 2026.

Hourglass to signify the CMMC compliance deadline

The CMMC Compliance Deadline Is Fixed. Your Timeline Is Not.

November 10, 2026 will arrive on schedule. What remains adjustable is how much of the intervening time your organization spends making progress versus deciding to.

Cycore works with defense contractors and their suppliers at every stage of this countdown. Our CMMC compliance service combines gap assessment, remediation execution, and assessment preparation, so the C3PAO visit confirms your readiness instead of discovering your gaps.

Contracts will be won and lost on this date. Decide today which side of it you are on.

Weekly tips and insights on building trust.
Join leaders in building a secure, trusted brand—receive expert guidance to outpace competitors and win customers.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By signing up, you agree to our Terms and Conditions.
Are you ready to get started?
Schedule a call to see how we can help you build trust
talk to an expert