WATCHUR6 // CMMC // ROLLOUT INTEL

CMMC Compliance for DoD Contractors.
Phase 2 begins November 10, 2026.

The DoD's four-phase CMMC 2.0 rollout began November 10, 2025. On November 10, 2026, third-party C3PAO certification becomes mandatory for most contracts handling Controlled Unclassified Information.

~80,000 contractors need Level 2. ~80 authorized C3PAOs serve them. Wait times are projected to exceed 18 months as Phase 2 approaches.

Contractors who wait for the clause to appear in their RFP will find the queue closed when they need to be in it.

Book a CMMC Strategy Call
SDVOSB CERTIFIED · CMAS #3-25-06-1018 · CAGE 9CQZ9 · VETERAN-LED

// THE WAIT-AND-SEE TRAP

Wait until DoD knocks.
The queue locks before they do.

The contractors who treat CMMC as a 2028 problem are misreading the calendar. The DoD's phased rollout is a regulator-side schedule, not a contractor-side deadline. Your real deadline is whenever the next contract you want to win drops with a CMMC clause attached — and after November 10, 2026, that clause requires a C3PAO certification you cannot get on short notice.

The arithmetic is unforgiving. ~80,000 contractors need Level 2 certification. ~80 authorized C3PAOs serve them. Only ~600 Certified CMMC Assessors exist when 2,000 to 3,000 will be needed.

As Phase 2 approaches, wait times for new C3PAO clients will exceed 18 months. A contractor who starts the readiness work the day Phase 2 begins won't be certified until Phase 4 — when CMMC is universally mandatory and the bidding window has already closed.

The contractors who survive this are already in the queue. The contractors who wait for the contract clause to drop will discover that the contract clause is no longer the urgent thing — the C3PAO calendar is.

// THE THREE CMMC CERTIFICATION LEVELS

The Level Ladder. Find your tier.

CMMC 2.0 collapses what used to be five levels into three, each tied to the sensitivity of the information you handle, the contract type, and how the certification is assessed. The level you need is determined by the contract — not by what you'd prefer to spend.

// FCI = Federal Contract Information  ·  CUI = Controlled Unclassified Information  ·  C3PAO = Certified Third-Party Assessment Organization  ·  DIBCAC = Defense Industrial Base Cybersecurity Assessment Center

// THE DOD ROLLOUT CALENDAR

Five years, four phases. The next deadline is closer than it looks.

The DoD published the 48 CFR CMMC Acquisition Rule on September 10, 2025; it became effective sixty days later, triggering a four-phase rollout that concludes with full implementation across all applicable DoD contracts.

DEC 16 2024 · 32 CFR EFFECTIVE
CMMC Program Rule takes effect. Framework codified.

NOV 10 2025 · PHASE 1
Self-assessments active in new DoD solicitations. C3PAO assessments optional.

NOV 10 2026 · PHASE 2
C3PAO Level 2 certification mandatory for most CUI contracts.

NOV 10 2027 · PHASE 3
Level 3 DIBCAC government-led assessments enforced.

NOV 10 2028 · PHASE 4
Full implementation. CMMC required on all applicable DoD contracts and option periods.

// THE CMMC ENGAGEMENT MODEL

Six services. Three phases. One outcome.

CMMC isn't a one-shot audit — it's a program with a beginning, middle, and end. Engagements are structured around the lifecycle: get ready, get certified, stay certified. Each phase produces the artifacts the next phase needs.

// PHASE 01

Readiness

BEFORE THE CONTRACT CLAUSE HITS

// 01 // SCOPING

CMMC Scoping & Boundary Definition

The single most common mistake in CMMC engagements: over-scoping. We define your CUI/FCI boundary precisely — which systems, which networks, which contracts, which employees. A correctly scoped boundary is the difference between a 12-month engagement and a 24-month one, between a $200K project and a $1M one.

// INCLUDES

CUI INVENTORY · FCI MAPPING · DATA FLOW DIAGRAMS · BOUNDARY DOCS · ENCLAVE DESIGN

// 02 // GAP ASSESSMENT

NIST SP 800-171 Gap Assessment

Full 110-practice assessment against NIST SP 800-171 Revision 2, scored using the DoD assessment methodology that the C3PAO will apply. Output: a current-state SPRS score you can defend, a remediation roadmap sequenced by risk and 1-point requirements, and a timeline that lines up with the C3PAO calendar.

// INCLUDES

110 PRACTICES · SPRS VALIDATION · REMEDIATION ROADMAP · 14 CONTROL FAMILIES · 1-POINT PRIORITIES

// PHASE 02

Certification

DURING THE C3PAO ENGAGEMENT

// 03 // DOCUMENTATION

SSP & POAM Build-Out

The System Security Plan, Plan of Action & Milestones, and evidence repository the C3PAO will spend half the assessment reviewing. Operator-built artifacts, not consultant templates — every control description tied to operating evidence, every POA&M item scoped to the 180-day closeout window, every 1-point requirement marked as ineligible for deferral.

// INCLUDES

SSP · POA&M · EVIDENCE REPO · POLICY LIBRARY · CONTROL MAPPINGS

// 04 // ASSESSMENT

C3PAO Engagement & Audit Representation

C3PAO selection guidance, slot reservation, pre-assessment readiness review, and operator-led representation during the assessment itself. The assessor is doing their job; our job is to make sure your documentation tells the same story your operating environment does, and that any clarification questions are answered with the precision the audit record requires.

// INCLUDES

C3PAO SELECTION · SLOT RESERVATION · MOCK ASSESSMENT · AUDIT REPRESENTATION · FINDING RESPONSE

// PHASE 03

Sustainment

AFTER CERTIFICATION

// 05 // SUSTAINMENT

Continuous Monitoring & SPRS Maintenance

Certification is a three-year window, not a finish line. We run the cadence that keeps you certified: quarterly control validation, drift detection, change-management gate-keeping, annual senior official affirmations, and SPRS score maintenance. When the recertification window opens, the binder is already ready.

// INCLUDES

QUARTERLY VALIDATION · DRIFT DETECTION · SPRS UPLOAD · ANNUAL AFFIRMATION · RECERT PREP

// 06 // SUPPLY CHAIN

Subcontractor Flowdown Management

Your prime contract requires you to verify your subs. We track which of your suppliers handle CUI, which CMMC level applies to each, which are certified, and which need to be removed from the CUI scope before the next assessment. Includes flowdown clause language, supplier risk tracking, and quarterly status reporting.

// INCLUDES

SUPPLIER INVENTORY · FLOWDOWN CLAUSES · CMMC TRACKING · CUI SCOPE MGMT · QUARTERLY REPORTING

// THE NUMBERS

CMMC by the numbers.

NOV 10 2026 · Phase 2 Deadline
C3PAO Level 2 certification becomes mandatory for most contracts handling Controlled Unclassified Information. The first hard deadline most DIB contractors will encounter.

18 MO · C3PAO Queue Wait
Projected wait time for new C3PAO clients as Phase 2 approaches. ~80,000 contractors need Level 2; ~80 authorized C3PAOs serve them. The ratio is roughly 1,000-to-1.

100% · Audit-Ready
Every WatchUr6 engagement that reached its audit window arrived audit-ready on the first engagement. The framework changes; the methodology is consistent — operator-led, evidence-backed, pre-rehearsed.

// THE OPERATOR TEAM

Fortune 500 senior CISO leads CMMC program strategy and board-level reporting. CMMC-credentialed cloud architect engineers the technical foundation across AWS GovCloud, Azure Government, and on-prem CUI enclaves.

Army Special Forces communications sergeant (Green Beret, 18B/18C) leads tabletop facilitation. Naval Special Warfare veteran runs continuity operations and post-assessment after-actions.

SDVOSB · DVBE · SBE · CMAS #3-25-06-1018 · CAGE 9CQZ9 · SAM-registered · veteran-led.

// FREQUENTLY ASKED

The CMMC questions DoD contractors keep asking.

We don't have a DoD contract yet but we might bid in the next 12-24 months. Does CMMC apply to us?

If you intend to bid on a DoD contract that involves handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), CMMC will apply at the moment the solicitation drops. Phase 1 enforcement began November 10, 2025; Phase 2 begins November 10, 2026, when C3PAO third-party certification becomes mandatory for most Level 2 contracts.

The DoD will not award contracts to offerors who fail to demonstrate the required CMMC status at the time of award. Standard CMMC Level 2 readiness takes 12 to 18 months from a cold start.

If you are bidding on contracts with award dates in the Phase 2 window or later, the readiness work needs to begin now. There is no formal grace period, and C3PAO assessment wait times are projected to exceed 18 months for new clients as Phase 2 approaches.

We're a subcontractor and the prime hasn't asked about CMMC yet. Do we need to act?

Yes. CMMC requirements flow down through the entire supply chain — if a prime contract requires CMMC Level 2, every subcontractor handling CUI on that contract must also be certified at the appropriate level (Level 2 for CUI).

Many primes (Lockheed Martin, RTX, Northrop Grumman, Boeing) have already begun pre-positioning their supply base ahead of formal contract clause requirements, requiring CMMC readiness as a condition of continued purchase order relationships.

Waiting for the prime to ask is waiting too late — by the time the request arrives, the prime expects you to already be in the C3PAO queue.

What's the practical difference between Level 1 self-assessment and Level 2 C3PAO certification?

Level 1 covers 17 basic security practices derived from FAR 52.204-21 and applies to contractors handling only Federal Contract Information (FCI). It is assessed annually by the contractor itself, with results uploaded to the Supplier Performance Risk System (SPRS) and a senior official's affirmation.

Level 2 covers all 110 practices in NIST SP 800-171 Revision 2 and applies to contractors handling Controlled Unclassified Information (CUI). Beginning November 10, 2026, most Level 2 contracts require certification by a Certified Third-Party Assessment Organization (C3PAO) every three years.

The practical gap is substantial: Level 2 requires a documented System Security Plan, Plan of Action & Milestones, evidence repository, and external auditor coordination — work that typically takes 12 to 18 months to complete properly.

Can we use Plans of Action & Milestones (POA&Ms) to defer controls and still get certified?

Partially. CMMC Level 2 allows conditional certification if the organization scores at least 80% (88 of 110 practices met) at the time of C3PAO assessment, with the remaining practices documented in a POA&M and closed within 180 days.

If POA&M items are not closed within 180 days, conditional status expires and the organization becomes ineligible for contracts requiring Level 2.

Critically, certain high-priority practices — those classified as basic safeguarding requirements under FAR 52.204-21 or DFARS 252.204-7012, and explicitly listed in 32 CFR 170.21(a)(2)(iii) — cannot be deferred via POA&M. These must be fully implemented before the C3PAO assessment. Treating the POA&M as a planning shortcut rather than a true remediation queue is the most underappreciated Phase 2 risk.
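The three conditions in the answer above (at least 88 of 110 practices met, only deferrable items left open, none of the non-deferrable basic-safeguarding practices open) can be checked mechanically before a C3PAO ever looks at the POA&M. What follows is an added example, not code from WatchUr6 or from this page. It scores a constructed set of assessment results the way the DoD assessment methodology does (start at 110, subtract each open requirement's 1-, 3- or 5-point weight, with 3-point partial credit for 3.5.3 and 3.13.11) and then applies the conditional-certification rules. The weights in `SAMPLE_WEIGHTS` are illustrative for a handful of practices only, not the full DoD table; the five non-deferrable identifiers in `NEVER_DEFER` and the 3.13.11 non-FIPS-encryption exception are taken from 32 CFR 170.21(a)(2), not from this page; the two scenarios are constructed.

```python
from datetime import date, timedelta

MAX_SCORE = 110                 # 110 practices in NIST SP 800-171 Rev 2
CONDITIONAL_MIN_MET = 88        # 80% of 110 practices must be MET at assessment
POAM_CLOSEOUT_DAYS = 180        # conditional status lapses if POA&M items stay open

# Constructed sample: illustrative 1/3/5-point weights for a handful of practices.
# The real weight of every requirement comes from the DoD Assessment Methodology table.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.4.3": 1, "3.5.3": 5, "3.7.1": 3, "3.10.3": 1, "3.10.4": 1,
    "3.10.5": 1, "3.13.11": 5, "3.14.2": 5,
}

# Partial credit in the DoD methodology: MFA on only some accounts (3.5.3) and
# encryption in use but not FIPS-validated (3.13.11) each cost 3 points, not 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# FAR 52.204-21 basic-safeguarding practices that 32 CFR 170.21(a)(2)(iii) keeps
# off any POA&M. Identifiers taken from the regulation, not from this page.
NEVER_DEFER = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def sprs_score(results, weights=SAMPLE_WEIGHTS):
    """DoD-methodology score: start at 110, subtract each gap's weight.

    results maps requirement id -> "MET" | "NOT MET" | "PARTIAL"; any practice
    not listed is treated as MET, so callers pass only their gaps.
    """
    score = MAX_SCORE
    for req, status in results.items():
        if status == "NOT MET":
            score -= weights[req]
        elif status == "PARTIAL":
            score -= PARTIAL_DEDUCTION[req]   # only 3.5.3 and 3.13.11 have partial credit
        elif status != "MET":
            raise ValueError(f"unknown status {status!r} for {req}")
    return score


def conditional_level2(results, weights=SAMPLE_WEIGHTS):
    """Return (eligible, blockers) for a conditional Level 2 certification.

    Conditions: at least 88 practices MET, every open item worth 1 point
    (3.13.11 at 3 points allowed when non-FIPS encryption is in place), and
    none of the five FAR basic-safeguarding practices open.
    """
    gaps = [req for req, status in results.items() if status != "MET"]
    met = MAX_SCORE - len(gaps)          # PARTIAL still counts as NOT MET
    blockers = []
    if met < CONDITIONAL_MIN_MET:
        blockers.append(f"only {met}/110 practices met; {CONDITIONAL_MIN_MET} required")
    for req in gaps:
        if req in NEVER_DEFER:
            blockers.append(f"{req} is a FAR basic-safeguarding practice; it cannot go on a POA&M")
        elif req == "3.13.11" and results[req] == "PARTIAL":
            continue                      # the one multi-point item a POA&M may carry
        elif weights[req] > 1:
            blockers.append(f"{req} is worth {weights[req]} points; only 1-point gaps may be deferred")
    return (not blockers, blockers)


def poam_closeout_deadline(conditional_cert_date):
    """Last day to close every POA&M item: 180 days after conditional certification (ISO dates)."""
    start = date.fromisoformat(conditional_cert_date)
    return (start + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


# Constructed scenarios, not real assessment results.
SCENARIO_DEFERRABLE = {"3.1.3": "NOT MET", "3.4.3": "NOT MET", "3.13.11": "PARTIAL"}
SCENARIO_BLOCKED = {"3.1.3": "NOT MET", "3.1.20": "NOT MET", "3.5.3": "PARTIAL", "3.3.1": "NOT MET"}

if __name__ == "__main__":
    for name, results in [("deferrable", SCENARIO_DEFERRABLE), ("blocked", SCENARIO_BLOCKED)]:
        eligible, blockers = conditional_level2(results)
        print(f"{name}: score {sprs_score(results)}/110, conditional eligible: {eligible}")
        for blocker in blockers:
            print("  -", blocker)
    print("POA&M closeout if conditionally certified on 2026-11-10:",
          poam_closeout_deadline("2026-11-10"))
```

The point of the two scenarios is that a high SPRS score is not the same thing as eligibility: both sit above 88 met, but the second one is blocked three times over, by a FAR basic-safeguarding gap, by a partial MFA implementation that carries 5 points, and by an open 5-point audit-logging requirement. Run against a real gap assessment, the blockers list is the set of items that must be fully remediated before the C3PAO slot, while everything else can legitimately ride the 180-day POA&M window.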

How long does CMMC Level 2 readiness take, and when should we start?

For organizations already aligned with NIST SP 800-171 — documented SSP, current SPRS score, most of the 110 practices implemented — readiness runs 6 to 9 months.

For organizations starting from scratch with no documented controls, expect 12 to 18 months minimum.

Given that C3PAO wait times are projected to exceed 18 months as Phase 2 approaches, contractors planning to bid in the Phase 2 window need to start the readiness work now and reserve a C3PAO slot before queue lockout. The cleanest budget cycle alignment is to fund gap assessment and scoping work in the current fiscal quarter, then run remediation through the next two quarters before scheduling the C3PAO.

We already comply with NIST SP 800-171 under DFARS 252.204-7012. Why do we need CMMC?

DFARS 252.204-7012 has required NIST SP 800-171 implementation since 2017 — but as a self-reported affirmation, not an externally verified one.

CMMC adds the verification layer: a Certified Third-Party Assessment Organization (C3PAO) must independently confirm that the controls you claim to have implemented are actually in place and operating as documented.

In practice, the gap between self-reported SPRS scores and C3PAO-verified scores is substantial. Many contractors discover during their first C3PAO engagement that the operational evidence does not support the score they have been submitting. CMMC closes that gap and creates external assurance the DoD can rely on for contract award decisions.

// THE NEXT MOVE

Phase 2 won't wait. Don't be in the queue when it locks.

Book a 30-minute CMMC strategy call with a WatchUr6 advisor. Bring your current SPRS score, your upcoming contract pipeline, and the CMMC level you think you need. You'll walk away with a tactical read on your real timeline, the gap between your self-attest and what a C3PAO will find, and whether your bid window is still defensible — whether you hire us or not.

Book a CMMC Strategy Call