The companion episode of Status: Secure — Episode 018, The CMMC Briefing Part 2 — delivered the strategic briefing on what changes when Phase 2 of the Cybersecurity Maturity Model Certification takes effect on November 10, 2026. The Department of Defense ends the self-attestation era for most Level 2 contractors. Contracts involving Controlled Unclassified Information will require active C3PAO certification or a credible engagement letter and remediation timeline. The supply-and-demand math is brutal: 80,000 contractors in the Defense Industrial Base need certification, fewer than 800 Certified CMMC Assessors exist, and C3PAOs in the major defense corridors are already booking into Q1 2027.
This Sitrep is the complete operational guide to Phase 2. Not the news-cycle summary. The contractor’s playbook — what changes contractually, what you must build, who you must engage, what you must close before the assessor walks in, and the 30/60/90-day sprint that every DoD contractor must execute starting now.
Five and a half months remain. The runway is shorter than it appears.
What Phase 2 Actually Changes on November 10, 2026
Phase 1 of the CMMC Final Rule began on November 10, 2025. Under Phase 1, the Department of Defense had discretion to include Level 2 certification requirements on select contracts, but the majority of Level 2 contractors were permitted to operate under self-assessment with annual affirmation submitted to the Supplier Performance Risk System.
Phase 2 ends that discretion. Beginning November 10, 2026, contracting officers across the DoD will include mandatory Level 2 C3PAO certification requirements on new solicitations involving CUI. The contractual changes are categorical, not gradual.
New solicitations.
Bid responses on Phase 2 contracts will require the contractor to provide current CMMC certification status. A contractor without certification — and without a credible C3PAO engagement letter and remediation timeline — produces a non-responsive bid. The contracting officer is required to disqualify the response. There is no negotiated workaround at the solicitation level.
Existing contracts at option exercise.
Contracts that contain CMMC-relevant clauses will be reviewed at the option exercise. If the underlying work involves CUI and the contractor cannot demonstrate certification or active engagement, the contracting officer is not required to exercise the option. Contracts that the contractor previously assumed would renew may not renew.
Prime contractor enforcement intensifies.
The major primes — Lockheed Martin, Boeing, Northrop Grumman, Raytheon, General Dynamics — are not waiting for the November deadline to begin filtering supplier lists on CMMC posture. They are already requiring compliance documentation as a condition of new work and supplier agreement renewals. Phase 2 simply removes their remaining patience. Suppliers without C3PAO engagement by Q3 2026 are being deprioritized in supplier rationalizations happening now.
SPRS scores become consequential.
The Supplier Performance Risk System score functions as a public-facing posture indicator. Primes use it as a first-pass filter on supplier evaluations. A low SPRS score combined with no C3PAO engagement signals to the prime that the supplier is at risk of becoming non-responsive — and primes route work away preemptively rather than discover the gap at award.
The senior official affirmation becomes a legal artifact.
Under Phase 2, the affirmation a named senior official signs each year sits on top of a C3PAO-verified certification. It is no longer a self-attested statement of self-assessed posture. It is an attestation that the contractor continues to operate the controls the C3PAO already verified. Drift since certification must be remediated. The Department of Justice’s Civil Cyber-Fraud Initiative has been explicit that false or inaccurate affirmations to the government — particularly those tied to certification programs — are direct triggers for False Claims Act enforcement. The whistleblower share is 15 to 30 percent of any settlement. The senior official’s name on the affirmation is the legal anchor for the personal exposure.
These five operational changes constitute the entirety of Phase 2. The mechanics are not complex. The consequences are.
Who Is Affected — And Why “We Just Sub to a Prime” Is Not Safe
The Department of Defense estimates that approximately 65 percent of the Defense Industrial Base is affected by Phase 1, and approximately 80,000 contractors will need Level 2 certification before Phase 2 takes effect. The DoD’s own modeling assumes a meaningful number of contractors will exit the bidding process rather than complete certification.
The common misconception — particularly among small and mid-sized contractors — is that subcontracting to a prime insulates the contractor from CMMC requirements. It does not.
DFARS 252.204-7021, enforceable since November 10, 2025, requires prime contractors to flow CMMC requirements down to subcontractors that handle CUI in the course of contract performance. If the prime needs Level 2, the sub touching CUI needs Level 2 — as a condition of receiving work, not at some future date. The flowdown is the prime’s contractual obligation to the DoD, and the prime has no discretion to waive it.
Small subs sometimes attempt to escape the flowdown by representing to the prime that they do not touch CUI. The prime — facing flowdown enforcement and increasingly mature supplier audit programs — will not take that representation at face value. It will require attestation, often with C3PAO verification of the scope determination. The “we don’t touch CUI” exemption is harder to maintain than most subs assume, and the burden of proof has shifted to the sub.
The strategic implication runs in both directions. For a sub, early certification creates leverage. There will be high demand for certified suppliers as primes scramble to fill compliance gaps in their supply chains. Certified subs can command premium pricing through the transition window. For a prime, identifying which subs are on track to certification is now a procurement decision that affects program delivery. A prime with an uncertified critical-path supplier is a prime with a delivery risk on its hands.
The contractors who recognize this dynamic and act on it first capture the deal flow advantage. The contractors who wait will compete for the same primes from a weaker position.
The Pivot Math — When Walking Away From DoD Work Is and Is Not a Strategy
Some contractors will reach the conclusion that CMMC certification does not justify the investment. For a narrow band of contractors, that conclusion is correct. For most, it is a contraction disguised as a pivot.
If the defense revenue is a single-digit percentage of total revenue and the gross margin on defense work does not justify the certification investment, walking away is rational. The contractor recovers the certification cost, eliminates the ongoing maintenance burden, and reallocates capacity to commercial work.
For contractors with material defense exposure — twenty percent or more of revenue from defense work, direct or through primes — the math reverses. The certification path is six to twelve months. The replacement of equivalent commercial revenue takes 18 to 36 months. Choosing not to certify is choosing to liquidate the defense practice and accept the revenue hole until commercial work backfills it.
The decision is fundamentally a revenue-mix question. The contractor must run the math honestly: percentage of revenue from defense work, gross margin on that revenue, capital cost of certification, and realistic timeline to backfill if certification is declined. Most contractors who run that math discover that the certification investment is meaningfully cheaper than the contraction it would prevent.
The 30/60/90 Sprint — Your Operational Playbook to November
Five and a half months between now and Phase 2 enforcement is not as much runway as it appears. The C3PAO calendar is the binding constraint, and the calendar is already congested. The 30/60/90 sprint below is the structured execution path that gets a contractor from current state to certification-ready before the assessor walks in.
Days 1–30: Book the C3PAO Engagement
The first thirty days is dedicated to one objective above all others: securing an executed engagement letter with an authorized Certified Third-Party Assessor Organization.
The contractor’s reflex is to finish the readiness work first and then look for an assessor. That sequence does not work in the current environment. The C3PAO calendar is the gate, and the gate is closing. Book the assessor before the readiness work is complete. Use the engagement letter as the forcing function that disciplines the rest of the sprint.
Authorized C3PAOs are listed on the Cyber AB marketplace at cyberab.org. Only an authorized C3PAO can issue Level 2 certification — RPOs (Registered Provider Organizations) and unaffiliated consulting firms cannot, regardless of marketing claims. Identify three to five candidate C3PAOs based on industry specialization, geographic capacity, and engagement availability.
Vet each candidate on five criteria: industry fit with the contractor’s operational environment, named lead assessor’s experience with Level 2 engagements at similar contractors, engagement cadence and reporting structure, conflict-of-interest posture if the firm also offers readiness services, and pricing transparency with a fixed or capped fee structure in writing.
Negotiate the engagement letter against an eight-component checklist: scope of assessment, assessment standard and methodology, named lead assessor and team, timeline and milestone schedule, fee structure and payment terms, conflict-of-interest representations, confidentiality and data handling protocols, and conditional certification framework with the 180-day remediation window mechanics defined explicitly.
Sign the engagement letter by Day 30. That signature is the artifact that preserves the contractor’s standing with primes during the wait — primes increasingly accept a credible engagement letter and remediation timeline as evidence of active progress, even if the formal certification is months away.
Days 31–60: Run the Readiness Gap Assessment
The second thirty days runs the structured gap assessment against all 110 NIST SP 800-171 Rev. 2 controls and the 320 assessment objectives the C3PAO will evaluate.
The gap assessment can be run internally, by a contracted RPO, or by an independent cybersecurity advisor. The choice depends on internal capacity and the contractor’s appetite for objectivity. A self-run gap assessment is the cheapest path but carries the risk that internal teams will rationalize gaps as already-addressed when they are not. The CISO referenced this on the episode — sitting in meetings where teams argue that a gap is not a gap, because they do not want to admit the baby is ugly. The baby will outgrow it with help, but only if the gap is honestly named first.
The gap assessment produces a written report identifying every gap, the remediation cost, the remediation timeline, and the named owner of each remediation item. This report becomes the input to Days 61–90 and the underlying data that drives both the Plan of Action and Milestones (POA&M) and the conditional certification negotiation, if one is needed.
Expect 15 to 25 percent of controls to fail the assessment on first pass for contractors who have not previously undergone formal Level 2 evaluation. That failure rate is not a problem — it is the data the contractor needs to remediate before the assessor walks in.
Days 61–90: Execute the Gap Closure Sprint
The third thirty days is the remediation sprint. The contractor sequences gap closure by impact and complexity.
High-impact, low-complexity gaps go first. These are typically configuration changes, policy updates, documentation gaps, and access-control adjustments that can be closed within hours or days. Closing them early reduces the assessor’s findings count meaningfully and demonstrates active remediation discipline.
High-impact, high-complexity gaps benefit from the full window. These are typically logging architecture rebuilds, access-control redesigns, incident response program maturation, and SIEM tuning work that requires sustained engineering effort. Some of these gaps may not close fully within the sprint window — and that is acceptable. The objective is to demonstrate sufficient progress that the C3PAO can issue Conditional Level 2 certification with a documented POA&M and a 180-day window, rather than a finding that requires re-engagement.
Low-impact gaps are addressed in the POA&M for closure after certification. The contractor does not need to close every gap before the assessor arrives — but the contractor must demonstrate that every gap has been identified, costed, named to an owner, and timelined for remediation.
By Day 90, the contractor walks into the C3PAO engagement with three things in hand: a signed engagement letter that locked in the assessor’s calendar, a documented readiness gap assessment that defines the current state, and a documented remediation plan that addresses every identified gap. The assessment becomes a verification exercise. The findings narrative is one the contractor controls.
The Three Marching Orders the CISO Reinforced on Both Episodes
Across both Part 1 and Part 2 of this series, three foundational actions came up repeatedly as the operational floor every contractor must establish — regardless of where they are in the readiness journey.
Determine your required level.
Pull every active DoD contract, every active subcontract under a DoD prime, and every contract pipeline opportunity for the next 24 months. For each, determine whether the work involves Federal Contract Information only or Controlled Unclassified Information. If any contract or pipeline opportunity involves CUI, the organization needs Level 2. Document the determination in writing. The default working assumption for any DoD-adjacent contractor should be Level 2 unless explicitly proven otherwise.
Pull your current SPRS score.
Every DoD contractor is required to maintain a current Basic Assessment score in the Supplier Performance Risk System. The score is visible to primes. The senior official should know the score off the top of their head — if they do not, that knowledge gap is the first finding any prime contractor reviewing the supplier file will identify.
Identify where CUI lives in your environment.
The System Security Plan, the file shares, the email systems, the endpoints, the cloud environments, the SaaS tools, the developer laptops, the archived test environments. If the contractor cannot draw the boundary around CUI on a whiteboard in five minutes, the assessment will fail before the assessor finishes their first day. The boundary exercise is the foundation of every other workstream in the sprint.
Execute the Standard
The November 10, 2026 deadline is fixed. The C3PAO assessor capacity is not increasing fast enough to absorb the demand. The contractors who are ready will continue winning defense contracts. The contractors who are not will be quietly removed from prime supplier lists, will fail bid evaluations, and will lose option exercises on contracts they currently hold.
Five and a half months. The clock is running. The runway is shorter than it appears.
If your team needs an outside perspective on Phase 2 readiness — a defensible diligence framework, a structured gap assessment against the 110 NIST 800-171 controls, a C3PAO selection and engagement letter review, or a 90-day sprint plan calibrated to your specific contract pipeline — that is the work we do. Verify your CMMC posture at watchur6.com/secure, or establish a secure line at watchur6.com/contact. Trust but verify your own posture. Book the C3PAO. Run the sprint. Execute the standard.