CMMC Phase 2 Is Eight Months Away. Most Contractors Aren't Ready
What assessors are actually seeing on the ground — and what you need to do before November.
On November 10, 2026, Phase 2 of the CMMC rollout begins: Level 2 certification by a third-party assessor becomes a condition of award for applicable DoD solicitations and contracts involving Controlled Unclassified Information (CUI).
Eight months from now. That’s the timeline.
And based on what I’m seeing from the assessor side, the majority of the defense industrial base is not prepared.
This isn’t a scare piece. I’m not selling you assessment services. I’m a CCA candidate and I work with C3PAOs — and I’m telling you what the ground truth looks like right now.
Where things actually stand
Phase 1 has been in effect since November 10, 2025. Level 1 and Level 2 self-assessments are now required in applicable new solicitations and contracts. Your self-assessment results need to be posted in SPRS, backed by an annual executive affirmation signed by a senior official.
That much is happening. What’s not happening is meaningful preparation for Phase 2, when the self-assessment won’t be enough — you’ll need an independent assessment from an authorized C3PAO.
Here’s the reality: there is a limited number of authorized C3PAOs, and each has finite assessor capacity. The pool of organizations that need Level 2 certification is estimated at roughly 80,000. And most of them delayed action through 2024 and 2025 while waiting for the final rule.
That delay is about to become a crisis. Assessment scheduling is no longer a last step. It’s a business-critical decision. If you wait until Q3 to contact a C3PAO, you may not get on the calendar before your contract requires certification.
What assessors are actually finding
After more than a year of active assessments, the picture is mixed. Organizations that started early are arriving better prepared, with tighter scoping and documentation that matches their environment. Standardized assessor training under the Cyber AB and higher assessment throughput have made the process more consistent and predictable.
But the gaps for newcomers are significant. Common issues I’m seeing and hearing about:
Scoping failures. Organizations don’t accurately identify which systems process, store, or transmit CUI. This is the foundation — if your scope is wrong, your entire SSP is wrong, and your assessment will reflect that. Scoping follows the data, not the org chart.
SSP documentation that exists but doesn’t reflect reality. Having an SSP on the shelf is not the same as having an SSP that describes what your environment actually looks like. Assessors verify implementation, not documentation. If your SSP says you have a SIEM and you don’t, that’s a finding.
POA&M misunderstandings. Level 1 doesn’t allow POA&Ms at all: every practice is MET or the assessment fails. Level 2 allows a conditional certification with open POA&M items only in limited cases (you need a minimum score of 88 of 110, and only low-weighted requirements can stay open, with narrow exceptions), and you must close those items within 180 days through a POA&M closeout assessment or the conditional status lapses. Organizations treating POA&Ms as indefinite waivers are in for a rude awakening.
CAGE code complications. CMMC certifications tie to specific CAGE codes in eMASS. If your organization has been through acquisitions, mergers, or restructuring, the CAGE code alignment can create complications that take months to resolve. Start now.
The False Claims Act is real. DOJ’s Civil Cyber-Fraud Initiative is ramping up enforcement. Earlier this year, settlements were announced with a major defense contractor and with a small business over false cybersecurity compliance representations, and those cases arose under the DFARS 252.204-7012 / NIST SP 800-171 self-attestation regime that preceded CMMC. Now that CMMC is contract-integrated, every self-assessment score and executive affirmation is a representation to the government. If you sign an executive affirmation that doesn’t reflect your actual security posture, you have potential False Claims Act exposure.
What you should do in the next 90 days
If you handle CUI and you haven’t started preparing for a Level 2 assessment, here’s your priority list:
Confirm your CMMC level. Read your contracts; the solicitation states the required level. If CUI is in scope, you need Level 2 (a small set of programs will require Level 3). If only Federal Contract Information (FCI), Level 1. Don’t assume; verify.
Scope your environment accurately. Identify every system, network segment, and user that touches CUI. Document your CUI data flows. This determines your assessment boundary.
Get your SSP current. Your System Security Plan should reflect your actual environment as of today, not what you planned to build or what it looked like two years ago. Map each of the 110 NIST SP 800-171 Rev. 2 requirements to how it is actually implemented, where, and by whom, so an assessor can walk from the SSP to the evidence.
Contact a C3PAO now. Not next quarter. Now. Assessment capacity is the bottleneck. Even if you’re not ready for the assessment itself, getting on a C3PAO’s calendar locks your timeline.
Brief your executives on False Claims Act risk. The person signing your executive affirmation needs to understand what they’re attesting to. This is not a routine compliance checkbox — it’s a legal representation to the federal government.
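One way to make the scoping step concrete, and the point made earlier that scope follows the data rather than the org chart: walk the CUI data flows from the points where CUI enters and mark everything reachable as in scope, then flag any flow that leads to a system missing from your inventory. The script below is an added example, not code from the original article or from any CMMC body. The asset inventory, org units, flow list and the "siem protects" relation are all constructed for illustration, and the three labels it emits ("CUI Asset", "Security Protection Asset", "Out of Scope") are a deliberate simplification of the CMMC Level 2 scoping categories, which also include Contractor Risk Managed Assets and Specialized Assets; treat the labels as an assumption about how you would bucket the result, not as an official determination.

```python
"""Data-flow-driven scoping for a CMMC Level 2 assessment boundary.

Added example, not code from the original article or from any CMMC body.
Inventory, flows and names are constructed; the labels "CUI Asset",
"Security Protection Asset" and "Out of Scope" are a simplifying assumption.
"""
from collections import deque

# Constructed inventory: asset -> org unit and whether CUI enters there directly
# (for example, an engineer downloads CUI drawings from a DoD portal onto it).
ASSETS = {
    "eng-ws-01":        {"unit": "Engineering", "cui_origin": True},
    "eng-fileshare":    {"unit": "Engineering", "cui_origin": False},
    "eng-build-farm":   {"unit": "Engineering", "cui_origin": False},  # same unit, no CUI flow
    "erp-server":       {"unit": "Finance",     "cui_origin": False},
    "marketing-web":    {"unit": "Marketing",   "cui_origin": False},
    "backup-appliance": {"unit": "IT",          "cui_origin": False},
    "siem":             {"unit": "IT",          "cui_origin": False},
}

# Constructed CUI flows (source, destination). Only flows that carry CUI belong here.
CUI_FLOWS = [
    ("eng-ws-01", "eng-fileshare"),
    ("eng-fileshare", "erp-server"),       # CUI-marked part data pushed into the ERP
    ("eng-fileshare", "backup-appliance"),
    ("erp-server", "cloud-erp-saas"),      # destination missing from inventory: a gap
]

# Constructed: security tooling -> assets it protects. Assumption: tracked apart
# from data flows because a SIEM receives logs about CUI systems, not the CUI itself.
PROTECTS = {"siem": {"eng-ws-01", "eng-fileshare", "erp-server"}}


def cui_reachable(assets, flows):
    """Every node reachable from a CUI origin by following CUI flows (transitive closure)."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, set()).add(dst)
    reached = {name for name, attrs in assets.items() if attrs["cui_origin"]}
    queue = deque(reached)
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def scope(assets, flows, protects):
    """Label each inventoried asset by what the CUI flows say, not by org unit."""
    reached = cui_reachable(assets, flows)
    verdict = {}
    for name in assets:
        if name in reached:
            verdict[name] = "CUI Asset"
        elif protects.get(name, set()) & reached:
            verdict[name] = "Security Protection Asset"
        else:
            verdict[name] = "Out of Scope"
    return verdict


def uninventoried_endpoints(assets, flows):
    """Flow endpoints absent from the inventory. CUI leaving to an unlisted system
    is a scoping gap: inventory it (or its provider) before writing the SSP, or cut the flow."""
    return sorted({node for flow in flows for node in flow if node not in assets})


def scope_by_unit(assets, verdict):
    """Group verdicts by org unit to show that a unit is not a boundary."""
    grouped = {}
    for name, attrs in assets.items():
        grouped.setdefault(attrs["unit"], {})[name] = verdict[name]
    return grouped


if __name__ == "__main__":
    verdict = scope(ASSETS, CUI_FLOWS, PROTECTS)
    for unit, members in sorted(scope_by_unit(ASSETS, verdict).items()):
        print(unit)
        for name, label in sorted(members.items()):
            print(f"  {name:18} {label}")
    gaps = uninventoried_endpoints(ASSETS, CUI_FLOWS)
    if gaps:
        print("Receiving CUI but not in inventory:", ", ".join(gaps))
```

Running it against the constructed data puts the Finance ERP server and the IT backup appliance inside the boundary while leaving the Engineering build farm out, which is exactly the outcome an org-chart-based scope gets wrong in both directions. The unlisted "cloud-erp-saas" endpoint is the case that most often surfaces only during the assessment: a vendor or cloud service that receives CUI and was never inventoried, and therefore never appears in the SSP.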
Phase 2 will separate the organizations that treated CMMC as a security program from those that treated it as a paperwork exercise. November is closer than you think.