CMMC 2.0 Phase 2 Prep: A 6-Month Countdown Guide for DoD Contractors

By Jennifer Walsh
April 14, 2026
13 min read

TL;DR: Quick Takeaways

  • CMMC 2.0 Phase 2 begins November 10, 2026 — mandatory C3PAO assessments required for DoD contracts with CUI at Level 2.
  • The assessor bottleneck is severe: approximately 600 active C3PAO assessors against 2,000+ contractors expected to need assessments — book your assessor now.
  • Your System Security Plan (SSP) must be complete and your Plan of Action and Milestones (POA&M) closed before scheduling your assessment.
  • CUI scoping is the single most impactful exercise — tightly scoping your assessment environment dramatically reduces your compliance burden.
  • CMMC Level 2 requires full compliance with all 110 NIST SP 800-171 practices — no POA&M items are permitted at the time of assessment.

November 10, 2026. That date should be at the top of every DoD contractor's priority list today. On that date, CMMC 2.0 Phase 2 begins, and self-attestation for contracts involving Controlled Unclassified Information at Level 2 ends. From that point forward, if your contract requires CMMC Level 2, you need a Certified Third-Party Assessor Organization assessment and certification — no exceptions, no waivers, no grace period extensions.

The Defense Department is not bluffing this time. CMMC has been through years of revision, delay, and recalibration. The 2.0 rulemaking process is complete, the phased rollout plan is published, and Phase 2 has a hard start date. Contractors who treated previous CMMC deadlines as soft have learned an expensive lesson: the time to prepare is well before the deadline, because the assessment scheduling bottleneck means the earlier you move, the better your position.

This guide gives you a month-by-month action plan from April through October 2026 — seven months to get assessment-ready. We cover the critical milestones, the common gaps found during C3PAO assessments, budget planning, and how LowerPlane helps DoD contractors map CMMC controls to NIST SP 800-171 with automated evidence collection.

Understanding CMMC 2.0 Phase Structure

CMMC 2.0 simplified the original five-level framework to three levels. Level 1 covers basic cyber hygiene (17 practices) and is satisfied through annual self-attestation by a senior company official. Level 2 aligns exactly with the 110 practices in NIST SP 800-171 and requires either self-attestation or C3PAO assessment depending on the contract. Level 3 adds practices from NIST SP 800-172 on top of Level 2 and requires government-led assessments — this applies only to the most sensitive DoD programs.

The phased rollout has been carefully sequenced to give contractors time to prepare. Phase 1 (beginning October 2025) required Level 1 self-attestation for all FCI contracts. Phase 2 (November 10, 2026) adds Level 2 C3PAO assessments for prioritized CUI acquisitions. Phase 3 (2027) extends C3PAO requirements to all CUI contracts. Phase 4 (2028) adds Level 3 requirements for the most sensitive programs.

Phase   | Start Date   | Requirement                | Who is Affected
--------|--------------|----------------------------|------------------------------
Phase 1 | Oct 2025     | Level 1 self-attestation   | All FCI contractors
Phase 2 | Nov 10, 2026 | Level 2 C3PAO assessment   | Prioritized CUI acquisitions
Phase 3 | 2027         | Level 2 C3PAO for all CUI  | All CUI contractors
Phase 4 | 2028         | Level 3 gov-led assessment | Critical program contractors

The Assessor Bottleneck: Why You Must Book Now

Here is the most critical operational reality about CMMC Phase 2: there are not enough certified assessors to handle the demand. As of April 2026, approximately 600 C3PAO assessment teams have completed the Cyber AB authorization process and are actively conducting Level 2 assessments. Industry estimates suggest that 2,000 to 3,000 contractors will need Level 2 C3PAO assessments during the Phase 2 window.

A typical Level 2 C3PAO assessment takes 4-6 weeks from start to Final Assessment Report, including documentation review, on-site or remote assessment activities, and report drafting. If demand reaches even the low end of estimates, the total assessment load would require roughly 10,000 assessor-weeks of work — capacity that simply does not exist in the current assessor pool.

The Bottleneck Warning

C3PAO assessment slots are already booking out 3-5 months in advance. Organizations that begin the scheduling process in Q3 2026 — just before the November deadline — risk being told the earliest available slot is January 2027. That means no CMMC certification when Phase 2 contracts begin flowing. That means no contract award.

Book your C3PAO assessment today. Not next quarter. Today.

When selecting a C3PAO, verify their Cyber AB authorization status on the Marketplace directory, check their experience with your industry sector (manufacturing, IT services, engineering, etc.), and confirm they can conduct the assessment within your timeline. Get a signed Statement of Work before assuming a slot is reserved.

Month-by-Month Countdown: April Through October 2026

Seven months is achievable if you start now and work systematically. The following plan assumes you are starting from a mid-maturity posture — you have some security controls in place and you have conducted at least a preliminary NIST 800-171 self-assessment. If you are starting from a lower baseline, you need to move faster in the early months or engage a Registered Practitioner Organization to accelerate the work.

April 2026: CUI Scoping and Gap Assessment

CUI scoping is the highest-leverage exercise in your entire CMMC preparation. The smaller your assessment scope, the fewer controls you need to implement and evidence, and the faster and cheaper your C3PAO assessment will be. This month, aggressively define your CUI boundary.

  • Identify all systems, networks, and locations where CUI is created, processed, stored, or transmitted
  • Map data flows: where does CUI enter your environment, how does it move, where does it exit or get destroyed?
  • Consider architectural changes to isolate CUI to a smaller, controlled environment
  • Conduct a current-state NIST 800-171 self-assessment against all 110 practices
  • Score each practice: Met (1 point), Not Met (0 points), or Not Applicable
  • Begin drafting or updating your System Security Plan (SSP)
  • Contact at least three C3PAOs and request proposals — confirm assessment availability

May 2026: SSP Completion and POA&M Planning

Your SSP is not just a document — it is the primary artifact your C3PAO will use to plan and conduct the assessment. An incomplete or superficial SSP will slow your assessment and signal unreadiness. This month, build a comprehensive SSP and develop a realistic POA&M for all open practices.

  • Complete SSP with system boundary, data flows, network diagrams, and user types
  • For each of the 110 practices, document implementation status and describe how it is met
  • Create POA&M for all not-met practices with realistic remediation dates (all must be closed before assessment)
  • Prioritize POA&M items by risk and effort — close the high-risk, low-effort items first
  • Select your C3PAO and sign Statement of Work
  • Schedule your assessment window — target August or September to leave buffer time

June 2026: Technical Controls Implementation

This is your heaviest implementation month. Close the technical control gaps identified in your April assessment and begin collecting evidence as you go. Do not implement and then collect evidence separately — collect evidence at implementation time to avoid backtracking.

  • Implement multi-factor authentication for all CUI system access (3.5.3 — commonly missing)
  • Enable audit logging on all CUI systems with centralized collection and retention (3.3.x family)
  • Implement or verify encryption for CUI in transit and at rest (3.13.8, 3.13.10)
  • Configure session timeout and lock controls on all CUI workstations (3.1.10)
  • Implement vulnerability scanning on all in-scope systems (3.11.2)
  • Verify and document configuration management baselines (3.4.x family)
  • Close or formally accept all open vulnerabilities from your last vulnerability scan

July 2026: Policy Completion and Personnel Controls

Many CMMC gaps are not technical — they are documentation and process failures. Assessors test whether policies exist, whether they are current, and whether employees are trained on them. This month locks down all policy and personnel requirements.

  • Complete and have leadership approve all required policies (access control, IR, configuration management, media protection, physical security)
  • Conduct and document security awareness training for all CUI system users (3.2.1, 3.2.2)
  • Implement and document personnel screening processes (3.9.1)
  • Review and update contractor and third-party access controls (3.1.x)
  • Conduct tabletop incident response exercise and document results (3.6.x)
  • Test and document backup and recovery procedures for all CUI systems (3.8.x)

August 2026: Evidence Collection and Mock Assessment

All open POA&M items must be closed this month. Conduct a rigorous internal mock assessment against all 110 practices before your C3PAO arrives. A failed C3PAO assessment requires starting over — a mock assessment is far cheaper than a failed real one.

  • Close all outstanding POA&M items — no open items permitted at assessment time
  • Collect and organize evidence for all 110 practices into a structured evidence repository
  • Conduct internal mock assessment using CMMC assessment guides (NIST 800-171A)
  • Interview system administrators, security personnel, and end users — replicate what assessors will do
  • Remediate any gaps found in mock assessment immediately
  • Finalize SSP to reflect all implemented controls and current system state
  • Prepare assessment brief package for C3PAO — save assessor time by organizing your materials

September–October 2026: C3PAO Assessment Window

Your assessment takes place during this window. A typical Level 2 assessment runs 2-3 weeks for the active assessment phase. Being well-prepared dramatically reduces time-to-report. Respond to assessor questions promptly, provide additional evidence immediately when requested, and never guess at an answer.

  • Conduct opening meeting with C3PAO — set expectations and review assessment plan
  • Designate a single point of contact to coordinate all assessor requests — avoid confusion
  • Have system administrators available for technical interviews and system demonstrations
  • Respond to Requests for Information within 24 hours to avoid delays
  • Review draft findings before Final Assessment Report — submit clarifications where assessors have misunderstood implementation
  • Upon receiving certification, upload CMMC Level 2 certificate to SPRS and begin contract bidding

Start Your CMMC Readiness Assessment Today

LowerPlane maps all 110 NIST SP 800-171 practices to your existing controls, identifies gaps, and tracks evidence collection across your entire CUI environment. See where you stand against Phase 2 requirements in a live demo.

NIST SP 800-171 Alignment: What All 110 Controls Actually Require

CMMC Level 2 is a direct, one-to-one implementation of NIST SP 800-171 Rev 2. Every practice in your SSP maps to a numbered requirement in the NIST document, and every piece of evidence must demonstrate compliance with the specific requirement text — not general security best practices. Understanding what each control family requires in concrete terms helps you build an efficient, targeted compliance program rather than implementing controls that do not satisfy the specific NIST language assessors use to score you.

A critical point often missed by contractors: NIST released SP 800-171 Rev 3 in 2024. The DoD has confirmed that CMMC 2.0 Level 2 assessments remain based on Rev 2 through the Phase 2 enforcement period. Do not implement Rev 3 controls in your SSP unless your contracting officer has specifically requested it — doing so may introduce control numbers and language that do not align with what assessors are testing against.

The 14 NIST 800-171 Control Families with Evidence Requirements

1. Access Control (AC) — 22 requirements

Key evidence: Role-based access matrices, least-privilege justifications, remote access session logs, MFA enrollment records, and account management audit trails showing timely provisioning and de-provisioning.

2. Awareness & Training (AT) — 3 requirements

Key evidence: Training completion records for all CUI system users, curriculum content covering CUI handling and insider threat, and role-specific training for privileged users and system administrators.

3. Audit & Accountability (AU) — 9 requirements

Key evidence: SIEM configuration showing log source coverage, log retention policy set to 90+ days, alert rules for security events, and evidence of regular log review by a responsible party.

4. Configuration Management (CM) — 9 requirements

Key evidence: Documented baseline configurations for each system type, change control tickets showing approval workflow, vulnerability scan history with remediation records, and software allowlist or denylist enforcement.

5. Identification & Authentication (IA) — 11 requirements

Key evidence: MFA enrollment report for all CUI-accessing accounts, password policy enforcement screenshots, service account inventory with justification for each, and authenticator management procedures.

6. Incident Response (IR) — 4 requirements

Key evidence: Written IR plan with DoD reporting timelines, tabletop exercise report from the past 12 months, documented roles and contact list, and evidence of plan testing and update cycle.

7. Maintenance (MA) — 6 requirements

Key evidence: Maintenance activity log, remote maintenance session records with approval and monitoring evidence, sanitization or destruction records for media removed from CUI systems.

8. Media Protection (MP) — 9 requirements

Key evidence: Media inventory log, sanitization procedures with NIST 800-88 alignment, transport controls for physical media, and access controls on portable storage devices in the CUI environment.

9. Physical Protection (PE) — 6 requirements

Key evidence: Badge access logs for CUI areas, visitor log with escort records, physical media controls, and evidence that CUI output (printed materials) is controlled and disposed of securely.

10. Personnel Security (PS) — 2 requirements

Key evidence: Background check completion records aligned to position sensitivity, termination checklist showing timely account deactivation and access revocation upon separation.

11. Risk Assessment (RA) — 3 requirements

Key evidence: Annual risk assessment report, current vulnerability scan results (less than 30 days old at assessment time), and documented risk treatment decisions for identified vulnerabilities.

12. Security Assessment (CA) — 4 requirements

Key evidence: Internal security assessment or audit records, current SSP with all controls described, active POA&M tracking system, and action plans showing progress on open remediation items.

13. System & Communications (SC) — 16 requirements

Key evidence: Network diagrams showing CUI boundary enforcement, TLS certificate configurations, DNSSEC and DNS filtering evidence, network segmentation configuration, and mobile code controls.

14. System & Information Integrity (SI) — 8 requirements

Key evidence: Endpoint antimalware deployment report with update frequency, patch scan results and remediation records, security alert subscriptions (US-CERT, vendor advisories), and integrity checking tool configuration.

Evidence Organization Tip

Organize your evidence repository by NIST practice number (e.g., folder 3.1.1 through 3.14.7). Each folder should contain the primary evidence artifact, a brief description of how it satisfies the practice, and the date it was collected. This structure lets assessors navigate your evidence package independently without requiring your team to locate documents on demand — which saves significant time and reduces assessment anxiety.
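The folder-per-practice layout described above is easy to let drift once evidence is being collected by several people over several months. The script below is an added example, not code from the article or from LowerPlane: it walks a repository laid out that way and reports, per practice, a missing folder, a folder with no artifact, an empty description, a missing or unparseable collection date, or evidence older than a staleness limit, and separately lists practice-looking folders that are not on the expected list (typos, or identifiers from a different revision of 800-171). The file names `README.txt` and `collected.txt`, the 90-day default limit, and the constructed sample repository are assumptions made for the example, not assessor requirements.

```python
"""Sanity-check an evidence repository organised one folder per NIST SP 800-171 practice.

Constructed example. The folder convention (3.1.1 ... 3.14.7, each holding the artifact,
a short description and the collection date) follows the article's tip; the file names
README.txt and collected.txt and the 90-day staleness limit are this example's own
assumptions, not a C3PAO or DoD requirement.
"""
from __future__ import annotations

import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

PRACTICE_ID = re.compile(r"^3\.\d{1,2}\.\d{1,2}$")
DESCRIPTION_FILE = "README.txt"   # assumed name: how the artifact satisfies the practice
DATE_FILE = "collected.txt"       # assumed name: ISO-8601 date the artifact was collected
META_FILES = {DESCRIPTION_FILE, DATE_FILE}


def check_repository(root: Path, expected: list[str], today: date,
                     max_age_days: int = 90) -> dict[str, list[str]]:
    """Return {practice_id: [problems]} for every expected practice that has a gap.

    A practice is clean when its folder exists, holds at least one artifact besides
    the two metadata files, has a non-empty description, and carries a collection
    date that parses as ISO-8601 and is no older than max_age_days.
    """
    findings: dict[str, list[str]] = {}
    for pid in expected:
        folder = root / pid
        if not folder.is_dir():
            findings[pid] = ["missing folder"]
            continue
        problems: list[str] = []
        artifacts = [p for p in folder.iterdir() if p.is_file() and p.name not in META_FILES]
        if not artifacts:
            problems.append("no evidence artifact")
        desc = folder / DESCRIPTION_FILE
        if not desc.is_file() or not desc.read_text(encoding="utf-8").strip():
            problems.append("missing or empty description")
        stamp = folder / DATE_FILE
        if not stamp.is_file():
            problems.append("missing collection date")
        else:
            try:
                collected = date.fromisoformat(stamp.read_text(encoding="utf-8").strip())
            except ValueError:
                problems.append("collection date is not ISO-8601")
            else:
                age = (today - collected).days
                if age < 0:
                    problems.append("collection date is in the future")
                elif age > max_age_days:
                    problems.append(f"evidence is {age} days old (limit {max_age_days})")
        if problems:
            findings[pid] = problems
    return findings


def unexpected_folders(root: Path, expected: list[str]) -> list[str]:
    """Practice-looking folders not on the expected list (typos, ids from another revision)."""
    want = set(expected)
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and PRACTICE_ID.match(p.name) and p.name not in want)


def build_sample_repo(root: Path, today: date) -> None:
    """Constructed sample repository that trips each check once; not real contractor data."""
    def make(pid: str, artifact: bool = True, desc: str | None = "Screenshot of the enforced setting.",
             collected: str | None = None) -> None:
        d = root / pid
        d.mkdir()
        if artifact:
            (d / "artifact.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")
        if desc is not None:
            (d / DESCRIPTION_FILE).write_text(desc, encoding="utf-8")
        if collected is not None:
            (d / DATE_FILE).write_text(collected, encoding="utf-8")

    make("3.1.1", collected=(today - timedelta(days=10)).isoformat())   # clean
    make("3.1.2", collected=(today - timedelta(days=120)).isoformat())  # stale
    make("3.3.1", artifact=False, collected=today.isoformat())          # metadata only, no artifact
    make("3.5.3", desc="", collected="last week")                       # empty description, bad date
    make("3.11.2")                                                      # no collection date
    make("3.1.23", collected=today.isoformat())                         # typo: Rev 2 AC stops at 3.1.22
    # 3.13.1 is deliberately absent -> "missing folder"


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Build the constructed repository and run both checks against a fixed date."""
    today = date(2026, 8, 15)
    expected = ["3.1.1", "3.1.2", "3.3.1", "3.5.3", "3.11.2", "3.13.1"]  # subset of the 110
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root, today)
        return check_repository(root, expected, today), unexpected_folders(root, expected)


if __name__ == "__main__":
    findings, extras = demo()
    for pid, problems in findings.items():
        print(f"{pid}: {'; '.join(problems)}")
    print("folders not on the expected list:", extras)
```

In practice `expected` would be the full list of 110 practice identifiers from your SSP rather than the six-item subset used here, and `max_age_days` can be tightened per practice (for example to 30 for the vulnerability scan results under 3.11.2, which the Risk Assessment evidence list above says should be under 30 days old at assessment time). Running the check as part of the August mock assessment turns "is the evidence package complete?" into a repeatable pass/fail rather than a manual folder-by-folder review.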

How LowerPlane Maps and Automates CMMC Controls

LowerPlane was built for defense contractors managing CMMC alongside other compliance frameworks. The platform accelerates the six-month countdown by automating the three most time-consuming tasks in CMMC preparation: control tracking, evidence collection, and SSP maintenance.

Unlike generic compliance tools, LowerPlane pre-maps all 110 NIST 800-171 Rev 2 requirements with their CMMC practice identifiers, SPRS point values, and assessment method indicators from NIST 800-171A. This means you start with a complete control framework — you do not build it from scratch in a spreadsheet — and every piece of evidence collected is automatically linked to the correct practice.

1. SPRS Score Dashboard

Track your real-time SPRS score as you implement controls. The dashboard calculates your score using the same weighted methodology the DoD applies — giving you an accurate preview of what contracting officers will see before you submit to SPRS.

2. Automated SSP Generation

LowerPlane maintains a live SSP that updates automatically as your control implementation status changes. When a system enters scope or a control status changes, the SSP reflects it without manual editing — assessors receive a current, complete document.

3. Evidence Auto-Collection

Connect your existing security tools — vulnerability scanners, SIEM, MDM, cloud providers, identity platforms — and LowerPlane automatically pulls evidence artifacts mapped to specific NIST controls. Continuous evidence refresh keeps documentation current without manual collection cycles.

4. POA&M Lifecycle Management

Create, assign, track, and close POA&M items with structured workflows. Set milestone dates, track remediation progress, and generate status reports formatted for C3PAO and contracting officer review. Receive alerts when milestones are approaching or overdue.

5. Assessment Readiness Scoring

LowerPlane's readiness dashboard gives you a weighted view of your assessment posture that mirrors the DoD's SPRS methodology. Know exactly where gaps are, which gaps carry the highest point value, and where to focus remediation effort for the fastest score improvement.

6. Multi-Framework Control Overlap

For contractors pursuing FedRAMP, ISO 27001, or SOC 2 alongside CMMC, LowerPlane maps the 80-90% control overlap between frameworks. Evidence collected for CMMC simultaneously satisfies requirements in other frameworks — eliminating duplicated compliance work.

LowerPlane CMMC Capability Summary

  • All 110 NIST 800-171 Rev 2 controls pre-mapped
  • SPRS score real-time calculation
  • CUI data flow diagram documentation
  • Automated SSP generation and refresh
  • POA&M lifecycle management
  • Evidence linking to NIST practice IDs
  • 375+ security tool integrations
  • Continuous control monitoring
  • C3PAO assessment package export
  • Annual self-assessment workflows
  • Multi-framework overlap mapping
  • Audit-ready evidence repository

Common Gaps Found During C3PAO Assessments

Based on experience with DoD contractors across manufacturing, IT services, engineering, and professional services sectors, the following practices are most commonly found deficient during C3PAO assessments. If you address only these specific areas, you will eliminate the most common causes of assessment failure.

3.5.3 — Multi-Factor Authentication

High Risk

Many contractors implement MFA for VPN but fail to enforce it for cloud services, email, and remote desktop access. Assessors test MFA across all CUI system entry points.

3.3.1 / 3.3.2 — Audit Logging

High Risk

Logs exist but are not centrally collected, not retained for 90+ days, or do not capture the right event types (failed logins, privilege use, account management).

3.14.4 — Malware Protection Updates

Medium Risk

Antivirus is deployed but not updated automatically, or some systems (servers, shared workstations) lack coverage. Assessors check update frequency and coverage.

3.11.2 — Vulnerability Scanning

High Risk

Scans run infrequently, results are not reviewed promptly, or high/critical vulnerabilities remain open beyond 30 days without documented risk acceptance.

3.12.3 — Security Control Monitoring

Medium Risk

Controls are implemented but not continuously monitored. Assessors look for evidence of periodic review, not just initial implementation.

3.13.1 — Boundary Protection

High Risk

CUI boundary is not clearly defined or enforced. Remote access bypasses boundary controls, or CUI flows to unmanaged personal devices.

Budget Planning for CMMC Level 2

CMMC compliance is a significant investment. Budget planning should cover three categories: gap remediation costs, C3PAO assessment fees, and ongoing maintenance. The ranges below reflect typical costs for small-to-mid-size DoD contractors with 50-500 employees. Costs vary significantly based on your current security posture and the complexity of your CUI environment.

Gap Remediation

$50K–$300K
  • Security tooling (SIEM, vulnerability scanner): $20K–$80K/yr
  • MFA implementation: $5K–$20K
  • Internal engineering time: 500–1,500 hours
  • RPO/consultant support: $25K–$100K

C3PAO Assessment

$30K–$120K
  • Small scope (under 50 systems): $30K–$50K
  • Medium scope (50-200 systems): $50K–$80K
  • Large scope (200+ systems): $80K–$120K+
  • Failed assessment retest: additional $15K–$40K

Annual Maintenance

$40K–$150K/yr
  • Compliance tooling: $15K–$30K/yr
  • Internal time for continuous monitoring: 200–400 hrs/yr
  • Triennial C3PAO reassessment: $30K–$80K
  • Annual training and policy updates: $5K–$15K

View these costs in the context of the contracts they protect. A DoD contract worth $5M annually makes $50K-$150K in compliance investment extremely reasonable. The real risk is the contracts you cannot bid on or the contracts you lose mid-renewal because your CMMC certification is not in place. The cost of non-compliance is not the fine — it is the lost revenue from DoD contracts that require Level 2 certification.

Key Takeaways

  1. Book your C3PAO assessment immediately — the assessor supply shortage is real, and slots are already booking out months in advance ahead of the November 10, 2026 Phase 2 start date.
  2. CUI scoping is your single highest-leverage activity — a tightly defined, defensible CUI boundary reduces your compliance burden by limiting the number of systems, controls, and evidence artifacts in scope.
  3. All 110 NIST 800-171 practices must be fully implemented with zero open POA&M items before your C3PAO assessment begins — unlike self-attestation, the C3PAO process is binary: you meet the requirements or you do not.
  4. MFA, audit logging, vulnerability management, and boundary protection are the most commonly deficient practice families — address these in your first two months of preparation.
  5. A mock assessment conducted by your internal team or an RPO before the real C3PAO assessment is the single best investment you can make — it surfaces gaps in a context where failure is recoverable.

Frequently Asked Questions

What happens to existing contracts if I am not certified by November 10, 2026?

Phase 2 applies to new DoD contract awards and renewals that specifically require CMMC Level 2 in the solicitation. Contracts awarded before Phase 2 with CMMC Level 2 language may include a grace period defined in the individual contract. However, when those contracts come up for renewal, the new award will require demonstrated CMMC Level 2 certification. Additionally, prime contractors who need to flow CMMC requirements down to subcontractors will begin requiring proof of certification as a condition of subcontract award, regardless of formal government enforcement timelines. The practical commercial pressure to be certified by late 2026 is real even for contractors whose formal government deadline might be later.

Can I use a cloud service provider to reduce my CMMC scope?

Yes, and this is a strategically sound approach for many contractors. Cloud services that are FedRAMP authorized at the Moderate baseline generally meet CMMC Level 2 requirements for the portions of the infrastructure they provide. If you host your CUI in a FedRAMP Moderate or High authorized environment (Microsoft 365 GCC High, AWS GovCloud with appropriate configurations, Google Workspace for Government), the cloud provider assumes responsibility for the physical and infrastructure controls in their environment. This can significantly reduce the number of controls you must independently implement and evidence. However, you remain responsible for controls in your scope — identity management, access policies, endpoint security, and how users interact with the system are all your responsibility regardless of cloud hosting.

How is CMMC Level 2 different from a NIST 800-171 self-assessment?

Both are based on the same 110 practices from NIST SP 800-171. The fundamental difference is verification rigor and accountability. A NIST 800-171 self-assessment involves your team evaluating and scoring your own implementation — there is no external verification, and scores are submitted to SPRS on the honor system. A CMMC Level 2 C3PAO assessment involves independent, trained assessors from an authorized organization verifying your implementation through document review, system demonstrations, and personnel interviews. The C3PAO assessment produces a Final Assessment Report that must be submitted to the government's CMMC database. The consequence of misrepresentation in a self-assessment is limited; misrepresentation in a C3PAO context implicates the assessors' certification and can trigger False Claims Act liability.

What does a CMMC assessment actually look like — what will assessors do?

A Level 2 C3PAO assessment uses the NIST 800-171A assessment procedures, which define three assessment methods for each practice: examine, interview, and test. Examine means reviewing documentation — policies, procedures, configuration screenshots, logs, training records. Interview means questioning personnel — system administrators, security officers, end users — to verify their understanding and actual practices. Test means technical testing — attempting to access systems, verifying technical controls are configured as documented, running diagnostic commands. Assessors typically spend the first week in document review, schedule personnel interviews for week two, and conduct technical testing throughout. The depth of testing for each practice is defined in 800-171A and assessors follow these procedures systematically.

Do subcontractors need their own CMMC certification?

If a subcontractor handles CUI — receives, processes, stores, or transmits CUI in the performance of the subcontract — then yes, that subcontractor needs their own CMMC certification at the appropriate level. Prime contractors are responsible for flowing CMMC requirements down to subcontractors. If a subcontractor only handles Federal Contract Information (FCI) but not CUI, they may only need Level 1 self-attestation. If a subcontractor provides services that do not involve CUI handling at all — such as facility cleaning, accounting services, or marketing — they may not require CMMC certification. The determination depends on whether and how CUI flows to each subcontractor in the specific contract performance context.

How long does CMMC Level 2 certification last?

CMMC Level 2 certifications from C3PAO assessments are valid for three years. During that three-year period, the certified organization must conduct annual affirmations — senior official attestations that the CMMC requirements continue to be met. If significant changes occur to the scoped environment (new systems, major acquisitions, architectural changes), the company should evaluate whether those changes require an updated assessment before the three-year term expires. At the end of three years, a full reassessment is required to maintain certification. Planning and budgeting for the reassessment cycle from the beginning prevents the cost from being a surprise.
