Phase 2 Timeline: What Happens November 2026-2028

Phase 1 started November 10, 2025. No grace period. Selective enforcement.

But Phase 1 is the warm-up.

Phase 2 is when things get serious.

Starting November 10, 2026, C3PAO assessments become mandatory for most Level 2 contracts. Self-assessment won't cut it anymore.

By November 10, 2028, every applicable DoD contract will require CMMC. No exceptions.

Here's the timeline. And what you need to do at each stage.

The Three-Phase Rollout

The DoD is implementing CMMC in stages to avoid overwhelming the system (and to give contractors time to prepare... theoretically).

Phase 1: November 10, 2025 - November 9, 2026

What's required:

• CMMC language appears in select DoD solicitations
• Level 1 or Level 2 self-assessment acceptable for most contracts
• C3PAO assessment required at contracting officer's discretion

Who's affected:

• Contracts involving sensitive CUI
• Critical defense technologies
• High-value programs

Reality: Phase 1 is "opt-in" enforcement. The DoD picks which contracts get CMMC requirements.

But don't relax. Many contracts are already including CMMC language. And primes are requiring certification even when the government doesn't mandate it yet.

Phase 2: November 10, 2026 - November 9, 2028

What's required:

• CMMC language in most new solicitations and contract renewals
• C3PAO assessment mandatory for Level 2 (self-assessment no longer accepted for most contracts)
• Level 1 self-assessment still allowed

Who's affected:

• Broader set of contracts
• All contractors handling CUI (not just "select" contracts)
• Flow-down to subcontractors accelerates

Reality: This is the big shift. C3PAO becomes required, not optional.

If you don't have a C3PAO certificate, you're ineligible for most contracts.

Timeline crunch: From November 2026 to when you need certification could be weeks, not months. Get in line early.

Phase 3: November 10, 2028 and Beyond

What's required:

• CMMC language in all applicable solicitations and contracts
• No exceptions
• Full implementation

Who's affected: Everyone.

If your contract involves FCI or CUI and is above the micro-purchase threshold ($10K), it will have CMMC requirements.

Reality: By 2028, CMMC is just part of doing DoD business. Like having a CAGE code or a DUNS number.

No cert = no eligibility = no contracts.

Timeline Milestones

December 2025 - March 2026: The Calm Before the Storm

What's happening:

• Phase 1 is live but enforcement is selective
• Most contractors are still preparing or procrastinating
• C3PAO waitlists are 3-6 months but manageable

What you should do:

• If you need Level 2: Schedule your C3PAO assessment NOW
• If you're self-assessing: Complete it and get certified
• If you haven't started: Do gap analysis and start implementing controls

Why this matters: This is your window. C3PAO capacity isn't overwhelmed yet. You can still get on the schedule.

Wait until mid-2026 and you'll be competing with thousands of other contractors for the same C3PAO slots.

April - October 2026: The Rush Begins

What's happening:

• Contractors realize Phase 2 is 6 months away
• C3PAO waitlists balloon to 6-12+ months
• Panic sets in

What you should do:

• If you're not scheduled yet: Get on a C3PAO waitlist immediately (even if you're not ready)
• If you're in process: Accelerate. Don't delay.
• If you're certified: Relax. You're ahead of 90% of competitors.

Why this matters: By October 2026, it'll be too late to get a C3PAO assessment before Phase 2 starts. Wait times will be 12+ months.

November 2026: Phase 2 Starts

What changes:

• C3PAO mandatory for most Level 2 contracts
• Self-assessment only allowed in specific low-risk scenarios
• Contractors without C3PAO certs start losing bids

What you should do:

• If you're certified: Leverage it. Highlight it in bids. It's a competitive advantage.
• If you're in process: Show proof (engagement letter from C3PAO, projected completion date)
• If you're not started: You're probably too late for Phase 2 contracts. Focus on getting certified for Phase 3.

Why this matters: This is when the haves and have-nots separate.

Certified contractors keep winning contracts. Uncertified contractors start losing.

2027: The Scramble

What's happening:

• Thousands of contractors racing to get certified before Phase 3
• C3PAO capacity is maxed out
• Some contractors exit DoD market entirely
• Primes consolidate supplier base (fewer subs, all certified)

What you should do:

• If you're certified: Maintain it. Re-assessment required every 3 years.
• If you're still not certified: Get in line. Even a 2028 certification date is better than nothing.
• If you're thinking about dropping DoD work: Make the decision. Don't linger.

Why this matters: By 2027, CMMC is a fait accompli. The only question is: are you compliant or not?

November 2028: Phase 3 (Full Implementation)

What changes:

• All applicable contracts require CMMC
• No more phased rollout
• No more "select" enforcement

What you should do:

• If you're certified: Business as usual
• If you're not certified: You're out of the DoD market

Why this matters: This is the final deadline. After this, there's no wiggle room.

What "Mandatory C3PAO" Really Means (Phase 2+)

During Phase 1, contracting officers can require C3PAO at their discretion.

During Phase 2, contracting officers must require C3PAO for most Level 2 contracts.

The difference?

Phase 1: "We prefer C3PAO but will accept self-assessment" Phase 2: "C3PAO required. Self-assessment not accepted."

There are narrow exceptions (low-risk contracts, certain programs), but for most contractors, Phase 2 = C3PAO or bust.

Why the DoD Is Doing This in Phases

You might wonder: if CMMC is so important, why not require it immediately for all contracts?

Answer: capacity.

Problem 1: Not Enough C3PAOs

As of December 2025, there are only 83 C3PAOs for 118,000 contractors.

If the DoD required everyone to get certified immediately, the system would collapse. Wait times would be 5+ years.

Phased rollout gives time for:

• More C3PAOs to get authorized
• ISACA to train more assessors (they took over in December 2025)
• Contractors to spread out assessments over time

Problem 2: Contractors Aren't Ready

Most defense contractors weren't doing NIST 800-171 before CMMC.

Requiring immediate compliance would have caused mass disruptions:

• Contract delays
• Loss of critical suppliers
• National security impact (fewer contractors = less competition = higher prices)

Phased rollout gives contractors time to implement controls and get certified without breaking the supply chain.

Problem 3: Litigation Risk

If the DoD had gone "full enforcement" immediately, contractors would have sued.

Phased rollout with advance notice reduces legal challenges. Hard to claim "we didn't have time to prepare" when you had 3+ years warning.

Preparing for Each Phase

If It's Currently Q4 2025 or Q1 2026

Priority: Schedule C3PAO assessment

Timeline: Aim for Q2-Q3 2026 assessment (before Phase 2)

Steps:

1. Do gap analysis (what controls do you have vs need?)
2. Implement missing controls (3-6 months)
3. Contact 3-5 C3PAOs and get quotes
4. Schedule assessment for mid-2026
5. Complete assessment and get certified

Result: You're certified before Phase 2, avoiding the rush

If It's Q2-Q3 2026

Priority: Accelerate timeline

Timeline: Try to complete before November 2026 (Phase 2 start)

Steps:

1. If not already implementing controls, START NOW
2. Get on C3PAO waitlist ASAP (even if you're not ready — you can always delay your slot)
3. Consider hiring consultant to accelerate implementation
4. Document everything (even partial compliance) to show good faith

Result: Maybe you get certified before Phase 2. If not, at least you're in process.

If It's Q4 2026 or Later

Priority: Get in line for 2027-2028 certification

Timeline: Realistically, you're looking at 2027-2028 completion

Steps:

1. Accept you missed Phase 2
2. Focus on Phase 3 (November 2028 deadline)
3. Get on C3PAO waitlist (yes, it'll be long)
4. In the meantime, pursue contracts that still allow self-assessment (if any)
5. Consider partnering with certified primes as a sub (you handle manufacturing, they handle CUI)

Result: You might lose some bids in 2027, but you'll be ready for Phase 3

Re-Assessment Requirements

CMMC certification isn't forever.

Level 1: Self-assessment required annually

Level 2: C3PAO assessment required every 3 years

Level 3: C3PAO + DIBCAC assessment every 3 years

What this means:

• If you get certified in 2026, you need re-assessment in 2029
• Budget for ongoing compliance, not just initial certification
• Maintain controls continuously (don't let things slip between assessments)

What If You're Already Certified?

If you got certified in 2024-2025 (early adopter), good job. You're ahead of the curve.

Next steps:

• Maintain compliance: Don't let controls lapse
• Prepare for re-assessment: Track your certification date + 3 years
• Leverage competitive advantage: Market your CMMC status in bids
• Help your supply chain: If you're a prime, help subs get certified (keeps your supply chain intact)

What If You Miss All the Deadlines?

If you get to November 2028 without certification, you have two options:

Option 1: Exit DoD Market

Stop bidding DoD contracts. Focus on commercial work.

Option 2: Get Certified Post-2028

You'll still be able to get certified after 2028. It's not a "window closes" situation.

But you won't be eligible for contracts until you're certified.

So if you go this route, expect a revenue gap:

• 2028: Lose DoD contracts (not certified)
• 2029: Get certified (but lost 1 year of revenue)
• 2030+: Resume DoD contracts

Most shops can't afford a 1-2 year revenue gap. So don't plan on this.

The Bottom Line

Phase 1 (now - November 2026): Selective enforcement, self-assessment still accepted

Phase 2 (November 2026 - November 2028): Broader enforcement, C3PAO mandatory for most

Phase 3 (November 2028+): Full enforcement, all contracts

If you need CMMC Level 2, your deadline is realistically mid-2026 to avoid the Phase 2 rush.

If you wait until 2027-2028, you'll get certified eventually. But you'll lose bids in the meantime.

The smart move: start now. Even if Phase 2 is 11 months away.

C3PAO wait times are already 3-6 months. By mid-2026, they'll be 12+ months. Don't be the contractor scrambling in October 2026 trying to find a C3PAO with availability.

---

Next Steps:

Not sure where to start? Take our 2-minute quiz to assess your readiness.

Need to understand what controls to implement? Read our NIST 800-171 priority guide.

Worried about finding a C3PAO? Read our C3PAO shortage guide for tips on getting scheduled.