Cyber One Solutions logo.
Get Support

CMMC

CMMC Phase 2 Begins November 10, 2026: Why a Level 2 Self-Assessment Will No Longer Be Enough

July 13, 2026 · Cyber One Solutions

The Department of Defense's Cybersecurity Maturity Model Certification program moves from self-assessment to third-party certification on November 10, 2026. For defense contractors and subcontractors touching Controlled Unclassified Information, the readiness clock is now measured in months, not years.

The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program enters its second phase on November 10, 2026. Under the final rule published in the Federal Register on September 10, 2025, and confirmed on the Department of Defense's CMMC program page, contracting officers will be authorized to require a Level 2 certification performed by a Certified Third-Party Assessment Organization (C3PAO) as a condition of contract award in applicable new solicitations, rather than accepting the Level 1 or Level 2 self-assessment that has applied since the program's Phase 1 start on November 10, 2025.

Why This Matters for CMMC-Covered Businesses

Phase 1 gave contractors a full year to operate under self-attestation: complete a Level 1 or Level 2 self-assessment, post a score to the Supplier Performance Risk System, and move forward on that basis. Phase 2 removes that option for the solicitations it covers. Once a contract or task order falls under Phase 2, the certification your business needs on file is one an outside assessor produced, not a form your own compliance team filled out.

This affects a wider group than prime contractors realize. Any subcontractor that receives Controlled Unclassified Information flowing down from a prime, not only companies holding a direct Department of Defense contract, can be pulled into a Level 2 requirement. Our service area includes a meaningful share of this supply chain: aerospace and manufacturing subcontractors around the Houston-Clear Lake corridor near NASA Johnson Space Center, engineering and logistics firms across the Dallas-Fort Worth defense corridor, and smaller machine shops and IT integrators throughout Texas and the broader 48-state defense industrial base who hold a subcontract carrying the CMMC flow-down clause without necessarily thinking of themselves as a defense contractor.

What This Means for Your Obligations

SC Media reported in November 2025 that industry estimates put total CMMC readiness at only about one percent of defense contractors, a gap that has had less than a year to close before third-party certification becomes a live requirement in new solicitations. If your organization has not started, the first question is not which controls you are missing. It is whether you actually know your required assessment level.

Confirm whether your work involves only Federal Contract Information, which keeps you at the Level 1 annual self-assessment, or Controlled Unclassified Information, which puts you at Level 2 and potentially in scope for a C3PAO assessment once your contract or option period falls under Phase 2. Ask your prime contractor directly which level your subcontract requires. The flow-down clause at DFARS 252.204-7021 obligates primes to pass the CMMC requirement to subcontractors, but it does not obligate them to explain it.

If Level 2 applies, do not wait to identify and engage a C3PAO. A third-party assessment is not something you schedule the week before a deadline. It requires a documented System Security Plan covering all 110 NIST SP 800-171 security requirements, evidence that those controls are actually operating, and a Plan of Action and Milestones with real target dates for anything not yet complete. Assessors evaluate evidence, not intentions.

Do not assume Phase 2 is someone else's timeline. The Department of Defense can insert the Level 2 certification requirement into individual Phase 1 procurements ahead of the general Phase 2 start, and it can also choose to delay a specific contract's certification requirement to a later option period. Either way, the only defensible position is to be ready before your own contract or option period requires it, not after.

The Bottom Line

November 10, 2026 does not mean every Department of Defense contractor needs a completed C3PAO assessment that day. It means the option to rely on self-assessment begins closing for new solicitations, and the businesses that build their System Security Plan, close out their Plan of Action and Milestones items, and identify an assessor now will not be scrambling when their own contract requires it. Cyber One Solutions helps defense contractors and subcontractors build and document CMMC Level 2 readiness through our CMMC compliance services, backed by IT and security assessments that establish your current control gaps and managed cybersecurity that keeps the required controls, including multi-factor authentication, endpoint detection, audit logging, and access control, operating day to day.

Sources

[Federal Register
Defense Federal Acquisition Regulation Supplement, Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)](https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of)
[U.S. Department of Defense CIO
About CMMC](https://dodcio.defense.gov/CMMC/About/)
[SC Media
CMMC enforcement commences](https://www.scworld.com/brief/cmmc-enforcement-commences)