TL;DR: CMMC Phase 2 begins on November 10, 2026 and makes C3PAO assessment the default for most DoD contracts involving CUI, with DoD estimates showing 93% of CUI-handling organisations will need Level 2 certification and 99% of organisations still awaiting completion, according to Secureframe and the 32 CFR rule. The practical issue is no longer awareness but scheduling, evidence quality, and whether readiness work starts early enough to beat assessment bottlenecks.
NHIMG editorial — based on content published by Secureframe: CMMC Phase 2: What to Expect and How to Prepare [2026]
By the numbers:
- Among organizations handling CUI specifically, 93% will require Level 2 (C3PAO) starting in Phase 2.
Questions worth separating out
Q: What breaks when CMMC Phase 2 readiness is treated like a last-minute compliance task?
A: The assessment timeline breaks first, then the contract strategy.
Q: Why do C3PAO lead times matter as much as control implementation?
A: Because certification depends on external availability as well as internal readiness.
Q: What do teams get wrong about conditional CMMC status?
A: They often treat it as a softer version of compliance, when it is really a narrow bridge for limited gaps.
Practitioner guidance
- Map contract scope to the CUI boundary now Confirm which systems, identities, and data flows sit inside the assessed enclave, then align the SSP, architecture diagrams, and access model to that boundary so the assessor sees one consistent operating picture.
- Separate must-have controls from POA&M candidates Classify controls that cannot remain unresolved at assessment time, especially MFA, external connection control, logging, and public-system restrictions, then push those to the front of remediation planning.
- Book the assessor before documentation is perfect Start C3PAO outreach during readiness work, not after it, because calendar delay can become the real blocker even when control remediation is on track.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- A step-by-step Phase 2 assessment workflow covering scoping, pre-assessment, on-site verification, scoring, and post-assessment follow-up.
- Checklist detail on which CMMC Level 2 requirements cannot sit on a POA&M and must already be met at assessment time.
- Practical examples of how conditional status works, including the 180-day remediation window and closeout assessment.
- Cost and timing estimates for C3PAO assessments that help teams plan budget and booking lead times.
👉 Read Secureframe's guide to CMMC Phase 2 preparation and assessment readiness →
CMMC phase 2: is your C3PAO readiness timeline realistic?
Explore further
Assessment readiness is now a procurement control, not a compliance afterthought. Phase 2 turns verification timing into a contract risk because defence buyers can only award work when evidence is ready and assessors are available. That means the organisation’s ability to bid depends on its identity and control documentation being assessable, not merely present. For security leaders, the practical conclusion is that readiness tracking belongs in the same governance tier as bid qualification.
A question worth separating out:
Q: Who is accountable when a contractor misses the Phase 2 certification window?
A: Accountability sits across security, compliance, and capture functions because the missed window affects both control assurance and contract eligibility. If evidence is incomplete, assessor booking is late, or scope is unclear, the organisation may lose award opportunities even if remediation was underway. Governance should assign one owner for certification status and one for evidence integrity.
👉 Read our full editorial: CMMC phase 2 shifts defence contracting to third-party verification