Signal Over Noise | The Clock on Your DoD Contract Just Got Louder
If your company touches the defense supply chain — as a prime, a sub, or a supplier — November 10, 2026 is the date to have circled in red.
Phase 2 of the CMMC rollout begins November 10, 2026. That's when mandatory Level 2 C3PAO certification assessments become standard for applicable contracts. Self-attestation is no longer sufficient for most contractors handling Controlled Unclassified Information. In plain terms: you can't just say you're compliant anymore. A certified third party has to verify it.
Phase 1 started in November 2025 and gave contractors room to self-assess. Phase 2 closes that door. The DoD will not award or extend defense contracts without proof of a CMMC third-party certification at the required level. There is no workaround and no shortcut.
Here's the problem: most organizations dramatically underestimate the lead time.
Reaching operational steady state with a managed security partner takes approximately 90 days, and that window sits inside the broader six to twelve month preparation timeline — not after it. When you work backward from November 10, 2026 and factor in both timelines, contractors who have not yet engaged a managed security partner will find the runway considerably shorter than it appears.
There's one more wrinkle worth knowing. NIST SP 800-171 Revision 3 will become mandatory for contractors subject to DFARS requirements, and it's not a minor update. It tightens requirements around access control, incident response, and supply chain risk management in ways that will require organizations to revisit documentation and controls they may believe are already in order.
Three things to do before the end of this month:
Run a gap assessment. You can't build a remediation plan without knowing where you stand against the 110 NIST SP 800-171 controls. This is step one and it takes time.
Schedule your C3PAO. Certified third-party assessors are getting booked out. Waiting until Q3 to schedule a Q4 assessment is a risk you don't want to take.
Review your subcontractor exposure. If you're a prime, your subs' compliance status affects your contracts too. Non-compliant suppliers are your problem on audit day.
Organizations that successfully navigate these deadlines will have three things in common: an early start, credible third-party partnerships, and a realistic assessment of the gap between where they are today and where they need to be.
netMethods works with defense contractors and manufacturing organizations across Southern California on exactly this. If November is feeling closer than it should, let's talk about where you stand →