
The CMMC Compliance Clock Is Ticking: What Defense Contractors Need to Do

Rachel Phillips, March 31, 2026

If you haven't started CMMC compliance yet, you're already behind.

I'm going to be blunt: if your company handles Department of War (DoW) contracts and you haven't started working toward CMMC certification, you have a problem. Not a future problem. A right-now problem. The certification requirements that the government contracting community has been hearing about for years are no longer theoretical. CMMC clauses are showing up in real solicitations, real contracting officers are checking compliance scores, and real companies are losing bids because they aren't ready.

The Cybersecurity Maturity Model Certification program went from proposed rule to enforceable reality faster than most small businesses expected. The CMMC program rule took effect in December 2024. The DFARS acquisition rule — the one that actually puts CMMC requirements into contracts — followed in November 2025. We are now in Phase 1 of a four-phase rollout, and Phase 2 hits on November 10, 2026. That's when third-party certification assessments become mandatory for many Level 2 contracts.

Seven months might sound like breathing room. It isn't. Preparation alone takes three to nine months, and that's before you get in line for an assessment with one of the fewer-than-100 accredited assessment organizations in the country. The math doesn't work in your favor if you're starting from scratch.

Here's what you need to know — and a realistic month-by-month timeline to get ready.

What CMMC Actually Requires (Without the Jargon)

CMMC boils down to one question: how well does your company protect sensitive government information?

The answer determines which of three levels applies to you:

Level 1 is for contractors who handle Federal Contract Information — think invoices, project schedules, general correspondence. You need to meet 15 basic cybersecurity practices, and you self-assess annually. If you're using strong passwords, keeping your software updated, and controlling who has access to what, you're most of the way there. No third-party audit required.

Level 2 is where things get serious. This applies to contractors who handle Controlled Unclassified Information — technical data, engineering drawings, test results, anything the government has specifically marked as CUI. Level 2 maps directly to all 110 security requirements in NIST SP 800-171 Revision 2. During Phase 1 (right now through November 2026), many contracts accept a self-assessment. After that, expect third-party certification to become the standard. An estimated 80,000 defense contractors fall into this category.

Level 3 is the highest tier, reserved for contractors working with the most sensitive CUI — the kind that advanced persistent threats (nation-state hackers, essentially) would target. It adds 24 additional requirements from NIST SP 800-172 on top of Level 2, and requires a government-led assessment by DIBCAC. Only about 1,500 companies are expected to need Level 3.

Most small businesses reading this need Level 2. That's the one I'll focus on.

Why November 2026 Is the Real Deadline

You may have seen different dates floating around. Let me cut through the noise.

The CMMC rollout has four phases:

Phase 1 (November 2025 – November 2026): Self-assessments are required in applicable solicitations right now. If you bid on a DoW contract that includes DFARS clause 252.204-7021, you need a minimum SPRS score of 88 out of 110. Some contracting officers are already exercising their discretion to require third-party certification even during this phase.

Phase 2 (November 2026 – November 2027): Third-party C3PAO certification becomes mandatory for select Level 2 contracts. Level 3 government-led assessments begin. This is the phase where self-assessment alone stops being enough for many contractors.

Phase 3 (November 2027 – November 2028): CMMC requirements extend beyond new awards to contract renewals and option exercises. Existing contracts start requiring compliance.

Phase 4 (November 2028 onward): Full implementation. Every DoW solicitation and contract (except commercial off-the-shelf purchases) requires CMMC as a condition of award.

Phase 2 is the inflection point. It's when the government shifts from trusting your word to verifying it independently. And the pipeline to get verified is already backed up.

The Bottleneck Nobody's Talking About Enough

Here's the number that should worry you: roughly 80,000 companies need Level 2 certification. The number of accredited C3PAOs (Certified Third-Party Assessment Organizations) available to conduct those assessments? Fewer than 100. The total number of certified assessors? About 600, with only half qualified to lead assessment teams.

The Cyber AB — the organization that accredits C3PAOs — has acknowledged this gap. Their CEO, Matt Travis, called the assessor shortage "the long pole in the tent" and estimated the ecosystem needs 2,000 to 3,000 assessors to meet demand. As of early 2026, only about 500 defense contractors have actually completed Level 2 certification. That leaves tens of thousands of companies competing for limited assessment slots.

Some C3PAOs already have backlogs stretching into the following year. Every month you wait, the line gets longer.

What It Costs (Honestly)

I won't sugarcoat this — CMMC compliance isn't cheap for small businesses. But neither is losing your ability to bid on DoW contracts.

The DoW's own regulatory analysis estimates approximately $101,000 for a small business to achieve Level 2 CMMC certification. That includes planning, preparation, remediation, and the assessment itself.

Real-world costs vary widely depending on where you're starting from. One company reported moving from zero to full compliance in two months at roughly $1,300 per employee seat, with $32,000 for the assessment — but they used a managed service provider who accelerated the process. Companies that try to go it alone and hit snags during their assessment can see costs balloon past $400,000 when you factor in rework, rescheduled audits, and extended remediation timelines.

On the brighter side, there's a proposed Small Business Cybersecurity Act that would provide a tax credit of up to $50,000 for CMMC-related expenses for companies with 50 or fewer employees. It hasn't passed yet, but it signals that lawmakers understand the burden. Don't bank on it, but keep an eye on it.

For Level 1, the costs are minimal — the DoW estimates $4,000 to $6,000 in internal labor to conduct the self-assessment. If Level 1 is genuinely all you need, count yourself lucky.

Your Month-by-Month Timeline: March 2026 to November 2026

If you're starting today, here's a realistic breakdown of how to get from "we should probably look into this" to assessment-ready.

March – April 2026: Know Where You Stand

First, figure out which CMMC level you actually need. Review your active contracts and any solicitations you're targeting. If any of them involve CUI — and if you're doing technical work for the DoW, they almost certainly do — you need Level 2. Check whether your contracts already include DFARS clause 252.204-7021.

Then do an honest gap assessment against the 110 NIST SP 800-171 requirements. Not a checkbox exercise — a real evaluation. Where do you have documentation? Where do you have policies but no enforcement? Where do you have nothing at all? This is the foundation everything else builds on. Most companies discover they're meeting 40-60% of requirements but lack the documentation to prove it.

May – June 2026: Fix the Gaps

Based on your gap assessment, prioritize remediation. The most common shortfalls for small businesses are access controls, audit logging, incident response plans, and — the big one — documentation. CMMC assessors don't just check whether you do something. They check whether you have a written policy that says you do it, evidence that you've been doing it consistently, and a plan for what happens when something goes wrong.

This is where most of the time and money goes. Implementing multi-factor authentication is a weekend project. Writing a 110-control System Security Plan that accurately reflects your environment, training your team on it, and collecting three months of evidence? That's a multi-month effort.

July – August 2026: Get in Line for Assessment

Start contacting C3PAOs now — not when you think you're ready. Assessment organizations are booking months in advance, and you need to secure a slot. The official directory is the Cyber AB Marketplace at cyberab.org. Vet your C3PAO carefully: ask about their experience with companies your size, their timeline, and their communication process.

Run an internal mock assessment. Walk through all 110 requirements as if a real assessor were sitting across from you. Can you produce evidence for every control? Can your IT staff explain the policies? If the answer is "mostly, with some gaps," you still have time. If the answer is "we'd fail half of these," you need to accelerate or consider whether November 2026 is realistic.

September – October 2026: Final Prep and Pre-Assessment

Many C3PAOs offer a pre-assessment or readiness review — take advantage of it. This isn't the official certification assessment, but it gives you a preview of what they'll focus on and where you'll get flagged. Fix everything they identify. Update your System Security Plan. Re-collect any evidence that's gone stale.

Make sure your SPRS score is current. Under Phase 1 rules, you already need a minimum score of 88 out of 110 to bid on Level 2 contracts. If your score is lower, you're leaving opportunities on the table right now.

November 2026: Assessment Window

If you've done the work, the assessment itself takes one to two weeks depending on your company's size and complexity. The assessor reviews your documentation, interviews key personnel, and examines technical evidence. If you meet all 110 requirements, you receive your CMMC certification — valid for three years with annual affirmation that you're maintaining compliance.

If you fall short, you may receive a conditional certification with a 180-day Plan of Actions and Milestones (POA&M) to close remaining gaps. That's not ideal, but it's not fatal either. What you can't afford is to show up with fundamental gaps that require starting over.

One More Thing to Watch

CMMC isn't staying inside the DoW. GSA has begun developing CMMC-like cybersecurity rules for civilian federal contracts, which means these requirements could eventually apply to contractors who don't work with the military at all. A March 2026 GAO report also flagged that DoW is still basing CMMC on NIST SP 800-171 Revision 2 from 2020, even though Revision 3 came out in 2024 — so expect the technical requirements to evolve too.

The contractors who invest in cybersecurity compliance now aren't just checking a box. They're building a competitive advantage that will compound as these requirements expand across the federal market.

The Bottom Line

I talk to business owners every week who assume they have more time than they do. "We'll deal with CMMC next quarter." "We're waiting to see if it really gets enforced." "Our IT guy says we're fine." These are the companies that will be scrambling in October, discovering that every C3PAO has a six-month waitlist and their documentation isn't close to ready.

CMMC compliance isn't optional anymore. It's the cost of doing business with the Department of War. The companies that act now will be positioned to bid confidently when Phase 2 hits. The ones that wait will be watching contracts go to competitors who took this seriously. If the timeline and requirements feel overwhelming, that's exactly why working with a team that handles government certifications daily makes the difference between meeting the deadline and missing it entirely.

Ready to take the next step?

Book your free Market Assessment. A senior FEDCON advisor will review your business and show you exactly where the opportunities are.