The Cybersecurity Maturity Model Certification program turned operational on November 10, 2025, when the 48 CFR rule that adds CMMC clauses to DoD contracts took effect. That activated Phase 1 of the four-phase rollout defined in 32 CFR Part 170, the program rule that has been in effect since December 16, 2024. Phase 2 follows on November 10, 2026, and shifts a substantial fraction of contracts from self-assessment to mandatory third-party certification by Certified Third-Party Assessor Organizations (C3PAOs). With Phase 2 less than seven months away as of the time of writing, the realistic question for most prime contractors and subcontractors is no longer whether to prepare but how to demonstrate Level 2 readiness in time for assessment scheduling, which is already a bottleneck across the C3PAO ecosystem.
# What changed on November 10, 2025?
The 48 CFR amendment to the DFARS clause set introduced 252.204-7021 (the CMMC requirement clause) into DoD solicitations and contracts where applicable. Phase 1 gives DoD program offices discretion to require Level 1 or Level 2 self-assessments, and to require Level 2 certification assessments in specific contracts. The default Phase 1 posture is self-assessment, but the DoD has signaled that certain high-CUI-exposure contracts in research and development, satellite communications, and nuclear-adjacent industrial work will require Level 2 certification during Phase 1 itself. Prime contractors began conducting flow-down audits on their subcontractor base in late 2025, with documented Senior Official Affirmations of Compliance now expected at award and at annual renewal.
# What does Phase 2 add on November 10, 2026?
Phase 2 makes C3PAO Level 2 certification the default expectation in solicitations whose performance involves processing, storing, or transmitting Controlled Unclassified Information. Self-assessment alone will no longer suffice for most CUI-handling contracts after that date. Phase 3 (November 10, 2027) extends the requirement to Level 3 assessments by the DCMA-DIBCAC for higher-sensitivity programs. Phase 4 (November 10, 2028) folds the requirement into all DoD contracts except those solely for commercial off-the-shelf items. The phased structure was designed to ease C3PAO capacity constraints and to give contractors time to remediate, but the capacity question is acute: as of early 2026, only several dozen C3PAOs were operational and certification slots for the back half of 2026 were already filling.
# How does Level 2 map to NIST SP 800-171?
CMMC Level 2 implements the 110 security requirements of NIST SP 800-171 Rev 2 plus a small number of CMMC-specific scoping and process expectations. Rev 3 of SP 800-171, published in May 2024, restructured those requirements but has not yet been incorporated into the CMMC rule; Level 2 assessments through 2026 continue to be conducted against the Rev 2 controls, with a transition to Rev 3 anticipated later. A contractor that has carried a current System Security Plan (SSP) and a Plan of Action and Milestones (POAM) under DFARS 252.204-7012 since 2017 should have a baseline; the gap from "documented" to "assessable" is typically two to four quarters of remediation work, longer when CUI scope has crept into developer laptops, contractor-owned mobile devices, or unscoped cloud sandbox accounts.
# Where do contractors most often fail readiness reviews?
Five failure patterns recur. First, CUI scoping: contractors over-scope because they cannot tell which systems handle CUI, which inflates the assessment surface and creates audit findings everywhere. Second, asset inventory: SP 800-171 expects an authoritative, current inventory, and most contractors maintain at least three inventories that disagree with one another. Third, identification and authentication: MFA coverage gaps for privileged and remote users persist, especially around legacy build servers and CAD workstations. Fourth, audit log retention and review: logs exist, but the review cadence and retention period do not match the control text. Fifth, supply chain risk and external services: contractors who use SaaS for engineering data (PLM, code repositories, CI/CD) often cannot demonstrate that those services meet FedRAMP Moderate equivalency or otherwise carry equivalent protections for the CUI handled within them.
# What does Phase 2 mean for subcontractor flow-down?
The 32 CFR Part 170 rule extends CMMC obligations down the supply chain in proportion to the CUI being handled at each tier. A prime that holds Level 2 certification must ensure that any subcontractor processing, storing, or transmitting CUI on its behalf holds at least an equivalent CMMC level for the contract scope. Phase 2 will force faster decisions about subcontractors: primes that have not already inventoried their sub base by CUI exposure will face contract-award delays. Subs that handle only Federal Contract Information (FCI) and no CUI remain at Level 1 self-assessment, but the line between FCI and CUI is fuzzy in practice, and many subs have been quietly handling CUI without acknowledging it in their documentation.
# CMMC Level 2 readiness checklist (priority order)
1. Define CUI scope: identify the assets, networks, and people who handle CUI
2. Produce authoritative asset inventory for in-scope environment
3. Confirm MFA on all privileged and remote users (no exceptions)
4. Verify FIPS-validated cryptography for CUI at rest and in transit
5. Establish audit log generation, retention (>= 90 days hot), and review cadence
6. Document and test incident response with named roles and timelines
7. Evidence flow-down clauses with every CUI-handling subcontractor
8. Demonstrate FedRAMP Moderate or equivalent for SaaS handling CUI
9. Maintain a current SSP and POAM with no high-severity gaps at assessment
10. Schedule C3PAO assessment 6-9 months in advance of contract need
# What about the DoD's "equivalent" path for SaaS handling CUI?
DFARS 252.204-7012 requires that cloud services handling CUI meet the FedRAMP Moderate baseline or equivalent. The "or equivalent" path has been contentious for years; DoD CIO memos in 2023, and guidance reaffirmed through 2025, require a documented equivalency body of evidence reviewed by the prime, including an SP 800-171-aligned control assessment, a vulnerability scan and remediation history, and an incident response capability statement. Phase 2 assessors are paying close attention to this evidence because CUI leaked through SaaS has been a recurring DIB incident pattern. Contractors who rely on a SaaS engineering tool that lacks FedRAMP Moderate authorization should either migrate to an authorized alternative or assemble a defensible equivalency package before assessment.
# How Safeguard Helps
Safeguard maintains a continuous, machine-readable inventory of software components, container images, and SBOMs in your in-scope environment, satisfying the asset-inventory and configuration-management controls that consistently trip up Level 2 assessments. Griffin AI maps CVEs, KEV entries, and reachability evidence to your CUI boundary, so vulnerability management and risk assessment evidence is current and auditable rather than reconstructed at assessment time. TPRM workflows score every CUI-touching SaaS against FedRAMP Moderate equivalence requirements, producing a sub-by-sub status view that primes can attach to flow-down obligations. Policy gates can also block deployments that would introduce non-FedRAMP-authorized SaaS into a CUI workflow, removing one of the most common Phase 2 finding categories before it reaches the C3PAO.