The Self-Assessment Grace Period Is Ending — Here's What Phase 2 Actually Requires
Starting November 10, 2026, most new Department of Defense contracts that touch Controlled Unclassified Information will require an independent C3PAO certification — not a self-attestation. With a limited assessor pool and a six-to-twelve-month runway, the contractors who wait are the ones who lose awards.
For three years, CMMC felt like something you could keep an eye on from the sidelines. That window has closed. When the acquisition rule took effect on November 10, 2025, the Cybersecurity Maturity Model Certification stopped being a policy debate and became a condition of contract award. The only question left is which phase your next solicitation falls under — and whether you'll be ready when it does.
If you handle Controlled Unclassified Information (CUI), Phase 2 is the milestone that matters. It's the point where a self-assessment is no longer enough and an independent assessor has to verify your environment. Here's where things stand, what changes in November, and how the most prepared contractors are getting there faster and at a fraction of the expected cost.
Where CMMC Actually Stands in 2026
CMMC rolls out in four phases over three years. Each phase widens the requirement and raises the bar on how you prove it. Knowing which phase your contracts fall into tells you exactly how much runway you have left.
2025: Self-Assessment as a Condition of Award
Applicable solicitations require a Level 1 or Level 2 self-assessment with your score submitted to SPRS, plus an annual affirmation from a senior official. The DoD can already require Level 2 certification on select contracts at its discretion.
2026: Mandatory C3PAO Level 2 Certification
Most contracts involving CUI will require third-party certification by a Certified Third-Party Assessment Organization. Self-attestation no longer satisfies the requirement — an independent assessor has to validate all 110 practices.
2027: Level 3 Assessments Begin
The most sensitive programs add Level 3 requirements, which layer NIST 800-172 enhanced practices on top of Level 2 and are assessed directly by the government rather than a C3PAO.
2028: CMMC in Every Applicable Contract
The requirement extends across all relevant solicitations and contracts, including option-year renewals. By this point CMMC is simply the cost of doing business with the DoD.
Self-Assessment Was the Easy Part
The jump from Phase 1 to Phase 2 is bigger than it looks. Under self-assessment, you scored your own environment against NIST SP 800-171 and uploaded the result. Under Phase 2, a C3PAO walks your evidence, interviews your people, and tests your controls against all 320 assessment objectives behind the 110 Level 2 practices. A few realities catch contractors off guard:
Your SPRS score has to clear 88 out of 110 to certify with an open plan of action, and not every gap is forgivable — several high-weight practices can't be deferred to a POA&M at all.
Any items you do place on a POA&M must be closed within 180 days.
Certification lasts three years, but it comes with a standing obligation: continuous compliance, an annual senior-official affirmation, and notification to your contracting officer whenever you materially change a system that handles CUI.
The requirement flows down — your subcontractors need the same level of certification for any CUI you pass to them.
The Real Cost — and the Smarter Way to Cut It
Most contractors price CMMC as if they have to harden their entire corporate network. That's where the budget spirals. The smarter move is to pull CUI into a defined, isolated enclave so that only the enclave — not your whole company — falls inside the assessment boundary.
Shrink the Boundary, Shrink the Bill
When your CUI lives in an enclave built on FedRAMP High authorized infrastructure, a meaningful share of the 110 practices is satisfied below the application layer — and documented for your assessor before you start. Here's a sample of what the hosting foundation carries for you:
Physical access, monitoring, and environmental safeguards are implemented and documented at the infrastructure layer.
Boundary protection, network segmentation, and FIPS-validated encryption for CUI in transit and at rest are in place from day one.
Audit log generation, aggregation, and retention with SIEM connectivity are pre-configured and continuously maintained.
Continuous threat monitoring, malware defense, and vulnerability remediation run around the clock from our SOC.
System maintenance is performed and logged under documented procedures by cleared, U.S.-based personnel.
Hardened configuration baselines and automated drift detection keep the enclave in a known, assessable state.
Your Virtual Compliance Team — Already Included
Building CMMC readiness in-house usually means hiring talent that's scarce and expensive: a security engineer, a compliance lead, and someone who actually knows how a C3PAO assessment runs. With a GovDataHosting enclave, that team comes with the environment and operates as your virtual compliance department. Here's what they carry on your behalf:
We stand behind the infrastructure — fully.
Every GovDataHosting cloud infrastructure and platform service is guaranteed to meet government security assessment requirements. The infrastructure-layer controls in your CUI enclave are pre-implemented, continuously monitored, and documented for your assessor. You own the application and organizational controls — we handle everything below the application layer, so your C3PAO assessment starts from a known, defensible baseline.
Why Starting Now Is the Whole Game
There are tens of thousands of contractors who need Level 2 and a finite number of C3PAOs to assess them. A typical readiness effort runs six to twelve months before you're ready to sit for an assessment, and assessor calendars are already filling. The math is unforgiving: a contract awarded after November 10, 2026 that requires certification won't wait for you to get ready.
There's an upside for the prepared, though. Walking into a proposal with a defined CUI enclave and a documented path to certification is a discriminator — evaluators have been burned by contractors who underestimated compliance, and demonstrable readiness reads as lower risk. The firms that move now don't just avoid the bottleneck; they turn compliance into a reason to win.
"The contractors who treat CMMC as a scoping problem — not a network-wide project — are the ones who certify on time and on budget. Shrink the boundary, inherit what you can, and the rest gets manageable fast."
GovDataHosting Compliance Team
With 25+ years of federal experience and a track record across HHS, DHS, Treasury, the VA, and DOJ, our team has guided contractors through exactly this kind of scoping and assessment. The compliant enclave, the inherited controls, and the compliance guarantee are already in place. The only variable left is how soon you start.
Get to CMMC Level 2 Without the Complexity
Schedule your free CUI Enclave Scoping Assessment and find out exactly how small your assessment boundary can be — and how fast your team can be certification-ready on FedRAMP High infrastructure.