The CMMC Timeline Is Real: What Small Primes and Subs Need to Do Before Q4 2026
CMMC (Cybersecurity Maturity Model Certification) Level 2 requirements are now being written into Department of Defense contracts that handle CUI (Controlled Unclassified Information): a self-assessment today, and C3PAO certification once Phase 2 begins. The 32 CFR Part 170 Final Rule, published October 15, 2024 and effective December 16, 2024, locked the program requirements, and the 48 CFR rule that activated DFARS 252.204-7021 on November 10, 2025 started the enforcement clock. Small defense contractors who started compliance work in early 2025 are already behind. The window to close the gap before Q4 2026 contract requirements begin to disqualify non-compliant bidders is measured in months, not years. For a comprehensive overview, see CMMC Compliance for Small Defense Contractors: The Complete Guide.
DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012 has required NIST (National Institute of Standards and Technology) SP 800-171 implementation since its December 31, 2017 deadline. Most small primes and SDVOSB (Service-Disabled Veteran-Owned Small Business) subcontractors were never meaningfully audited against it. CMMC changes that. The DFARS 252.204-7021 clause introduces third-party verification that removes self-attestation as a viable long-term compliance posture. The question is not whether you need to comply. It is whether you have enough runway left to do it.
What Phase Is CMMC Actually in Right Now?
CMMC 2.0 is being rolled out in four phases tied to the DFARS 252.204-7021 clause. Understanding where the program stands determines how much time you have.
Phase 1 (November 10, 2025 through November 9, 2026, active now): Level 1 and Level 2 self-assessment requirements appear in new DoD solicitations, and DoD may at its discretion require a Level 2 C3PAO certification in place of a self-assessment. Contractors must submit a current SPRS (Supplier Performance Risk System) score at sprs.csd.disa.mil to be eligible for award. A score of 110 means every one of the 110 NIST SP 800-171 controls is fully implemented; each unimplemented control deducts 1, 3, or 5 points under the DoD Assessment Methodology. Most contractors score well below 110 and must document a POA&M (Plan of Action and Milestones) for unimplemented controls. Under 32 CFR 170.21 a POA&M is no longer an open-ended parking lot: the score must still reach at least 88, only certain lower-weighted controls may be placed on the POA&M, and open items must be closed within 180 days.
Phase 2 (November 10, 2026 through November 9, 2027): C3PAO (Certified Third-Party Assessment Organization) assessments become a condition of award for all Level 2 applicable contracts, although DoD may at its discretion defer the requirement to an option period. Level 2 certification by a C3PAO replaces self-attestation. The Cyber AB (the CMMC accreditation body, formerly the CMMC-AB) maintains the authorized C3PAO marketplace. This is the phase that matters most for small contractors pursuing DoD work in 2026.
Phase 3 (November 10, 2027 through November 9, 2028): Level 3 DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) government-led assessments begin. Level 3 is reserved for contracts involving information supporting critical programs and technologies. Most small primes will not encounter Level 3 requirements directly, but a small firm subcontracting on such a program can have them flowed down if it handles that information.
Phase 4 (November 10, 2028 onward): Full implementation across all DoD contracts touching CUI. Every DFARS-covered contract will require the appropriate CMMC level as a condition of award.
The Q4 2026 window is closing
C3PAO assessment lead times currently run 6 to 12 months from initial engagement to formal assessment completion. To hold a Level 2 certification in time for the November 10, 2026 Phase 2 effective date, a contractor must begin gap assessment work no later than May 2026. Most contractors who have not started are already at or past that threshold. The decision to act is not a future decision. It is a past-due one.
Why Is Q4 2026 the Critical Milestone for Small Primes?
Beginning November 10, 2026, C3PAO assessment requirements will flow through DoD solicitations that touch CUI, not just high-priority programs. Contracting officers will apply the CMMC level requirements to new solicitations as standard practice rather than as exceptions. A small prime that cannot produce a current Level 2 certification, or a subcontractor that cannot produce one when the prime requests it, will not be eligible for award. There is no waiver path a contractor can request; the rule allows only narrow, DoD-initiated waivers approved at the component level for mission reasons. The DoD CIO CMMC program office has been explicit that the phased rollout is a compliance ramp, not an extension of the deadline.
The math on lead times makes Q4 2026 the inflection point. Scheduling a C3PAO assessment requires an organization to have completed its SSP (System Security Plan), closed most POA&M items, and ideally passed at least one pre-assessment review. Getting from a gap assessment to that state takes, conservatively, two to three quarters for a small organization that starts from a partial NIST SP 800-171 baseline. Add 6 to 12 months of C3PAO scheduling lead time and you arrive at a start date that has already passed for most contractors who are not actively engaged in remediation today.
What Is the Realistic Remediation Sequence?
The path from wherever you are now to a completed C3PAO assessment follows a fixed sequence. Skipping steps does not compress the timeline. It creates assessment findings that require remediation and restarts the clock.
- Gap assessment against NIST SP 800-171 controls (Quarter 1): Enumerate every system in your assessment scope. Map each of the 110 controls against your current implementation. Document met, partially met, and not met. Compute an honest SPRS score using the DoD Assessment Methodology weights (start at 110, subtract 1, 3, or 5 points per unimplemented control). Do not inflate it. A knowingly inflated SPRS score is a False Claims Act exposure under 31 U.S.C. 3729.
- SSP documentation (Quarters 1-2): The SSP is the foundational document for a CMMC assessment. It describes your system boundary, the users and data the system handles, and the specific implementation of each control. Assessors spend more time in the SSP than anywhere else. A thin SSP will generate findings regardless of your technical implementation.
- POA&M for identified gaps (Quarter 2): Every unimplemented control requires a documented remediation plan, assigned owner, and estimated completion date. The POA&M is not a place to park controls indefinitely: under 32 CFR 170.21 a conditional Level 2 status requires open items to be closed within 180 days, and higher-weighted controls may not be on the POA&M at all. Assessors evaluate whether your POA&M items are being actively addressed or are parked with no progress.
- Technical control implementation (Quarters 2-3): MFA (Multi-Factor Authentication) on all accounts accessing CUI systems (3.5.3). FIPS (Federal Information Processing Standards) validated cryptography wherever cryptography protects the confidentiality of CUI, in transit and at rest (3.13.11). Audit log generation, per-user accountability, and a documented log review process for 3.3.1, 3.3.2, and 3.3.3. Documented incident response procedures for 3.6.1 and 3.6.2, and evidence the capability has been tested for 3.6.3. Malicious code protection and system monitoring evidence for 3.14.2 and 3.14.6. See our detailed SSH persistence analysis for what continuous monitoring actually needs to catch.
- SPRS score submission (Quarter 3): Update your SPRS score to reflect the completed implementation. A score submitted before controls are actually implemented is a liability. A score that accurately reflects your current posture, with a clean POA&M showing the path to 110, is a defensible compliance posture.
- C3PAO assessment scheduling and pre-assessment (Quarters 3-4): Engage a C3PAO listed on the Cyber AB marketplace. Most C3PAOs offer a pre-assessment or readiness review that identifies remaining gaps before the formal assessment. Use it. Finding a gap in a pre-assessment costs a few days. Finding the same gap during a formal assessment costs months.
- Formal C3PAO assessment (Quarter 4): The formal assessment produces a findings report and, if successful, a certification result that the C3PAO records in the DoD CMMC instance of eMASS, which feeds SPRS. Level 2 certification is valid for three years, but an Affirming Official must affirm continued compliance in SPRS annually, and lapsing that affirmation lapses the certification.
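The gap-assessment and SPRS-submission steps above both hinge on the same arithmetic: the DoD Assessment Methodology score and the 32 CFR 170.21 rules for whether a remaining POA&M is acceptable. The following is an added worked example written for this article (not a DoD, SPRS, or TDS-IS tool) that computes a score from a list of control findings and lists the blockers to a Conditional Level 2 result. The control weights in it are a partial subset recalled from Annex A of the DoD Assessment Methodology and must be verified against the current Annex; controls not in the table default to 1 point, and the sample findings are constructed for illustration.

```python
"""Added example: SPRS score arithmetic and CMMC Level 2 POA&M eligibility.

Illustrative code written for this article, not a DoD or SPRS tool. The
control weights are a partial subset recalled from Annex A of the DoD
NIST SP 800-171 Assessment Methodology; verify each value against the
current Annex before relying on it. Controls not listed default to 1
point here, so the computed score is only exact when every non-met
control in the input is in the table.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_SCORE = 110              # all 110 requirements implemented
MIN_CONDITIONAL_SCORE = 88   # 32 CFR 170.21: at least 80% of 110
POAM_CLOSE_DAYS = 180        # open POA&M items must close within 180 days
TODAY = date(2026, 4, 1)     # assessment date used by the sample run

# Partial, assumed weight table (see module docstring).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.3.2": 3, "3.4.1": 5, "3.4.2": 5,
    "3.5.3": 5, "3.6.1": 5, "3.6.2": 5, "3.6.3": 1, "3.13.11": 5,
    "3.14.2": 5, "3.14.6": 5,
}
# The methodology deducts 3 instead of 5 for these two when partially met:
# MFA covering only some users, or CUI encrypted with non-FIPS crypto.
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


@dataclass
class Finding:
    control: str                      # NIST SP 800-171 identifier, e.g. "3.3.1"
    status: str                       # "met", "partial" or "not_met"
    poam_opened: Optional[date] = None  # date the POA&M item was opened


def weight(control: str) -> int:
    return WEIGHTS.get(control, 1)


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one control."""
    if f.status == "met":
        return 0
    if f.status == "partial" and f.control in PARTIAL_CREDIT:
        return 3
    return weight(f.control)          # any other "partial" counts as not met


def sprs_score(findings: List[Finding]) -> int:
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_problems(findings: List[Finding], today: date) -> List[str]:
    """Reasons the assessment could not close as Conditional Level 2.

    Encodes three 32 CFR 170.21 rules: score >= 88; no control worth more
    than 1 point on the POA&M (3.13.11 with non-FIPS crypto is the one
    exception encoded here; the rule also names further controls that may
    never be on a POA&M); and no item open longer than 180 days.
    """
    problems = []
    score = sprs_score(findings)
    if score < MIN_CONDITIONAL_SCORE:
        problems.append(f"score {score} is below {MIN_CONDITIONAL_SCORE}")
    for f in findings:
        if f.status == "met":
            continue
        exempt = f.control == "3.13.11" and f.status == "partial"
        if weight(f.control) > 1 and not exempt:
            problems.append(f"{f.control} ({weight(f.control)} pts) cannot sit on a POA&M")
        if f.poam_opened is not None:
            age = (today - f.poam_opened).days
            if age > POAM_CLOSE_DAYS:
                problems.append(f"{f.control} POA&M item open {age} days")
    return problems


# Constructed sample gap-assessment output for a small CUI enclave.
SAMPLE = [
    Finding("3.1.1", "met"),
    Finding("3.3.1", "met"),
    Finding("3.3.3", "not_met", date(2026, 3, 1)),    # log review: 1 pt
    Finding("3.6.3", "not_met", date(2025, 9, 1)),    # IR testing: 1 pt, stale
    Finding("3.13.11", "partial", date(2026, 3, 1)),  # non-FIPS TLS: 3 pts, allowed
    Finding("3.5.3", "partial", date(2026, 3, 1)),    # MFA gaps: 3 pts, not allowed
    Finding("3.4.1", "not_met", date(2026, 3, 1)),    # no baseline: 5 pts, not allowed
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for p in poam_problems(SAMPLE, TODAY):
        print("blocker:", p)
```

The sample scores 97, comfortably above 88, yet it still cannot close as Conditional Level 2: two of its open items are on 5-point controls and one 1-point item has been open for more than 180 days. That is the distinction the list above draws between a score that is "defensible" and a POA&M that is actually acceptable.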
Where Do Small Contractors Actually Fail?
The controls that generate findings in CMMC pre-assessments are not exotic. They are the controls that require sustained operational discipline rather than one-time technical configuration.
The audit family fails first. Organizations have logging turned on (3.3.1) but cannot trace actions to individual users (3.3.2), and have no documented review process and no evidence that logs are actually being examined (3.3.3 and 3.3.5). An assessor will ask to see log review records, not just that a SIEM (Security Information and Event Management) is running. Controls 3.4.1 and 3.4.2 (baseline configurations and enforced configuration settings) fail because organizations have no documented baseline for their CUI systems, which means any deviation from the secure configuration is undetectable. Controls 3.6.1 and 3.6.2 (incident response) fail alongside 3.6.3 because the incident response plan exists as a document that has never been tested. Assessors ask for tabletop exercise records or actual incident documentation. The threat context for why 3.14.6 matters is not theoretical: adversaries are actively operating persistence techniques that a passive logging posture cannot catch.
Control 3.13.11 (FIPS-validated cryptography) fails because organizations are running TLS 1.2 or TLS 1.3 on cryptographic modules that are not FIPS 140 validated, or cannot prove that they are, often because their cloud provider or SaaS application has not published a validation certificate for the module actually in use. The protocol version is not what is validated; the module and its operating mode are. The NIST Cryptographic Module Validation Program (CMVP) database is the authoritative source for validated modules, and the certificate number for each module in scope belongs in the SSP. Controls 3.14.2 (malicious code protection) and 3.14.6 (system monitoring) fail because organizations conflate having an endpoint protection product with having a monitoring program. The controls require documented procedures, a monitoring frequency, and evidence of review. Having software installed does not satisfy them.
None of these are expensive to fix. They are labor-intensive to document. That is where small contractors most often underestimate the work.
What About Flowdown to Subcontractors?
Primes must flow the CMMC requirement down to any subcontractor that handles CUI, in any form, at any tier, at the level appropriate to the information the subcontractor receives. This is not optional and it is not negotiable. The DFARS 252.204-7021 clause requires it explicitly. If a prime's subcontractor cannot meet its required level, the prime cannot demonstrate the security of its own supply chain, which is a condition of the prime's own contract performance.
This is creating significant pressure on SDVOSB teaming relationships. Prime contractors pursuing large CUI-intensive programs are conducting subcontractor due diligence at a level they have not applied since the early days of DFARS 252.204-7012. A small SDVOSB with no documented SSP, a non-existent SPRS score, and no C3PAO engagement is not a viable teaming partner for a prime that needs to certify their supply chain before the next solicitation closes. The capability gap in SDVOSB set-aside competitions will widen as CMMC assessment requirements become standard in solicitations: firms that have invested in compliance infrastructure will have a material advantage over firms that have not.
Our separate piece on handling CUI in an AI-assisted environment without creating supply chain exposure describes an enclave approach that is also relevant to how small primes should think about scoping their CMMC assessment boundary. Narrowing the boundary through enclave architecture can reduce assessment cost and complexity substantially.
What If You Are Genuinely Behind?
Start with scope triage. Not every piece of work a defense contractor does involves CUI. A firm with five active contracts may have CUI on two of them. Scope the CMMC assessment to only the systems and people that touch CUI. A tightly scoped assessment on two contracts is faster to complete and cheaper to certify than a full-enterprise assessment.
If full compliance within the timeline is not achievable, talk to your prime and contracting officer now rather than at proposal time. Contracting officers cannot grant CMMC waivers (the rule reserves waivers to senior DoD approval for mission reasons), but they can work with contractors on transition plans for existing contracts. New award is a different matter. You cannot bid on a CMMC-required solicitation without the required assessment result in SPRS.
The CUI Registry at archives.gov/cui is the authoritative source for what qualifies as CUI. Some contractors discover that data they assumed was CUI is not, and some discover the opposite. A clean scope determination before beginning the SSP can save significant remediation work.
The program is real. The timeline is fixed in federal regulation. The contractors who act before Q4 2026 will be positioned to bid. The ones who wait for the contract requirement to appear in a solicitation before they start will not be eligible for that solicitation or the next several after it.
Is your organization assessment-ready for CMMC Level 2?
TDS-IS works with small defense primes and SDVOSB subcontractors on CMMC readiness, gap assessments, SSP documentation, and managed security services that satisfy NIST SP 800-171 continuous monitoring requirements. We are an SDVOSB with active DoD exposure and we understand the supply chain pressures that prime contractors are applying to their subcontractor base.
Request Our Capability Statement