
CMMC Phase 2 Deadline Is November 2026: What Texas Defense Contractors Must Do Now

Infonaligy

76,000 organizations need CMMC certification and only 80 assessors exist. Texas defense contractors must act now to meet the November 2026 deadline.

The CMMC Phase 2 rule takes effect in November 2026. If your company holds DoD subcontracts and you haven’t started preparing, you are already behind. Roughly 76,000 organizations in the defense industrial base need certification, and fewer than 80 Certified Third-Party Assessor Organizations (C3PAOs) are currently authorized to conduct assessments. The math does not work in your favor, and every month you wait makes it worse.

This post is written for the owner of a 100-person manufacturing company with DoD subcontracts. You don’t need to become a cybersecurity expert. You need to understand what’s coming, what it costs, and what to do this month.

The Assessor Bottleneck You Can’t Ignore

The DoD finalized the CMMC Program rule (32 CFR Part 170) in October 2024, with Phase 1 already underway. Phase 2, which requires third-party assessments for Level 2 certification, kicks in at the one-year mark in November 2026.

The capacity problem is straightforward. The Cyber AB has authorized a small number of C3PAOs to date. According to industry analysis from Ridge IT and TSI Support, the current count sits around 80 organizations nationwide. Meanwhile, an estimated 76,000 companies need Level 2 certification because they handle Controlled Unclassified Information (CUI).

Even if every C3PAO ran assessments back-to-back with zero downtime, each organization would wait months for an open slot: roughly 76,000 organizations spread across about 80 assessors works out to nearly 950 assessments per C3PAO. A typical Level 2 assessment takes one to three weeks depending on your organization’s size and complexity, and assessor capacity isn’t scaling fast enough to absorb the demand before the deadline.

If you wait until summer 2026 to start, you won’t be scheduling an assessment. You’ll be joining a waitlist.

Level 1 or Level 2: How to Decide

Not every defense contractor needs Level 2. The distinction comes down to what type of information flows through your systems.

Level 1 (Self-Assessment) applies if your company only handles Federal Contract Information (FCI). FCI is information provided by or generated for the government under a contract that isn’t intended for public release. If you’re a subcontractor manufacturing parts to a spec but you never receive engineering drawings marked CUI, you may qualify for Level 1. This level requires 15 basic security practices aligned with FAR 52.204-21, and you can self-assess annually.

Level 2 (Third-Party Assessment) applies if your company handles Controlled Unclassified Information. CUI includes technical drawings, test data, specifications, and other sensitive but unclassified information the DoD marks for protection. Most manufacturing subcontractors working from government-furnished technical data packages will fall into Level 2. This level maps directly to all 110 security requirements in NIST SP 800-171 Rev 2 and requires a C3PAO assessment every three years.

The fastest way to determine your level: review the DFARS clause 252.204-7012 in your contracts and check whether CUI flows through your environment. If you’re unsure, your prime contractor’s compliance team can confirm. Don’t guess on this. Getting it wrong wastes months of preparation aimed at the wrong target.

What a Gap Assessment Covers and Where POA&Ms Fall Short

Once you know your required level, the next step is a gap assessment against the 110 NIST SP 800-171 controls. These controls span 14 families: access control, incident response, audit and accountability, system and communications protection, and ten others.

You don’t need to memorize all 110 controls. NIST publishes the full requirements in SP 800-171 Rev 2, and your assessor or MSP will walk through each one with you. A gap assessment evaluates your current security posture against every applicable control and produces a detailed report showing what you meet, what you partially meet, and what you’re missing entirely.

Here’s where many contractors get tripped up: Plans of Action and Milestones (POA&Ms). Under CMMC 2.0, POA&Ms are permitted for Level 2, but the guardrails are strict. According to analysis from Elevate Consult and E-N Computers, you cannot use POA&Ms on certain high-weight controls, all POA&Ms must be closed within 180 days of your assessment, and carrying too many open items can still result in a failing score. A POA&M is not a free pass. It’s a commitment to fix a specific gap on a specific timeline, and assessors will evaluate whether your plan is credible.

The bottom line: you cannot walk into a C3PAO assessment with a dozen unresolved controls and expect POA&Ms to carry you. Remediation needs to happen before the assessment, not after.

Budgeting for Assessment, Remediation, and Ongoing Costs

CMMC compliance has three cost layers, and underestimating any of them puts your timeline at risk.

Gap assessment: A professional gap assessment from a qualified consultant or MSP typically runs $15,000 to $30,000 for a 100-person organization. This produces your remediation roadmap and prioritized action list.

Remediation: This is usually the largest line item. Depending on your current security posture, remediation can range from $50,000 to $200,000 or more. Common investments include:

Organizations with mature IT environments will land on the lower end. Companies still running legacy systems without centralized management will spend significantly more.

C3PAO assessment: The formal third-party assessment typically costs $50,000 to $100,000 depending on your scope and the assessor organization. This is a fixed cost you cannot avoid for Level 2.

Ongoing compliance: CMMC certification is valid for three years, but maintaining compliance requires continuous monitoring, annual self-assessments, and regular policy updates. Budget $2,000 to $5,000 per month for managed security services that keep your controls active and documented between assessment cycles.

Factor these numbers into your 2026 and 2027 operating budgets now rather than scrambling for approval in Q3.

Your 7-Month Timeline: April Through November 2026

Seven months is workable if you start this month. Delay further and you’re gambling with your DoD contracts.

April 2026: Determine your required CMMC level. Review contracts for DFARS 252.204-7012 clauses. Engage your MSP or a CMMC consultant. If your current IT provider doesn’t have specific CMMC experience, start searching for one that does.

May 2026: Complete your gap assessment against all 110 NIST SP 800-171 controls. Get your findings report and prioritized remediation roadmap. Begin contacting C3PAOs to reserve an assessment slot for Q4. Do not wait on this.

June 2026: Finalize your remediation plan and secure budget approval. Begin procurement for any new tools or infrastructure. Start developing required policies and documentation.

July and August 2026: Execute remediation. Deploy technical controls, implement new processes, conduct security awareness training, and build your evidence documentation. This is the most labor-intensive phase and the one most likely to slip without dedicated project management.

September 2026: Run an internal readiness review. Validate every control against NIST SP 800-171 requirements. Close gaps in documentation. Identify any remaining items that may require POA&Ms and confirm they meet the allowable criteria.

October 2026: Confirm your C3PAO assessment date. Complete any final remediation. Package your System Security Plan (SSP) and supporting evidence for the assessor.

November 2026: Complete your C3PAO assessment and receive your certification determination.

One critical note: reach out to C3PAOs in May, not October. Assessment scheduling is first-come, first-served, and the calendar will tighten dramatically as the deadline approaches.

Start the Conversation With Your MSP This Month

If you’re running a manufacturing operation with 100 employees and DoD subcontracts, CMMC compliance is not something your internal IT team can handle alone. The 110 NIST SP 800-171 controls require specialized knowledge in access management, encryption, incident response, audit logging, and continuous monitoring.

The right MSP brings CMMC experience, established toolsets, and the ability to manage your compliance posture on an ongoing basis. The wrong one will treat this like a standard IT project and leave you unprepared at assessment time.

Infonaligy supports CMMC readiness as part of our compliance services. We work with Texas defense contractors to run gap assessments, build remediation roadmaps, implement technical controls, and prepare organizations for C3PAO assessment. If you already have an MSP, make sure they can walk you through the 14 NIST control families and explain your POA&M options. If they can’t, it’s time for a different conversation.

For a deeper overview of CMMC levels and what each requires, see our complete CMMC compliance guide for Texas defense contractors.

Need Help Meeting the CMMC Deadline?

Our compliance team can assess your current posture against NIST 800-171 and build a remediation roadmap that gets you to certification before November.

Tags: cmmc, compliance, cybersecurity, defense-contractors, nist-800-171