It’s June 2026. CMMC Phase 1 has been in effect for seven months. Phase 2 — the moment third-party C3PAO certification becomes mandatory for most contracts involving Controlled Unclassified Information — arrives November 10, 2026. That’s less than five months away. And the capacity math has gotten ugly: fewer than 600 Certified CMMC Assessors exist today against a projected need of 2,000–3,000, the roughly 80 authorized C3PAOs are now serving over 80,000 contractors who need Level 2 certification, and industry analysts are projecting wait times to exceed 18 months for new clients by Q3 2026.

Translation: if you’re a DoD subcontractor anywhere in Orange County — Anaheim, Irvine, Fullerton, Santa Ana — and you haven’t already started serious C3PAO preparation, the ability to book an assessment for the Q4 2026 enforcement window is essentially closed. The decisions you make in the next 90 days will determine whether your business is still in the defense supply chain in 2027.

Here’s the full CMMC enforcement timeline 2026, what Phase 2 actually changes for subcontractors specifically, and what every defense subcontractor must have ready before Q4.

Nov 10, 2026
Phase 2 begins — mandatory C3PAO certification for most CUI contracts
< 600
Certified CMMC Assessors in existence (vs. 2,000–3,000 needed)
~80
authorized C3PAOs serving 80,000+ contractors
18 months
projected C3PAO wait time for new clients by Q3 2026

The four-phase CMMC enforcement timeline 2026, plainly

The Department of Defense finalized CMMC under 32 CFR Part 170 in December 2024, with the implementing DFARS rule (48 CFR) taking effect November 10, 2025. The rollout is phased across three years, four phases, each starting one year after the last. Here’s exactly what each phase means:

Phase 1 — November 10, 2025 (in effect): Contracting officers began including CMMC Level 1 and Level 2 self-assessment requirements in applicable solicitations and contracts. Self-attested SPRS scores are now required for award. DoD also has discretion to require Level 2 C3PAO certification in select Phase 1 procurements — and is doing so.

Phase 2 — November 10, 2026 (less than five months away): The big one. Mandatory C3PAO Level 2 certification becomes a requirement for most contracts involving CUI. Self-attestation is no longer sufficient for these contracts. DoD also begins incorporating Level 3 (government-led) assessment requirements into a limited number of high-priority procurements. This phase runs through November 10, 2027.

Phase 3 — November 10, 2027: Level 3 certification requirements expand significantly. Most contracts handling sensitive CUI involve full government-led assessments.

Phase 4 — November 10, 2028 (full implementation): CMMC requirements apply universally to every applicable DoD contract handling FCI or CUI, including renewals and option periods on existing contracts. The transition window closes.

What Phase 2 actually changes for subcontractors

Most of the noise about CMMC has been pitched at primes. The subcontractor reality is messier and, in several specific ways, more dangerous. Three rules every OC defense subcontractor needs to understand cold:

The CMMC level required of a subcontractor follows the data it handles — not the prime’s level. If your prime is certified at Level 2 but flows you information that only constitutes Federal Contract Information (FCI), you may only need Level 1. Conversely, if a Level 1 prime flows CUI down to you (which can happen in poorly-scoped contracts), you need Level 2 regardless of what your prime carries. The DoD does not let the prime’s level shield the subcontractor.

The obligation flows with the data, not with the conversation. Subcontractors are routinely surprised by this. If a prime flows CUI to your environment, your compliance obligation attaches at the moment that data arrives — not when the prime gets around to formally notifying you. The DoD has been explicit that supply chain enforcement is a stated priority. Primes are already issuing compliance demands to their suppliers ahead of Phase 2; if your prime hasn’t asked yet, that’s a delay, not a reprieve.

The first FCA enforcement action against a subcontractor has already been brought. The False Claims Act enforcement pattern that started with MORSE Corp’s $4.6M settlement and Health Net’s $11.25M settlement has now extended downward. Subcontractors whose SPRS scores don’t match reality face the same civil liability — treble damages, per-claim penalties, and qui tam exposure. The “we’re just a small sub” defense doesn’t exist.

Red flag: If your prime hasn’t sent you a flow-down letter, that doesn’t mean you’re outside the scope. The obligation attaches to the data, not the documentation. Many subcontractors handling CUI today will not receive an explicit prime notice — and will discover their non-compliance during the prime’s next supplier review or, worse, during an FCA investigation triggered by a breach.

Where you should be at each milestone

Milestone Where you should be What happens if you aren’t
Today (June 2026) Gap assessment done; remediation 50%+ complete; C3PAO booking secured Schedule risk for Nov 2026 enforcement; bid eligibility threatened
Q3 2026 (July–Sept) Remediation complete; assessment in progress or scheduled C3PAO backlog likely makes Q4 certification impossible
Q4 2026 (Oct–Dec) — Phase 2 begins Nov 10 Level 2 C3PAO certification active; SPRS updated Locked out of new CUI contract awards
2027 (Phase 2 mid-rollout) Continuous monitoring + annual affirmation maintained Existing contracts at risk during option periods
Nov 10, 2027 (Phase 3) Level 3 prep underway if handling sensitive CUI Higher-tier contracts move to certified competitors
Nov 10, 2028 (Phase 4 — full implementation) All DoD work fully covered, every option period included Practical exit from the defense market

What’s actually required to pass Phase 2

Three deliverables, and they need to be accurate rather than aspirational:

Your SPRS score must reflect reality. Inflated self-scores are the single most common driver of FCA enforcement in the CMMC era. If you submitted a 95 in SPRS last year and your real posture is a 40, that gap doesn’t just mean a failed assessment — it means a documented allegation that you misrepresented your security posture across every contract award since. Correct an inaccurate score now, not when the C3PAO finds it.

Your evidence must be demonstrable. This is where most CMMC efforts collapse. A System Security Plan that describes how a control “should” work isn’t enough. The C3PAO will ask for logs, configurations, screenshots, training records, access reviews — the operational evidence that the controls in your SSP are actually functioning. Policies that say one thing while system behavior shows another is the most common reason assessments fail.

Your POA&M must qualify. Plans of Action and Milestones can address some gaps — but the rules are restrictive. Your overall score must be 88 or higher to even be eligible for a conditional certification. Only certain low-weight controls qualify for POA&M treatment. Six specific controls are entirely excluded from POA&M eligibility. The conditional certificate expires at 180 days — miss the deadline and you lose the certification entirely. POA&M is a finishing tool, not a substitute for implementation.

The capacity crisis nobody is solving in time

The structural math is now the most pressing single issue for unprepared subcontractors. The Cyber-AB has authorized roughly 80 C3PAOs nationwide. There are fewer than 600 Certified CMMC Assessors. Industry consensus is that 2,000–3,000 assessors will eventually be needed to meet certification volume. Many existing C3PAOs are already booked through the end of 2026 — meaning the wait time for a new client booking is, in mid-2026, already crossing six to twelve months for the better assessors, with projections reaching 18+ months by Q3.

For a subcontractor that hasn’t started remediation, the timeline math is brutal: 6–12 months of remediation work, then 3–6 months waiting for a C3PAO, then 1–3 months actually undergoing the assessment. That’s a 10–21 month total cycle, beginning today, with Phase 2 enforcement five months away. The contracts that flow CUI to your business are not going to wait.

Key takeaway: The CMMC enforcement timeline 2026 doesn’t care whether you intended to be ready. Phase 2 begins November 10. The contracting officer is required not to award a contract to an offeror that doesn’t meet the CMMC requirements in the solicitation. There’s no informal grace period. There’s no “we’re working on it” allowance. The math is now the math, and the C3PAO calendar is the binding constraint for most subcontractors.

The 90-day playbook every OC subcontractor needs to run, starting now

Realistically, what does the next 90 days look like for an unprepared subcontractor? The honest sequence:

  • Determine your CMMC level requirement, in writing. Pull every active DoD contract and subcontract. Identify whether each handles FCI, CUI, or neither. The level you need follows the highest sensitivity data flowing into your environment — not the prime’s level.
  • Run a real gap assessment against NIST 800-171’s 110 controls. Not an internal checklist. Not a vendor’s tool with marketing-grade scoring. An honest assessment by someone whose answer is allowed to be embarrassing. The defensible low score beats the fictional high one.
  • Fix your SPRS score if it’s wrong. Inflated scores correct slowly through remediation; misrepresentations correct quickly through FCA enforcement. Choose accordingly.
  • Book a C3PAO immediately. Even if your remediation isn’t complete. The booking window for late 2026 and early 2027 is closing rapidly. Some C3PAOs will hold preliminary slots tied to remediation milestones.
  • Sequence remediation by impact and audit visibility. Multi-factor authentication everywhere, access control, audit logging, encryption, incident response — the controls assessors test first. Documentation and evidence collection runs in parallel.
  • Build evidence capture into operations. The goal is not to produce evidence the week before assessment. The goal is for evidence to be generated continuously as a byproduct of how your systems run.
  • Engage a CMMC-experienced IT and security partner if you don’t have one. A real CMMC compliance partner for Orange County defense subcontractors compresses a 12-month effort into 6 months because they’ve already done it for similar businesses. At this point in the timeline, that compression is the difference between certified and not.

The honest version

The CMMC enforcement timeline 2026 is not theoretical anymore. Phase 1 is operational. Phase 2 is five months out. The first FCA enforcement actions against subcontractors have already been filed. The C3PAO capacity crunch is real and getting worse. And the November 10, 2028 horizon for full implementation means even subcontractors who scrape through Phase 2 will face an expanded compliance footprint within 24 months.

The honest truth for any OC subcontractor who hasn’t started is this: you may not make Q4 2026. That doesn’t mean you abandon defense work — it means you need to know exactly where you stand, what’s recoverable, and what timeline you’re actually working against. The first call is a gap assessment. Everything else follows from that.

Find out where you actually stand against Phase 2 — before November 10.

Intelecis has been helping Orange County defense subcontractors prepare for and pass CMMC assessments since well before CMMC 2.0 was finalized. NSA-Accredited, with documented experience across NIST 800-171, DFARS 252.204-7012, and the full CMMC Level 2 framework. Book a free CMMC readiness assessment and we’ll show you, in writing, exactly where you stand — and whether Q4 2026 is still achievable.

Get Your Free CMMC Assessment →

📞 949-266-2088 · Fullerton, CA · NSA-Accredited · Serving OC since 2010

Related reading:
CMMC Compliance Services for OC Defense Contractors ·
CMMC 2026: The Contract Game-Changer for Manufacturers ·
CMMC Self-Assessment vs C3PAO Audit: What Contractors Are Getting Wrong ·
What Happens to Production When Ransomware Hits a Factory — Hour by Hour ·
Schedule Your Free CMMC Assessment