Mandatory third-party assessments arrive in DoD contracts on November 10, 2026. Here is the six-step path from "we think we're close" to a certificate you can put in a proposal.
The deadline that changes everything
For years, "CMMC" lived in the future tense. That is over. The CMMC acquisition rule that puts the requirement directly into Department of Defense contracts took effect on November 10, 2025, and the program phases in over three years.
The date most contractors should circle is November 10, 2026. That is when Phase 2 begins and the bar rises from a self-attestation to a certification assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO) for the majority of contracts that involve Controlled Unclassified Information (CUI). DoD estimates that roughly 8,350 medium and large entities will need that third-party certification as a condition of award.
In plain terms: if your contracts touch CUI and you are not assessment-ready by late 2026, you risk being ineligible to bid or to take an option year. A roadmap built today is the difference between competing and sitting out.
CMMC Level 2 is not a new standard. It is NIST SP 800-171, with an auditor in the room. If you have ever been through a federal A&A, you already know most of the muscles.
What Level 2 actually requires
CMMC Level 2 maps directly to the 110 security requirements of NIST SP 800-171, organized into 14 control families - access control, audit and accountability, configuration management, identification and authentication, incident response, system and communications protection, and more.
Three things are worth internalizing before you start:
- The SPRS score is the currency. Your NIST 800-171 self-assessment produces a score (maximum 110) that lives in the Supplier Performance Risk System. Assessors and contracting officers look at it. Inflated scores are the fastest way to fail.
- Every control needs an answer. For Level 2, all 110 must be addressed. A limited number can sit on a POA&M at assessment time, but only within strict limits - the most critical controls cannot.
- Evidence beats intent. "We have a policy" is not the same as "here is the policy, the configuration that enforces it, and the log that proves it ran." Assessors verify, they don't assume.
The six-step readiness roadmap
This is the sequence KSG uses to take an organization from uncertainty to a defensible assessment. The order matters - scoping mistakes early cost the most later.
- Scope the CUI boundary. Map where CUI is stored, processed, and transmitted, and draw the assessment boundary tightly around it. Over-scoping is the most common and most expensive error; pulling your entire enterprise into scope can multiply the cost of certification for no benefit.
- Run an honest gap assessment against all 110 controls. Score every requirement as met, partially met, or not met, with the rationale. The deliverable is a clear scorecard and your current SPRS score - the truth you build everything else on.
- Write the System Security Plan (SSP). The SSP describes how each of the 110 controls is implemented in your environment. It is the single most scrutinized artifact in an assessment, and a missing or thin SSP is grounds for failure on its own.
- Remediate by priority. Close gaps in order of risk and assessment weight, capturing the rest in a realistic POA&M with owners and dates. Technical fixes (MFA, encryption, logging), policy fixes, and documentation fixes all count.
- Generate evidence and lock the SPRS score. For each control, assemble the artifacts an assessor will ask for: configurations, screenshots, policies, training records, logs. Re-score and post an accurate SPRS number.
- Run a pre-assessment (mock audit). Have an independent reviewer walk the controls as a C3PAO would, including interviewing your staff. Surprises should happen here, in a dry run - not in the assessment that decides your eligibility.
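As an added example (not code from the KSG article), here is the scorecard arithmetic behind steps 2 and 4: a small Python check that turns a gap-assessment scorecard into an SPRS score using the DoD Assessment Methodology weights (1, 3 or 5 points deducted per unmet requirement, with partial credit only for 3.5.3 and 3.13.11) and flags POA&M entries that the CMMC rule in 32 CFR 170.21 does not allow. The per-requirement weights come from the published methodology table and are supplied by the caller; the findings in SAMPLE are constructed.

```python
from dataclasses import dataclass

MAX_SCORE = 110        # all 110 NIST SP 800-171 requirements implemented
MIN_POAM_SCORE = 88    # 32 CFR 170.21: score must be >= 0.8 x 110 for a conditional certification
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}  # excluded from any POA&M by the rule
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}  # only requirements the DoD methodology scores at 3 instead of 5

@dataclass
class Finding:
    req: str               # NIST SP 800-171 requirement id, e.g. "3.5.3"
    status: str            # "met", "partial" or "not_met" from the gap assessment
    weight: int            # 1, 3 or 5 points, taken from the DoD Assessment Methodology table
    on_poam: bool = False  # the organization intends to defer this item to the POA&M

def deduction(f: Finding) -> int:
    """Points subtracted for one finding; anything short of fully met counts as not implemented."""
    if f.status == "met":
        return 0
    if f.status == "partial" and f.req in PARTIAL_CREDIT:
        return 3       # MFA for remote/privileged only, or non-FIPS encryption in place
    return f.weight    # every other partial implementation loses the full weight

def sprs_score(findings) -> int:
    return MAX_SCORE - sum(deduction(f) for f in findings)

def poam_problems(findings) -> list:
    """Reasons this POA&M would not survive a C3PAO assessment (empty list = acceptable)."""
    problems = []
    score = sprs_score(findings)
    if score < MIN_POAM_SCORE:
        problems.append(f"score {score} is below {MIN_POAM_SCORE}; no conditional certification")
    for f in findings:
        if not f.on_poam or f.status == "met":
            continue
        if f.req in NEVER_ON_POAM:
            problems.append(f"{f.req} can never be deferred to a POA&M")
        elif deduction(f) > 1 and not (f.req == "3.13.11" and deduction(f) == 3):
            problems.append(f"{f.req} is worth {deduction(f)} points and must be closed before assessment")
    return problems

# Constructed scorecard excerpt: sprs_score(SAMPLE) -> 97; poam_problems(SAMPLE) flags 3.3.1 and 3.1.20
SAMPLE = [
    Finding("3.1.1", "met", 5),
    Finding("3.5.3", "partial", 5),                  # MFA for remote/privileged users only: -3
    Finding("3.13.11", "partial", 5, on_poam=True),  # encryption in place but not FIPS-validated: -3, POA&M ok
    Finding("3.3.1", "not_met", 5, on_poam=True),    # 5-point control parked on the POA&M: not allowed
    Finding("3.1.20", "not_met", 1, on_poam=True),   # 1 point, but on the never-defer list
    Finding("3.3.3", "not_met", 1, on_poam=True),    # 1 point and not excluded: allowed
]
```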
The shared-responsibility trap
If you run in the cloud or use a managed IT provider, some controls are theirs and some are yours. Get a written responsibility matrix early. "We assumed the cloud covered it" is one of the most common reasons a confident organization fails its assessment.
Five pitfalls to avoid
- Over-scoping. Treating the whole company as in-scope instead of isolating the CUI environment.
- A self-graded SPRS score that won't survive scrutiny. Optimistic scoring feels good until an assessor asks for the evidence.
- Treating the SSP as a formality. It is the spine of the assessment, not paperwork to generate at the end.
- POA&M as a parking lot. Deferring controls that cannot be deferred, or filling a POA&M with no real owners or dates.
- Starting too late. Remediation takes time - procuring tools, changing configurations, and building habits cannot be compressed into the final weeks.
How long it takes - and why now
A typical readiness-to-certification effort runs 6 to 12 months, depending on the size of your CUI environment and how far your current controls are from the standard. Working backward from November 10, 2026, the organizations that will be ready are the ones scoping and gap-assessing now.
KSG has delivered the exact disciplines a C3PAO looks for - controls assessment and authorization, SSP and POA&M development, and continuous monitoring - for federal and state agencies since 2016, as an ISO 27001-certified firm led by CISSP, CISA, and CRISC practitioners. CMMC Level 2 is the same work, pointed at the same standard, with certification at the end.
If you want to know exactly where you stand against the 110 controls, the fastest first step is a scoped gap assessment. That single deliverable tells you your real SPRS score, your remediation list, and a credible timeline.