CMMC Phase 2: What Dallas Contractors Need by Nov 2026

Phase 2 of CMMC begins November 10, 2026, shifting most defense contractors from self-attestation to a mandatory third-party (C3PAO) assessment of all 110 NIST SP 800-171 controls. This guide breaks down what changes, who is affected in the Dallas defense corridor, what certification really costs, and the 12-month readiness plan to beat the assessor backlog.

There is a date circulating through every defense contractor's inbox right now: November 10, 2026. Some vendors describe it as a cliff edge — the day self-attestation dies and the entire Defense Industrial Base must hold a third-party certificate or lose the right to bid. That framing is wrong in the details and right in the urgency. Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) program does not flip a switch across all 80,000-plus contractors at once. It changes which clause a contracting officer is authorized to place in a new solicitation — and once that clause appears, a certified assessment is a condition of award, not a goal for next year [Strikegraph].

For the Dallas–Fort Worth defense corridor — one of the densest concentrations of aerospace, manufacturing, and logistics suppliers in the country — the practical takeaway is the same regardless of how you read the calendar: if your organization handles Controlled Unclassified Information (CUI) under a Department of Defense contract, the runway to a passing assessment is measured in quarters, not weeks. This guide explains exactly what Phase 2 changes, who it affects, what the 110 controls demand, what certification costs, and the readiness plan a North Texas contractor should already be executing.

✓ Key Takeaways

  • Phase 2 begins November 10, 2026. From that date, DoD contracting officers can require a full CMMC Level 2 third-party (C3PAO) certification as a condition of contract award for solicitations involving CUI [Strikegraph].
  • Self-attestation is no longer enough for most CUI work. A passing self-assessment in SPRS satisfied Phase 1; Phase 2 shifts the default to an independent assessment validating all 110 NIST SP 800-171 controls [DoD CIO].
  • Readiness takes 6–12 months and assessor capacity is constrained — fewer than 100 authorized C3PAOs serve a backlog of tens of thousands of contractors, with lead times of 9–12 months [BitLyft].
  • Budget realistically. First-cycle certification commonly runs $138,000–$285,000 once preparation, remediation, and the assessment itself are combined [PreVeil].
  • The clock is contract-driven, not universal. You are affected the moment a covered clause lands in a solicitation you intend to bid — which for many DFW suppliers is well before the headline date.

What Actually Changes on November 10, 2026

CMMC is implemented through two federal rules. The 32 CFR program rule, effective December 16, 2024, defined the framework, the assessment levels, and the certification ecosystem [Federal Register]. The 48 CFR acquisition rule — published September 10, 2025 and effective November 10, 2025 — is the one that gives the framework teeth. It amends the Defense Federal Acquisition Regulation Supplement (DFARS) so contracting officers can insert clause 252.204-7021 into solicitations. Once that clause is present, holding the required CMMC status becomes a condition of award and of continued performance [BDO].

The DoD chose a deliberately phased rollout over four years so the assessor ecosystem could scale and contractors could prepare. Understanding the phases is the difference between panicking about a single date and planning around the date that actually applies to your contracts.

[Figure: CMMC phases in to defense contracts over four years — Phase 2 is the point where third-party certification becomes the default for CUI work.]

  1. Phase 1 — Began November 10, 2025. Contracting officers may require Level 1 or Level 2 self-assessments for new contracts. Program managers retain discretion to require a full C3PAO assessment early, but self-attestation in SPRS is the baseline.
  2. Phase 2 — Begins November 10, 2026. The inflection point. Contracting officers can require a full CMMC Level 2 C3PAO certification as a condition of award for contracts involving CUI. Self-attestation is no longer sufficient for most covered work.
  3. Phase 3 — Begins November 10, 2027. Adds Level 3 certification requirements for the most sensitive programs, assessed by the government's DIBCAC rather than a commercial C3PAO.
  4. Phase 4 — Begins November 10, 2028. Full implementation. CMMC requirements apply to all applicable DoD solicitations and contracts, including options exercised on existing awards.

Two nuances trip up Dallas contractors. First, Phase 2 is permissive, not automatic: the rule authorizes certification requirements, and the DoD has signaled it will scale them onto solicitations as assessor capacity allows — meaning some contracts will demand a certificate the day Phase 2 opens, while others phase in later. Second, the requirement attaches to the solicitation, not to your calendar. If a prime flows CUI down to you on a re-competed contract in early 2027, you need a current certificate at award, full stop.

Who Phase 2 Hits in the Dallas Defense Corridor

Texas hosts one of the largest defense supplier bases in the nation, spanning aerospace primes, precision manufacturers, engineering and logistics firms, and the IT and energy companies that support them. The Dallas–Fort Worth metroplex sits at the center of that base. Phase 2 reaches far beyond the household-name primes — it follows the data downstream to every subcontractor that touches CUI in performance of a contract [DoD CIO].

Definition

Controlled Unclassified Information (CUI)

Government-created or -owned information that requires safeguarding under law, regulation, or policy but is not classified. In defense work it includes technical drawings, specifications, engineering data, source-selection material, and other sensitive program information. Handling CUI under a DoD contract is what triggers the CMMC Level 2 obligation.

The litmus test is straightforward. If your contracts already include DFARS clause 252.204-7012 — the long-standing requirement to safeguard covered defense information by implementing NIST SP 800-171 — then you almost certainly handle CUI and fall within Level 2 scope. The DoD estimates that roughly 80,000 companies in the Defense Industrial Base will ultimately need a Level 2 C3PAO certification, and that the large majority of affected contractors fall into that third-party-assessed category rather than the lighter self-assessment tier [Strikegraph].

This is where many North Texas suppliers underestimate their exposure. A machine shop producing a single CUI-bearing part, an engineering firm receiving controlled drawings, or a logistics provider with access to shipment specifications all inherit the same obligation as a major prime — there is no small-business carve-out from the controls themselves. If you are unsure whether your environment is in scope, an independent cybersecurity assessment is the fastest way to map where CUI actually lives in your systems.

The 110 Controls: What Level 2 Actually Requires

CMMC Level 2 is, at its core, a verification that you have implemented NIST SP 800-171 Revision 2 — 110 security requirements organized into 14 control families [DoD CIO]. The framework is not new; what changes under Phase 2 is that an independent assessor confirms it rather than taking your word for it. The 14 families span the full operational surface of a modern IT environment:

  • Access Control & Identification and Authentication: least-privilege access, multifactor authentication, and unique accounts for everyone touching CUI.
  • Awareness & Training: role-based security training so staff recognize the threats that target defense suppliers.
  • Audit & Accountability: logging that captures who did what, plus the ability to review and retain those records.
  • Configuration Management: hardened baselines, change control, and an accurate inventory of systems in scope.
  • Incident Response, Maintenance & Media Protection: the ability to detect, report, and recover from incidents and to control how CUI moves on removable and physical media.
  • System & Communications / System & Information Integrity: network segmentation, encryption, boundary defense, and timely patching and malware defense.
  • Personnel, Physical, Risk & Security Assessment: the governance layer — screening, facility controls, risk management, and the System Security Plan that documents it all.

Your implementation produces a numerical SPRS score on a scale that tops out at 110. A perfect score means every control is fully met. A conditional path exists — discussed below — but the assessment standard is unambiguous: each of the 110 requirements is evaluated as met or not met, with no partial credit for a control that is only "mostly" in place.

[Figure: A scoped CUI enclave — isolating controlled data behind access controls and segmentation — is often the most cost-effective route to Level 2.]

The single most consequential scoping decision is where CUI is allowed to live. Many contractors discover that the most affordable path to certification is to build a tightly bounded enclave — a segmented environment, often on a government-community cloud like Microsoft 365 GCC High, where all CUI is processed, stored, and transmitted. Shrinking the assessment boundary to that enclave dramatically reduces the number of systems an assessor must evaluate, and it keeps the rest of your corporate network out of scope. Designing that boundary correctly requires deliberate network segmentation and managed network services, not an afterthought firewall rule.

Several control families also map directly to specific technologies. Multifactor authentication and least-privilege access — central to the Access Control and Identification families — are exactly where a managed identity and password platform earns its keep. ITECS is an authorized 1Password reseller and managed services partner, and we deploy enterprise credential management as part of meeting those access-control requirements. Boundary defense and information integrity, meanwhile, depend on managed firewall services and continuous endpoint detection and response to satisfy the malware-defense and incident-detection controls.

Self-Assessment vs. C3PAO: The Phase 2 Inflection

The heart of Phase 2 is who signs off on your compliance. Under Phase 1, most Level 2 contractors could conduct a self-assessment, submit the score to the Supplier Performance Risk System (SPRS), and have a senior official affirm it annually. Phase 2 makes a Certified Third-Party Assessor Organization (C3PAO) assessment the default for CUI-handling contracts. The distinction matters because the two paths differ in cost, timeline, and rigor.

| Dimension | Level 2 Self-Assessment | Level 2 C3PAO Certification |
| --- | --- | --- |
| Who validates | Your own staff; affirmed by a senior official | Independent accredited assessor |
| Phase 2 applicability | Only a narrow set of lower-risk CUI contracts | The default for most CUI-handling contracts |
| Evidence standard | Documentation and score in SPRS | Document review, interviews, and technical validation of all 110 controls |
| Result | Annual self-affirmation | Certificate of CMMC Status, valid three years |
| Lead time | Internal — weeks | 9–12 months to schedule an assessor today |

That last row is the operational crisis hiding inside Phase 2. With fewer than 100 authorized C3PAOs and a backlog of tens of thousands of contractors, assessment lead times already run 9–12 months and are growing [BitLyft]. A contractor that waits until a Phase 2 solicitation appears to start looking for an assessor will not have a certificate in hand when the award decision is made. The scheduling queue, not the technical work, is what makes November 2026 a genuine deadline rather than a soft target.

"The contractors who lose bids in 2027 will not fail the controls — they will fail the calendar. Assessor capacity, not security maturity, is the binding constraint."

— Cybersecurity Compliance Practice, ITECS

What CMMC Level 2 Really Costs

Cost is the question every contractor asks first, and the honest answer is that the C3PAO's invoice is the smaller part of the bill. DoD planning estimates put the assessment phase alone near $100,000 for a typical Level 2 organization — roughly $76,700 for the assessment, $20,700 for planning and preparation, and the balance for reporting [PreVeil]. But independent analyses consistently find the assessment fee represents only about a quarter to a third of total compliance spend; the majority goes to the remediation and technology work required to make controls passable in the first place.

  • $138K–$285K: typical first-cycle certification cost, all-in
  • ~80,000: DIB companies expected to need Level 2 certification
  • 9–12 mo: current C3PAO scheduling lead time

Sources: PreVeil CMMC cost analysis; DoD CIO; BitLyft assessment guidance

The wide range exists because cost scales with how far your current environment sits from the 110-control standard and how large your assessment scope is. A 25-person engineering firm with a clean, segmented CUI enclave will land near the bottom of that range. A 200-person manufacturer with CUI scattered across shop-floor systems, shared file servers, and unmanaged endpoints will land near the top, because every one of those systems must either be brought into compliance or carved out of scope. This is precisely why the enclave-and-segmentation decision discussed earlier is also the single biggest lever on your total cost. The fastest way to overspend on CMMC is to bring your entire network into scope when a well-designed enclave would have covered the same contractual obligation for a fraction of the price.

The 12-Month Readiness Plan

If a Phase 2 solicitation could realistically appear in your pipeline within the next 18 months, the planning horizon is now. A defensible readiness program moves through five stages, and the early stages are where Dallas contractors create — or lose — their margin against the assessor scheduling queue.

  1. Scope & Gap: Map where CUI lives and assess current state against all 110 controls.
  2. Design Enclave: Segment the environment and select compliant infrastructure (e.g., GCC High).
  3. Remediate: Deploy MFA, EDR, logging, and policies; close control gaps.
  4. Document: Finalize the System Security Plan and evidence for every control.
  5. Assess: Book the C3PAO early; complete the certification assessment.

Step 5 deserves emphasis because of the queue: book the assessor while you are still in remediation, not after. A useful readiness checklist for a North Texas contractor looks like this:

CMMC Level 2 Readiness Checklist

  • ☐ CUI inventory complete — every system that stores, processes, or transmits it is identified
  • ☐ Assessment boundary defined and CUI consolidated into a segmented enclave
  • ☐ Multifactor authentication enforced on all access to the enclave
  • ☐ Endpoint detection, centralized logging, and patch management deployed in scope
  • ☐ System Security Plan (SSP) written and current
  • ☐ Plan of Action & Milestones (POA&M) documents any open items
  • ☐ Self-assessment score submitted to SPRS
  • ☐ C3PAO engaged and assessment slot reserved

⚠ The 180-Day POA&M Window

CMMC allows a conditional Level 2 certification if you reach a minimum score and place a limited set of unmet, lower-weighted controls on a Plan of Action & Milestones. But every item on that POA&M must be fully closed and validated within 180 days, or the conditional status lapses. Treat the POA&M as a short bridge, never as a substitute for doing the work.

The conditional path is real relief for contractors who are close but not perfect on assessment day — yet it is narrow by design. High-value controls cannot be deferred at all, and the 180-day clock is unforgiving. The safest posture is to enter the assessment with a genuine 110, treating the POA&M as insurance rather than strategy.

How ITECS Helps Dallas Contractors Get Certified

CMMC readiness is not a software purchase; it is an operating posture that has to hold up under independent scrutiny and stay current for three years. That is squarely a managed-services problem. ITECS works with Dallas–Fort Worth defense suppliers across the full readiness arc — scoping the CUI boundary, designing the segmented enclave, deploying the access, endpoint, firewall, and logging controls the 110 requirements demand, authoring the System Security Plan, and standing watch over the environment so it does not drift out of compliance between assessments.

Because we deliver these as managed IT services rather than a one-time project, the controls keep working after the certificate is issued — which is exactly what the three-year validity period and annual affirmations require. For manufacturers and engineering firms in the defense base, we pair that with industry-specific experience in manufacturing IT and cybersecurity, where shop-floor systems and legacy equipment complicate the scoping conversation. Our CMMC compliance services page details how we structure an engagement from gap assessment through assessment-readiness.

Start Your CMMC Phase 2 Readiness Now

The assessor queue is the deadline that bites first. A scoping and gap assessment tells you exactly where your CUI lives, what the 110 controls will cost in your environment, and how long your remediation runway really is.

November 10, 2026 is not the day every contractor must be certified. It is the day the DoD can start demanding certification on the contracts you want to win — and given a 9-to-12-month assessor queue and a 6-to-12-month remediation effort, the contractors who treat it as a 2026 problem are already behind. For the Dallas defense corridor, the move is to scope today, segment this quarter, and reserve an assessor before the queue absorbs the rest of the Defense Industrial Base.

About ITECS Team

The ITECS team consists of experienced IT professionals dedicated to delivering enterprise-grade technology solutions and insights to businesses in Dallas and beyond.