CMMCDocs.comAs of 2026, CMMC Phase 2 is officially in effect. The DoD is now including CMMC Level 2 certification requirements in new contracts involving CUI. This is no longer a future concern — it is a current procurement reality.
What Phase 2 Means
During Phase 1 (late 2024 through 2025), CMMC requirements appeared in a limited number of contracts, primarily as self-assessment requirements. Phase 2 expands this significantly: new solicitations and contract awards involving CUI will require CMMC Level 2 certification from a C3PAO. The 110 NIST SP 800-171 Rev 2 controls must be independently verified before contract award.
The Timeline Pressure
C3PAO assessment capacity is limited. The Cyber AB has authorized a growing but still constrained pool of assessors. Booking an assessment now takes weeks to months depending on your location and scope. Contractors who wait until an RFP drops to begin preparation will find themselves unable to schedule an assessment in time to bid.
What You Need Ready
Your System Security Plan must be current and accurate. Your SPRS score must be posted. Your POA&M items must have clear remediation plans within the 180-day window. Your evidence must be organized by control family and current — not screenshots from 2023. Your team must be trained and prepared for control owner interviews.
The contractors who started preparation in 2024 and 2025 are now in strong positions. If you are starting now, the good news is that with structured tooling like CMMCDocs, you can compress the timeline significantly. The bad news is that every month of delay narrows your window.