CMMC Phase 2 Is Six Months Out and Most Contractors Still Can't Get on an Assessor's Calendar

November 10, 2026. That's when CMMC Level 2 shifts from self-attestation to mandatory third-party assessment for any DoD contract involving Controlled Unclassified Information. Six months from today.

Here's the math that should keep defense contractors up at night: roughly 80 authorized C3PAOs exist to serve an estimated 76,000 to 80,000 contractors who need Level 2 certification. Fewer than 600 Certified CMMC Assessors are active. The DoD's own projections show capacity for 517 assessments in Year 1. As of February 2026, fewer than 1,100 organizations had completed certification.

That's 99% of the defense industrial base still waiting.

The gap is worse than you think

SSE, a Registered Practitioner Organization that has conducted more than 60 gap assessments across small and mid-size defense suppliers, published a number that should end every "we're probably fine" conversation: the average delta between a company's self-assessed SPRS score and its evidence-based post-assessment score was negative 133 points.

Not negative 13. Negative 133.

Companies walked in believing they were close. They weren't. The gap wasn't a missing firewall or an unpatched server. It was incomplete documentation, misunderstood control boundaries, and incorrect assumptions about what counts as CUI and where it lives.

This matters because the DOJ is already collecting. Nine cybersecurity-related False Claims Act settlements in FY2025 totaled $52 million, tripling year-over-year. One defense contractor paid $4.6 million after its own head of security blew the whistle on a fabricated SPRS score. The actual score was negative 142. The whistleblower walked away with $851,000.

In December 2025, the DOJ hit its first supply-chain-tier target: a precision machining subcontractor in Illinois paid $421,000 after a former quality control manager reported inadequate protections for technical drawings. Not a prime contractor. A sub.

The enforcement pattern is clear. It's moving downstream.

You won't fail on controls. You'll fail on proof.

Federal News Network ran a piece in April 2026 that nailed the real problem: most organizations can implement the technical controls, but they'll fail on documentation, evidence, and audit trail.

A C3PAO assessment doesn't ask "do you have MFA?" It asks "prove MFA has been enforced continuously, show the logs, show the policy, show the exception process, show who approved the exceptions and when."

That's 110 controls, each requiring documented evidence of continuous enforcement. If your infrastructure doesn't generate compliance artifacts by default, you're building a documentation project on top of a security project on top of your actual business. The documentation burden alone consumes more time than the technical implementation.
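What "prove MFA has been enforced continuously" looks like in practice is a report that ties three things together: the authentication logs, the exception register (who was approved to skip MFA, by whom, until when), and the days on which the logs themselves are silent. The script below is an added example, not code from the article or from any vendor it mentions; the log line format, the sample lines and the exception register are constructed assumptions. It flags logins that violate policy, distinguishes an expired exception from a missing one, and reports gaps in log coverage, which an assessor treats as a gap in the audit trail rather than a clean bill of health.

```python
"""Added example (not from the article): build an MFA-enforcement evidence
artifact from authentication logs plus an exception register.

Log line format and the exception register are constructed assumptions.
"""
import json
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log lines: timestamp, then key=value fields.
SAMPLE_LOGS = """\
2026-05-01T08:02:11Z user=alice event=login result=success mfa=totp
2026-05-01T08:15:40Z user=bob event=login result=success mfa=none
2026-05-01T09:01:05Z user=svc-backup event=login result=success mfa=none
2026-05-02T07:55:12Z user=alice event=login result=success mfa=webauthn
2026-05-02T09:30:00Z user=dave event=login result=success mfa=none
2026-05-02T10:22:09Z user=carol event=login result=failure mfa=none
2026-05-05T11:00:00Z user=bob event=login result=success mfa=totp
"""

# Constructed exception register: accounts approved to log in without MFA,
# who approved them, the ticket that records it, and when the approval lapses.
EXCEPTIONS = {
    "svc-backup": {"approved_by": "ciso", "ticket": "EXC-0042",
                   "expires": "2026-12-31T00:00:00Z"},
    "dave": {"approved_by": "ciso", "ticket": "EXC-0017",
             "expires": "2026-03-31T00:00:00Z"},   # already lapsed
}


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, TS_FMT)
    return rec


def exception_valid(user, at, exceptions):
    """True only if the user has an exception that had not lapsed at time `at`."""
    exc = exceptions.get(user)
    return exc is not None and at < datetime.strptime(exc["expires"], TS_FMT)


def mfa_evidence(log_text, exceptions):
    """Return the evidence report an assessor asks for: how many logins were
    MFA-protected, which were covered by a valid exception, which violate
    policy, and which calendar days have no log coverage at all."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    successes = [r for r in records
                 if r["event"] == "login" and r["result"] == "success"]
    report = {"successful_logins": len(successes), "mfa_enforced": 0,
              "exception_covered": [], "violations": [], "log_gap_days": []}
    for r in successes:
        when = r["ts"].strftime(TS_FMT)
        if r["mfa"] != "none":
            report["mfa_enforced"] += 1
        elif exception_valid(r["user"], r["ts"], exceptions):
            report["exception_covered"].append(
                {"user": r["user"], "ts": when,
                 "ticket": exceptions[r["user"]]["ticket"]})
        else:
            reason = ("exception expired" if r["user"] in exceptions
                      else "no approved exception")
            report["violations"].append(
                {"user": r["user"], "ts": when, "reason": reason})
    # Continuity check: every day between the first and last record should
    # carry at least one line; a silent day is a gap in the audit trail.
    days = {r["ts"].date() for r in records}
    if days:
        d = min(days)
        while d < max(days):
            d += timedelta(days=1)
            if d not in days:
                report["log_gap_days"].append(d.isoformat())
    return report


if __name__ == "__main__":
    print(json.dumps(mfa_evidence(SAMPLE_LOGS, EXCEPTIONS), indent=2))
```

Run against the constructed sample, the report shows six successful logins, three with MFA, one covered by a still-valid exception (svc-backup, ticket EXC-0042), two violations (bob with no exception at all, dave whose exception lapsed in March), and two days with no log lines. A report like this, generated on a schedule and retained, is the artifact; the policy document on its own is not.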

This is where most compliance efforts collapse. The -133 point gap from SSE's assessments isn't a technology failure. It's an evidence failure.

Assessment costs are climbing with demand

Current C3PAO assessment fees range from $31,000 to $76,000 for small and mid-size firms. Industry projections put that at $75,000 to $150,000 by late 2026 as capacity tightens and demand spikes. Delayed planning adds 20 to 30 percent to total certification costs from compressed timelines and rushed remediation.

Small businesses represent 73 percent of DoD suppliers. They receive roughly 25 percent of prime contracts. The SBA Office of Advocacy has repeatedly warned that compliance costs could force small firms out of defense work entirely. And manufacturing has been the most-targeted industry for cyberattacks four years running.

The conditional certification path exists as a fallback. Score 80 percent (88 of 110 controls MET) and you get conditional status. But POA&M items must close within 180 days or eligibility expires. That's not a reprieve. It's a shorter clock with a higher bar.

The two-standard problem nobody's talking about

While the DoD holds contractors to NIST 800-171 Rev 2 for CMMC, GSA issued a Procedural Guide in January 2026 requiring Rev 3 for all GSA contracts involving CUI. No phase-in period. Nine controls GSA considers mandatory. A one-hour incident reporting window.

If you work both GSA and DoD contracts, you now face diverging compliance baselines with no harmonization timeline. And Rev 3 is coming to DoD too. The DoD is actively developing Organization-Defined Parameters guidance for Rev 3 implementation, expected late 2026 to early 2027. Companies that build to bare-minimum Rev 2 will face a second compliance cycle within a year.

One more trap: cloud providers claiming compliance equivalency based on running inside a major cloud platform. That doesn't count. A cloud service provider lacking all Body of Evidence elements fails DIBCAC assessment regardless of what infrastructure sits underneath it. The compliance posture of your hosting provider is not your compliance posture.

Infrastructure that generates evidence by default

Whether you face a 12-month compliance project or just a migration comes down to whether your infrastructure was built with NIST 800-171 controls in mind from the start.

LTFI's managed infrastructure runs on isolated, dedicated servers. Not shared hosting with hundreds of other tenants. Every deployment includes hardened configurations, automated patching, centralized logging, and default-deny firewall policies. The security controls that CMMC assessors look for aren't bolted on after the fact. They're how the infrastructure ships.

That means access controls with documented enforcement. Audit logs that capture what the assessment requires. Encryption at rest and in transit. Configuration baselines that don't drift because they're enforced by automation, not by policy documents that nobody reads.

When a C3PAO walks in, the question shifts from "can you prove this?" to "here's where to find it." The evidence exists because the infrastructure produces it as a side effect of operating correctly.
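Configuration baselines that "don't drift" still need something that checks them and writes the result down. The script below is an added example, not code from the article or from LTFI; the baseline, the sample sshd_config text, the firewall policy dump and the control-family labels are constructed assumptions. It compares declared settings against observed state and emits a finding list, treating an unset key as drift because "not configured" is not evidence that a control is enforced.

```python
"""Added example (not from the article or LTFI): detect configuration drift
against a declared baseline and emit the findings as an evidence artifact.

The baseline, observed state and family labels are constructed assumptions.
"""
import json

# Declared baseline: the value each setting must hold, tagged with the
# NIST 800-171 family it supports (illustrative mapping, family names only).
BASELINE = {
    "sshd": {"family": "3.5 Identification and Authentication",
             "settings": {"PasswordAuthentication": "no",
                          "PermitRootLogin": "no",
                          "MaxAuthTries": "4"}},
    "firewall": {"family": "3.13 System and Communications Protection",
                 "settings": {"default_input": "DROP",
                              "default_forward": "DROP"}},
    "audit": {"family": "3.3 Audit and Accountability",
              "settings": {"max_log_file_action": "keep_logs",
                           "space_left_action": "email"}},
}

# Constructed observed state, as a collector might report it.
OBSERVED_SSHD = """\
# sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 4
"""
OBSERVED_FIREWALL = {"default_input": "DROP", "default_forward": "ACCEPT"}
OBSERVED_AUDIT = {"max_log_file_action": "keep_logs"}   # space_left_action unset


def parse_sshd(text):
    """Turn sshd_config-style 'Key value' lines into a dict, skipping comments
    and blanks. First occurrence wins, matching how sshd reads its config."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def check_drift(baseline, observed):
    """One finding per baseline setting whose observed value differs.
    A missing key is drift too: absence is not evidence of enforcement."""
    findings = []
    for component, spec in baseline.items():
        actual_settings = observed.get(component, {})
        for key, expected in spec["settings"].items():
            actual = actual_settings.get(key)
            if actual != expected:
                findings.append({"component": component,
                                 "family": spec["family"],
                                 "setting": key, "expected": expected,
                                 "actual": "<unset>" if actual is None else actual})
    return findings


def evidence_artifact(baseline, observed):
    """Summary an assessor can read: how much was checked, how much drifted."""
    findings = check_drift(baseline, observed)
    checked = sum(len(spec["settings"]) for spec in baseline.values())
    return {"settings_checked": checked, "drifted": len(findings),
            "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    observed = {"sshd": parse_sshd(OBSERVED_SSHD),
                "firewall": OBSERVED_FIREWALL, "audit": OBSERVED_AUDIT}
    print(json.dumps(evidence_artifact(BASELINE, observed), indent=2))
```

On the constructed sample it checks seven settings and reports three drifts: password authentication enabled on sshd, a forward chain that accepts by default instead of dropping, and an unset audit space_left_action. Scheduling the check and keeping each run's output gives the "here's where to find it" answer the paragraph above describes; the remediation still has to be automated separately.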

Rev 3 readiness without a second migration

Building to NIST 800-171 controls rather than CMMC-specific checklists means the infrastructure is framework-agnostic. When Rev 3 requirements arrive for DoD contracts, the controls are already in place. The work becomes mapping and documentation, not re-architecture.

Companies building to the minimum today will rebuild tomorrow. That's two compliance projects, two budget cycles, and two assessment engagements in 18 months. The infrastructure you choose now determines whether the Rev 3 transition is a spreadsheet exercise or another fire drill.

Six months is not enough time to start from scratch

If you haven't engaged a C3PAO yet, the November deadline is already a problem. Prep takes 6 to 12 months. The assessor pipeline is constrained. Costs are rising. And the DOJ has demonstrated it will pursue both primes and subs who misrepresent their compliance posture.

The fastest path to assessment-ready is migrating to infrastructure that already meets the controls, rather than trying to retrofit what you have. The -133 point gap doesn't come from missing technology. It comes from infrastructure that was never designed to prove what it does.

LTFI builds managed infrastructure for businesses that need enterprise-grade security without building an enterprise-size team to maintain it. If your November timeline depends on the infrastructure under your operations, talk to us.
