
For most of the last decade a defense contractor could satisfy the Department of Defense's cybersecurity expectations with a promise. You reviewed your controls against NIST SP 800-171, posted a self-assessment score to a government database, and kept working. That promise is now being replaced by proof on a timeline written into federal acquisition regulation, and for the majority of companies that handle Controlled Unclassified Information the pivot arrives in November 2026. This post explains what is actually changing, why that specific window matters, and how much time a contractor realistically has to get ready.
Two rules, one program
The Cybersecurity Maturity Model Certification program is built on two separate but interlocking federal rules, and confusing them is the first mistake most contractors make. The first is the program rule, codified at 32 CFR Part 170 (the CMMC Program final rule, published October 15, 2024 and effective December 16, 2024). It defines the machinery: the certification levels, the types of assessment, how scoring works, when a Plan of Action and Milestones is permitted, and the affirmations a company must make. The second is the acquisition rule, which adds the contract clause DFARS 252.204-7021 (published September 10, 2025 and effective November 10, 2025). This is the piece that gives the program teeth, because it is the clause that makes a specific CMMC level a condition of contract award. The program rule tells you what certification means; the acquisition rule tells you when it starts showing up in the contracts you bid on.
CMMC has three levels. Level 1 (Foundational) covers the fifteen basic safeguarding requirements from FAR 52.204-21 and is met by an annual self-assessment. Level 2 (Advanced) is the one most of the Defense Industrial Base cares about: it maps directly to the 110 security requirements of NIST SP 800-171 Revision 2, assessed against the 320 assessment objectives enumerated in NIST SP 800-171A. Level 3 (Expert) layers a subset of NIST SP 800-172 on top and is assessed by the government's own Defense Industrial Base Cybersecurity Assessment Center. If your contracts involve CUI, Level 2 is almost certainly your target, and Level 2 is where the November 2026 change lands hardest.
The phased rollout, and why November 2026 is the hinge
The acquisition rule does not switch CMMC on all at once. It phases the requirement in over four annual steps keyed to the rule's November 10, 2025 effective date. Phase 1 began on that date: solicitations started to include Level 1 or Level 2 self-assessment requirements, an incremental tightening of the status quo. Phase 2 begins on November 10, 2026, and this is the consequential one. From Phase 2 forward, the requirement to hold a Level 2 certification assessment conducted by an accredited third party is expected to appear as a condition of award for most contracts that involve CUI. Phase 3 (November 10, 2027) extends the certification requirement to the exercise of option periods and introduces Level 3 requirements at award; Phase 4 (November 10, 2028) reaches full implementation across all applicable DoD solicitations and contracts.
The substance of the Phase 2 change is the word that matters most in this whole program: from self-attestation to independent certification. Under Phase 1 you could largely still tell the government you met the requirements. Under Phase 2, for CUI work, an outside assessor has to verify it. That single shift is why the DoD's own economic analysis for the program projected that a large share of the DIB — on the order of tens of thousands of organizations — would ultimately require a third-party Level 2 certification rather than a self-assessment. It is worth stating plainly where the uncertainty lies: DoD retains discretion over exactly which solicitations carry the clause and when, so treat November 10, 2026 as the scheduled opening of the Phase 2 window rather than a guarantee that every contract flips on that morning. The direction and the mechanism are fixed even where the per-contract timing is not.
What actually changes when you can no longer self-attest
A self-assessment is a document you produce about yourself. A certification assessment is an examination someone else performs on you. A CMMC Third-Party Assessment Organization (a C3PAO) evaluates your environment against all 320 objectives using the three assessment methods defined in NIST SP 800-171A — Examine, Interview, and Test. Every objective either has demonstrable evidence behind it or it does not, and "we intend to implement that next quarter" stops being an acceptable answer for most of the 110 requirements. The comfortable ambiguity of a self-reported score collapses into a binary that a stranger will check.
The program rule does leave a narrow bridge. A contractor that meets a minimum threshold can receive a Conditional CMMC Status and finish specific, limited remediation on a Plan of Action and Milestones, but that path runs on a strict 180-day clock and excludes the most heavily weighted controls. (We cover exactly what is allowed on a POA&M and how the 180-day close-out works in a dedicated post in this series.) On top of the assessment itself, a senior company official must submit an annual affirmation of continuous compliance in the Supplier Performance Risk System. Certification is not a one-time gate you clear and forget; it is a posture you have to keep affirming.
The runway problem
The reason November 2026 should be a 2026 conversation and not a late-2026 scramble is capacity and lead time working against each other. The pool of authorized C3PAOs is finite, and the population of contractors that will eventually need a Level 2 certification is measured in the tens of thousands. Assessment slots are a constrained resource, and constrained resources get scarcer and more expensive as a deadline approaches. Meanwhile, genuine readiness — writing an accurate System Security Plan, closing real control gaps, and assembling defensible evidence for 320 objectives — is not a two-week project. For an organization starting from a soft self-assessment score, it is frequently a six-to-eighteen-month effort involving procurement, architecture changes, and policy work that cannot be rushed at the end.
There is a flow-down dimension that catches subcontractors by surprise. Prime contractors carry the CMMC requirement down their supply chains, so a small shop that never bids directly on a DoD solicitation can still be told by its prime that it must be certified to keep the work. If a Phase 2 solicitation lands and you are not certified at the required level, the consequence is simple and unforgiving: you are not eligible for award. There is no partial credit at the contracting officer's desk. The asset you are protecting by starting early is not just a certificate — it is your continued eligibility to compete.
Where a contractor should start
The sequence that works is not glamorous. Establish an honest SPRS score first, because a real number tells you the size of the gap before you spend a dollar closing it; our companion post on how to calculate and improve your SPRS score walks through the scoring math, and the free SPRS score estimator lets you produce a first figure without an email gate. Next, scope your CUI boundary deliberately, because the assets that touch CUI define the size and cost of everything that follows. Then build the System Security Plan and the underlying evidence, and track your posture against all 320 objectives rather than the 110 requirements, since the objectives are what an assessor actually tests.
Where Valty fits, honestly
A precise disclosure matters here because the market is full of vague claims. Valty is not a C3PAO, does not perform certification assessments, and cannot grant or guarantee any CMMC status — certification comes only from an accredited assessor and the DoD ecosystem. What the Valty platform does is support readiness: tracking your environment against the 320 assessment objectives, computing and monitoring your SPRS score, managing the 180-day POA&M lifecycle, and generating the machine-readable OSCAL artifacts — System Security Plan, Security Assessment Plan, Security Assessment Report, and POA&M — that a modern assessment package increasingly expects. All of it is framed as decision-support and readiness evidence, not as authorization. If you want the full mandate picture, the CMMC overview and the federal and regulatory capability page lay out the coverage. The point of starting now is not to buy a shortcut through the assessment; it is to arrive at the assessment with the gap already closed and the evidence already assembled, on a deadline that is no longer hypothetical.