CMMC Phase 2 Is Here: What Every Defense Contractor Needs to Know
CMMC 2.0 became a DFARS contract clause on June 11, 2025. Phase 2 is now in force, and C3PAO assessments are showing up in real solicitations. Here is what that means for your business this quarter.
After years of delays and rewrites, CMMC is no longer a future problem. The DoD finalized the CMMC Program Rule (32 CFR Part 170) on October 15, 2024, and the companion 48 CFR rule amending the DFARS went into effect on June 11, 2025. That second rule is the one that matters most to contract officers, because it gives them the clause they need to actually require CMMC in a solicitation. In 2026, we are squarely in Phase 2 of the DoD's four-phase rollout, and the pressure is real.
If you handle Controlled Unclassified Information (CUI), Phase 2 is the phase where the words “CMMC Level 2 certification required” start appearing in contracts you actually want to bid on. Not self-attestation. Not a promise to get there eventually. An active certification from a DoD-authorized C3PAO, on file, before award.
What Phase 2 Actually Requires
The DoD structured CMMC as a phased rollout so that the assessor ecosystem would have time to scale and contractors would have time to prepare. The phases are layered on top of each other:
- Phase 1 introduced Level 1 and Level 2 self-assessment requirements in new solicitations.
- Phase 2 adds Level 2 third-party (C3PAO) assessment requirements for contracts involving CUI. This is where we are now.
- Phase 3 adds Level 3 assessment requirements for the most sensitive programs.
- Phase 4 is full implementation, where CMMC requirements apply to all applicable DoD contracts and option periods.
Phase 2 is the phase where “we will be ready by the next renewal” stops being a workable answer.
The SPRS Score You Actually Need
Under DFARS 252.204-7019 and 7020, defense contractors handling CUI are already required to have a current NIST SP 800-171 Rev 2 self-assessment score posted in the Supplier Performance Risk System (SPRS). The scoring methodology starts at 110 and subtracts weighted points for every control that is not fully implemented. Negative scores are common and allowed on paper, but they paint a clear picture to a contract officer evaluating risk.
For CMMC Level 2 certification, the bar is higher than just “a score on file.” A C3PAO assessment requires that all 110 controls be met, with any gaps captured in a Plan of Action and Milestones (POA&M) that closes within 180 days and does not touch a defined list of non-POA&M-eligible controls. In practice, a realistic target before you walk into a formal assessment is a SPRS score of 88 or higher with a credible path to 110, not a score of 42 with a hope and a prayer.
“The contractors who are winning in Phase 2 are not the ones with the biggest IT budgets. They are the ones who started documenting their system security plan eighteen months ago and treated their SPRS score like a financial metric. Everyone else is trying to buy time they do not have.”
Rick Dassler, CMMC Ready Now
What Contracts Are Including CMMC Now
In Phase 2, contracting officers across the services are applying the new DFARS 252.204-7021 clause to new solicitations where the work involves CUI. That clause is the trigger. When it shows up, the prime (and every relevant sub) must hold a current CMMC certification at the required level before contract award. The clause also flows down. If you are a sub on a prime contract that has a CMMC requirement, the same requirement applies to you.
We are seeing the clause turn up most consistently in research and development awards, weapons systems sustainment, aerospace subcomponent manufacturing, and IT services touching defense networks. But the trend is broader than any single category. Any contract touching CUI is a candidate.
What to Do This Quarter
If you are reading this in April 2026 and you do not yet have a plan, the next 90 days matter more than the next 12 months. Here is a realistic sequence:
- Confirm whether your contracts involve CUI. If the answer is yes or maybe, treat it as yes.
- Run a current gap assessment against all 110 NIST SP 800-171 Rev 2 controls. Document every partial implementation.
- Update your SPRS score. An outdated score is a red flag, and a conservative honest score is better than an inflated one that will not survive an assessment.
- Build a remediation plan with real dollar figures and owners. Tie each gap to a control, a cost, and a close date.
- Get on a C3PAO waitlist early. Assessor capacity is limited and it will get worse as more contractors realize Phase 2 is not negotiable.
The contractors who treat Phase 2 as a sprint instead of a marathon are the ones who will be holding certifications in time for the contracts they want to win in 2027. The rest will be explaining to their customers why they missed a bid.