On November 10, 2026, CMMC Phase 2 goes into effect. New DoD solicitations will begin requiring CMMC Level 2 certification, and contractors who handle Controlled Unclassified Information (CUI) without it won't be eligible to bid.
Nine months sounds like plenty of time. For most small contractors, it isn't.
Between conducting a gap assessment, remediating findings, and scheduling a C3PAO audit -- assessors are already booking out months in advance -- the timeline is tighter than it appears. Contractors who start now can make it. Those who wait until summer are rolling the dice.
This guide breaks down what the deadline means for small defense subcontractors, what compliance actually involves, and the specific steps to take between now and November.
What's Changing on November 10
Under the current DFARS interim rule, defense contractors self-assess against NIST SP 800-171 and submit a score to SPRS. That system has no teeth. Contractors self-report scores with little verification, and there are no real consequences for inflated numbers.
CMMC changes that. Level 2 requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO). An assessor walks through all 110 controls, reviews documentation, interviews staff, and examines technical evidence. You either pass or you don't.
For small subcontractors, the practical impact is straightforward: if your prime's contract includes a CMMC clause, you need to be certified at the appropriate level or the prime will find a sub who is.
A Realistic Timeline
Getting from where most small contractors are today to CMMC Level 2 certified involves three phases. Each takes longer than you'd expect.
Phase 1: Gap Assessment (2-4 weeks)
A qualified assessor evaluates your environment against all 110 NIST 800-171 controls. The output is a detailed report of what you meet, what you partially meet, and what you're missing entirely. This is the foundation for everything that follows. Skipping it to save money almost always costs more in wasted remediation effort.
Phase 2: Remediation (2-6 months)
This is where the calendar gets eaten. Common findings for small shops include flat networks with no segmentation, inconsistent MFA deployment, missing audit logs, and incomplete or nonexistent security policies. Fixing these issues involves procurement, configuration, testing, documentation, and staff training. Two months is aggressive. Six months is realistic if your starting point is rough.
Phase 3: C3PAO Assessment (scheduling + 1-2 weeks onsite)
The formal audit. C3PAOs are the bottleneck. There are a limited number of accredited organizations, and demand is increasing as the deadline approaches. Contractors who wait until Q3 to schedule may not find availability before November. Booking in Q1 or early Q2 is the move.
Working backward from November 10: if remediation takes four months and the C3PAO needs to be booked by July, the gap assessment needs to happen in February or March. That window is open right now. It won't be for long.
Track Which Contracts Require CMMC
Our Pro+ plan flags CMMC requirements on every SAM.gov contract alert, so you can see exactly which opportunities in your space need certification.
The Controls That Trip Up Small Contractors
CMMC Level 2 maps to all 110 controls in NIST SP 800-171. Most small contractors meet 40-60 of them without any special effort -- things like having antivirus installed or using passwords. The other 50-70 are where the work is.
Five control families cause the most findings in small environments:
Access Control. Role-based access, least privilege, session timeouts, and remote access policies. The typical small contractor has a flat Active Directory with broad permissions and no formal access review process. Restructuring this takes time and careful planning to avoid disrupting operations.
Audit and Accountability. Centralized logging with regular review and correlation. You need to know who accessed what, when, and be able to demonstrate that someone actually reviews those logs. This usually means deploying a SIEM or log management solution, which involves both cost and configuration time.
Configuration Management. Documented baselines for every system, a change management process, and restrictions on unauthorized software. "We update things when we remember to" doesn't pass. You need written baselines, a change log, and evidence that systems are configured according to those baselines.
Identification and Authentication. MFA on every system that touches CUI. Not just email and VPN -- workstations, servers, cloud applications, everything in scope. Phishing-resistant methods (FIDO2, hardware tokens) are strongly recommended over SMS or app-based push notifications.
System and Communications Protection. Encryption at rest and in transit, plus network segmentation. If CUI lives on the same network segment as the break room TV and the guest WiFi, that's a finding. Segmentation projects can be straightforward or complex depending on your current architecture.
What It Actually Costs
Budget ranges for a small contractor (20-100 employees):
- Gap assessment: $5,000 - $15,000. The diagnostic. Worth every dollar because it prevents you from spending money on the wrong things during remediation.
- Remediation: $20,000 - $75,000 for most small contractors. Wide range because it depends entirely on your starting point. A company with a modern cloud environment and decent security hygiene might be on the low end. A company running a flat on-prem network with no documented policies will be on the high end.
- C3PAO assessment: $20,000 - $50,000. The official certification audit. Price depends on the number of assets in scope and the complexity of your environment.
- Annual maintenance: $5,000 - $15,000 per year for continuous monitoring, policy updates, and annual self-assessments between certification cycles.
Total investment from start to certified: $50,000 - $150,000. Significant for a small business, but the math works when you consider the alternative. A single DoD subcontract can be worth multiples of that investment. Being locked out of the defense contracting market entirely is the more expensive outcome.
Need a CMMC Gap Assessment?
Zio Security provides gap assessments for small defense contractors. We're based in Panama City, FL, local to Tyndall AFB and NSWC Panama City Division.
A Month-by-Month Plan
February - March: Conduct your gap assessment. Get an accurate picture of where you stand across all 110 controls. Use the results to build a prioritized remediation roadmap with realistic timelines and cost estimates.
March - April: Develop your System Security Plan (SSP) and Plan of Action & Milestones (POA&M). The SSP documents your security environment and how each control is met. The POA&M tracks deficiencies and remediation timelines. Both are required artifacts that your C3PAO will review.
April - August: Execute remediation. Deploy MFA, configure logging, segment your network, write policies, train staff. Prioritize the controls that require procurement or infrastructure changes first, since those have the longest lead times. Keep your SSP and POA&M updated as you close findings.
May - June: Book your C3PAO assessment. Earlier is better. Target an assessment date in September or October to leave room for any last-minute fixes.
September - October: Conduct a readiness review. Walk through the assessment process internally. Verify documentation is complete, technical controls are functioning, and staff can answer assessor questions about security practices. Fix anything that surfaces.
October - November: Complete your C3PAO assessment. If you pass, you're certified and eligible to bid on CMMC-required contracts from day one. If findings come back, you'll have specific items to address for a reassessment.
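As an added illustration (not part of the original article), here is a small Python script that turns gap-assessment findings into the prioritized remediation roadmap described above: it tallies coverage per control family, orders open findings so procurement-dependent items start first, and computes the latest start date that still meets a chosen readiness-review date. The control identifiers are from NIST SP 800-171; the findings, lead times and dates are constructed sample values, not real assessment data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    control: str             # NIST SP 800-171 control identifier
    family: str              # control family name
    status: str              # "met", "partial" or "not_met"
    needs_procurement: bool  # requires buying hardware, software or services
    lead_time_weeks: int     # estimated weeks from start of work to closed

# Constructed sample gap-assessment output (not real assessment data).
SAMPLE_FINDINGS = [
    Finding("3.1.1", "Access Control", "met", False, 0),
    Finding("3.1.5", "Access Control", "partial", False, 4),
    Finding("3.3.1", "Audit and Accountability", "not_met", True, 8),
    Finding("3.4.1", "Configuration Management", "not_met", False, 6),
    Finding("3.5.3", "Identification and Authentication", "partial", True, 6),
    Finding("3.13.1", "System and Communications Protection", "not_met", True, 10),
    Finding("3.13.16", "System and Communications Protection", "met", False, 0),
]

def coverage_by_family(findings):
    """Map each family to (fully met controls, total assessed controls)."""
    totals = {}
    for f in findings:
        met, total = totals.get(f.family, (0, 0))
        totals[f.family] = (met + (f.status == "met"), total + 1)
    return totals

def remediation_roadmap(findings, ready_by):
    """Order open findings: procurement-dependent first, then longest lead time.
    Each entry carries the latest date work can start and still close by ready_by."""
    open_items = [f for f in findings if f.status != "met"]
    open_items.sort(key=lambda f: (not f.needs_procurement, -f.lead_time_weeks))
    return [(f.control, ready_by - timedelta(weeks=f.lead_time_weeks)) for f in open_items]

def already_late(roadmap, today):
    """Controls whose latest start date has passed; these need a POA&M entry now."""
    return [control for control, start in roadmap if start < today]

if __name__ == "__main__":
    for family, (met, total) in coverage_by_family(SAMPLE_FINDINGS).items():
        print(f"{family}: {met}/{total} met")
    plan = remediation_roadmap(SAMPLE_FINDINGS, date(2026, 9, 1))  # readiness review target
    for control, start in plan:
        print(f"{control}: start no later than {start}")
    print("already late:", already_late(plan, date(2026, 7, 1)))
```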
What Happens If You're Not Ready
November 10 isn't a cliff where every contract suddenly requires CMMC. The requirement will be phased into new solicitations over the following months. But the trajectory is clear, and primes aren't waiting for the deadline to evaluate their supply chains.
Large primes are already sending compliance questionnaires to their subcontractors. They're assessing which subs can handle CUI under the new framework and which can't. Contractors who can demonstrate progress -- even if not yet fully certified -- are in a better position than those who haven't started at all.
The competitive advantage of early compliance is real. While others are scrambling to get assessed in early 2027, certified contractors will already be winning work.
Three Things You Can Do Today
1. Read NIST SP 800-171 Rev 2. It's 113 pages, freely available from NIST. Do a rough self-assessment against the 110 controls. You'll quickly see where you stand and where the gaps are.
2. Verify your SAM.gov registration. Make sure your entity information, NAICS codes, and capabilities narrative are current. An active SAM registration is a prerequisite for bidding on any federal contract.
3. Start tracking contracts in your space. Understand which solicitations are already including CMMC requirements and which agencies are moving fastest. The data tells the story better than any analyst can.
Get Contract Alerts Matched to Your Business
Free weekly digest of SAM.gov opportunities filtered to your NAICS codes. Upgrade to Pro+ to see CMMC requirements flagged on every listing.