CMMC Phase 2 Is 5 Months Away: The Subcontractor Triage Checklist

Key Takeaways

  • CMMC Phase 2 begins November 10, 2026 and the self-attestation window for handling Controlled Unclassified Information closes with it

  • If you only handle Federal Contract Information you are Level 1 and a self-assessment is enough; the moment CUI lands on your systems you are Level 2 and a C3PAO audit is required

  • Scope is the single largest cost driver — every system that processes, stores, transmits, or connects to CUI is in scope

  • Phase 1 is already active for SPRS, so any new DoD solicitation requires a current self-assessment uploaded by your senior official

  • 350,000 suppliers competing for a fixed pool of authorized assessors means audit slots are filling now, not later

November 10, 2026. That is when CMMC Phase 2 begins, and the days of self-attestation for Controlled Unclassified Information end. If you subcontract on DoD work, this is the last quarter to triage your posture before the audit window slams shut.

Here is the triage checklist for any small or mid-sized subcontractor sitting inside the defense industrial base supply chain.

  • Do you actually handle CUI?

The first triage question is also the most consequential. If you only handle Federal Contract Information and never touch CUI, you are a Level 1 organization and a self-assessment is enough. If CUI ever lands on your systems, whether in an email, a shared drive, or a design file, you are Level 2 and a C3PAO audit is in your future. Misclassify yourself and the audit will find it.

  • Have you scoped your CUI boundary?

Scope is the single largest cost driver in a CMMC engagement. Every system that processes, stores, or transmits CUI is in scope, and so is every system that connects to those systems. The narrower and cleaner the scope, the lower the cost and the higher the chance of passing. The wider the scope, the more expensive the audit and the more places to fail.

  • Is your SPRS score current?

Phase 1 is already active. Every new DoD solicitation requires a current Supplier Performance Risk System score uploaded by your senior official. If your score is stale or missing, you are not eligible for award. Fix this in days, not months.

  • Do you have a System Security Plan?

An SSP is not optional. Every Level 2 organization needs one and assessors review it first. The most common finding on initial reviews: the SSP describes a system that does not match the live environment. Get them aligned before the audit, not during.

  • Where are you on the 110 controls?

NIST 800-171 has 110 controls. A current self-assessment tells you which are implemented, which have a plan of action, and which are gaps. The hidden cost is in the controls you think are done but cannot evidence. A Compliance Snapshot will reveal those before the auditor does.

  • Have you booked a C3PAO?

There are 350,000 suppliers competing for a fixed number of authorized assessors, and the math is not in your favor if you wait. Schedule the audit window now, even if you are not ready for it yet. You can always reschedule. You cannot conjure an open slot in October 2026.

The window is real

Phase 2 starts November 10, 2026, and final mandatory compliance hits October 31, 2027. Most subcontractors need 9 to 12 months to remediate, which means June is when the calendar actually closes. Triage now or accept that the 2027 bid cycle goes to a competitor that did.

If you have not yet checked your CUI scope, your SPRS score, and your audit slot availability, this is the week to start. The math on November 10 does not care when you began.

A Compliance Snapshot will surface the gaps in two weeks, with a clean roadmap and no commitment beyond the assessment. Leave a comment below or reach out at hello@tailoredcompliancesolutions.com to talk through where you are.
