TL;DR: Per the DoD CMMC final rule timeline and recent industry coverage, CMMC Phase 2 begins November 10, 2026 - approximately five months from today. After Phase 2, contracts that touch Controlled Unclassified Information (CUI) will require third-party C3PAO certification at Level 2, not the current self-assessment. Per industry guidance, the typical remediation runway is 6-12 months. The math is now adverse: NC defense contractors that have not started CMMC remediation are statistically likely to miss the window for early-2027 contract bids, and major primes including Lockheed Martin, Boeing, and Northrop Grumman are already requiring documented compliance from suppliers.
Key takeaway: The CMMC clock is no longer hypothetical. Five months from June 2026 to November 10, 2026 is enough time to close a small remediation gap, complete a pre-assessment, and book a C3PAO slot - but only if the work starts this quarter. NC contractors that wait until Q3 are likely to find C3PAO calendars fully booked.
Need a CMMC remediation sprint and C3PAO booking plan? Preferred Data Corporation provides managed CMMC compliance, pre-assessment, and remediation for NC defense contractors. Call (336) 886-3282 or request a CMMC readiness review.
What changes on November 10, 2026?
The DoD CMMC program officially transitions from Phase 1 (self-assessment plus SPRS posting) to Phase 2 (third-party assessment for CUI contracts). Per the DoD CMMC final rule, the M2 Technology 2026 brief, and Workstreet's CMMC timeline:
| Phase | Effective Date | Requirement |
|---|---|---|
| Phase 1 | November 10, 2025 to November 9, 2026 | Level 1 self-assessment; Level 2 self-assessment for most CUI contracts |
| Phase 2 | November 10, 2026 | Mandatory C3PAO third-party assessment for most Level 2 contracts (CUI) |
| Phase 3 | November 10, 2027 | Expanded C3PAO requirement to all applicable contracts |
| Full implementation | November 10, 2028 | Full CMMC program in effect across DoD acquisitions |
Per the Alston & Bird legal analysis, the Phase 2 transition is the deadline that converts CMMC from a paper exercise into an audit-driven, pass-fail gate.
What is a C3PAO and why does it matter?
A C3PAO (Certified Third-Party Assessment Organization) is an independent firm authorized by the Cyber AB (the CMMC Accreditation Body) to perform CMMC Level 2 certification assessments. Per Kiteworks' 2026 C3PAO guide and Cyber AB's marketplace, as of June 2026 there are fewer than 100 fully authorized C3PAOs in the United States.
Three implications for the NC defense supplier base:
- Limited supply, high demand. Industry analysts project C3PAO calendars will be fully booked by late summer 2026, with assessment slots priced at $30,000-$150,000+ depending on scope.
- No "almost passing." C3PAO assessment is binary: 110 NIST SP 800-171 controls must be implemented, and the assessor verifies each via interview, documentation review, and technical test. Anything other than "met" requires a POA&M and remediation.
- The cert lasts three years. Once achieved, a CMMC Level 2 certification is valid for three years with annual affirmations.
How big is the typical NC defense contractor's remediation gap?
Per PDC's 2025-2026 readiness data across NC defense suppliers and industry CMMC pre-assessment benchmarks, the typical small defense contractor that reports "we have NIST 800-171 in place" actually has an SPRS score between 60 and 95, against a required score of 110.
| SPRS Score | Status | Typical Remediation Time |
|---|---|---|
| 110 | Fully compliant | Pre-assessment polish, 1-2 months |
| 95-109 | Near compliant | 3-6 months remediation |
| 80-94 | Partial - common starting point | 6-9 months remediation |
| 60-79 | Significant gaps | 9-12 months remediation |
| Below 60 | Major program build-out | 12-18+ months |
The math: an NC contractor below SPRS 95 today, starting in June 2026, has roughly five months until Phase 2 plus another 2-3 months to book a C3PAO. That is less than the typical remediation runway. Starting now is the difference between contracts in 2027 and a year-plus gap.
What does a 5-month CMMC sprint look like for an NC SMB?
Sequence the work in three phases. None of this is theoretical - PDC has executed this playbook with NC defense suppliers in 2025-2026.
- Month 1 - Scope and gap. Define the CUI boundary (data flow map, asset inventory). Run a NIST SP 800-171A gap assessment against all 110 controls. Identify the enclave strategy: full company in scope, or CUI enclave (GCC High, Azure Government, or on-prem segmented environment).
- Months 2-3 - Foundation rollout. Implement the top-impact controls: FIPS-validated encryption at rest and in transit, audit logging with 90-day retention, MFA on all CUI-accessing accounts, incident response plan with documented contacts and timelines, configuration baselines, vulnerability scanning cadence, security awareness training.
- Months 4-5 - Pre-assessment and POA&M. Conduct a mock C3PAO assessment with a Registered Practitioner (RP) or Certified CMMC Professional (CCP). Close any remaining gaps. Book the C3PAO assessment slot (book this early in Month 4; calendars fill fast). Submit the final SPRS score.
Quotable definition: A CMMC enclave is a logically isolated portion of an organization's IT environment where CUI is processed, stored, and transmitted. The enclave approach (versus enterprise-wide CMMC) is the most common cost-effective strategy for NC small business defense suppliers because it limits the in-scope footprint to the smallest viable boundary.
Which controls are the most common gaps for NC defense suppliers?
Per PDC's NC CMMC pre-assessment data and the Kiteworks armament manufacturer guide, five control families are the highest-frequency gaps:
| Control Family | Common Gap | NC SMB Frequency |
|---|---|---|
| 3.1 Access Control | MFA not on all CUI accounts; least-privilege not enforced | 85% |
| 3.3 Audit and Accountability | No centralized log retention; no audit review cadence | 75% |
| 3.4 Configuration Management | No documented baselines; no change control | 70% |
| 3.8 Media Protection | No documented sanitization; portable media not controlled | 65% |
| 3.13 System and Communications Protection | No FIPS validation on encryption; no DLP | 60% |
The remediation cost for an NC small business is generally $50,000-$250,000 inclusive of tooling, services, training, and pre-assessment, plus the C3PAO assessment fee. Per the M2 Technology 2026 CMMC cost guide, the typical small defense contractor budget is 1.5-3.5% of annual revenue for the first compliance cycle.
What happens if I miss the November 10, 2026 deadline?
Three documented consequences:
- Loss of CUI contract eligibility. Per Alston & Bird's legal analysis, DoD acquisitions after Phase 2 begins will incorporate the CMMC requirement at the relevant level, and bids without certification (where required) will be non-responsive.
- Prime contractor pressure. Lockheed Martin, Boeing, Northrop Grumman, and other major primes are already requiring CMMC documentation from suppliers, and some FY2026 contracts have moved certification requirements ahead of the official DoD timeline.
- Loss of CUI flow-down work. Many subcontractor opportunities depend on the prime's compliance posture. An NC supplier without CMMC may lose work even when the prime contract does not yet officially require it.
Should I use a CMMC enclave or take the whole company through?
For most NC defense suppliers, a CMMC enclave is the right answer. Per the FedRAMP / GCC High / CMMC cloud compliance environment, three patterns recur:
| Strategy | Best Fit | Cost Floor |
|---|---|---|
| Enterprise-wide CMMC | CUI flows through every desk and system | $250,000-$1M+ |
| GCC High enclave | Most knowledge-worker CUI; cloud-first | $100,000-$350,000 |
| On-prem segmented enclave | Manufacturing CUI; ITAR; air-gapped engineering | $150,000-$500,000 |
| Hybrid (GCC High + on-prem) | Engineering + cloud collaboration mix | $175,000-$450,000 |
PDC scopes the enclave decision in the first two weeks of every CMMC engagement.
Does cyber insurance cover CMMC remediation or assessment failure?
No. Cyber insurance covers breach response and certain liability scenarios, not CMMC implementation cost or audit failure cost. However, per the 2026 cyber insurance environment for defense suppliers, a documented CMMC Level 2 posture is increasingly a positive signal at underwriting and frequently results in 5-15% premium reductions versus comparable contractors without certification.
How does Preferred Data Corporation help?
PDC supports NC defense contractors with the full CMMC lifecycle:
- Managed cybersecurity with NIST SP 800-171 implementation, FIPS-validated encryption, audit logging, MFA hardening, incident response plan development, security awareness training.
- Managed IT services with configuration baselines, vulnerability management, patch SLA, asset inventory, documented evidence packages for assessor review.
- Cloud Solutions including GCC High enclave architecture and Azure Government migration for CMMC-scoped workloads.
- CMMC pre-assessment with Registered Practitioner-led mock assessments, POA&M development, and C3PAO scheduling support.
PDC has served NC small businesses, manufacturers, and defense suppliers for over 37 years - founded in 1987 - with on-site coverage within 200 miles of High Point. The combination of local NC presence, deep manufacturing context, and CMMC-specific expertise is what gets a contractor from SPRS 80 to SPRS 110 inside the Phase 2 window.
Frequently Asked Questions
What is the CMMC Phase 2 deadline?
Per the DoD CMMC final rule, Phase 2 begins November 10, 2026. After that date, contracts that involve Controlled Unclassified Information (CUI) will require Level 2 certification by a C3PAO rather than the current self-assessment.
What is the difference between CMMC Level 1 and Level 2?
CMMC Level 1 (Foundational) covers Federal Contract Information (FCI) and includes 15 basic safeguards from FAR 52.204-21. Level 1 remains self-assessment in most contracts. CMMC Level 2 (Advanced) covers CUI and includes all 110 controls from NIST SP 800-171. Level 2 requires C3PAO assessment in Phase 2 and beyond for most CUI contracts.
How long does CMMC remediation typically take?
Per industry benchmarks summarized by KMLCS and PDC's NC defense supplier data, typical remediation runs 6-12 months from kickoff to C3PAO-ready, depending on the starting SPRS score. NC contractors below SPRS 80 should expect closer to 12 months; contractors at SPRS 95+ may compress to 3-6 months.
Can a managed service provider help with CMMC compliance?
Yes, and many small defense contractors rely on an MSP/MSSP partner for the day-to-day operations side of CMMC (audit logging, MFA, patch management, incident response). However, the MSP itself must be CMMC Level 2 compliant if it processes or stores CUI on the contractor's behalf, and the contractor remains accountable for the assessment.
Where can I find an authorized C3PAO?
The official list is at the Cyber AB Marketplace. PDC maintains relationships with multiple C3PAOs serving the Carolinas and can scope the C3PAO selection as part of the pre-assessment engagement.