TL;DR: CMMC 2.0 Phase 2 begins November 10, 2026, when third-party C3PAO certifications become a mandatory condition for Level 2 contract awards. Only about 1% of 220,000 affected defense contractors are estimated to be fully prepared. North Carolina manufacturers, machine shops, and primes targeting 2027 contracts must have a remediation roadmap active now, because Level 2 readiness typically requires 6 to 12 months. The October 31, 2026 cutover marks the point at which all new DoD contracts will require certification at the contract-specified level.
Key takeaway: November 10, 2026 is not a soft deadline. It is the inflection point at which Level 2 contracts begin requiring third-party C3PAO certification before award. Contractors without an active roadmap by Q2 2026 will likely be unable to bid on covered contracts.
Need a CMMC readiness assessment fast? Contact Preferred Data Corporation at (336) 886-3282 for a CMMC Level 2 gap assessment and remediation roadmap. We support High Point, Greensboro, Charlotte, Raleigh, and Winston-Salem defense contractors with documented, audit-ready compliance.
What Happens on November 10, 2026 for NC Defense Contractors?
On November 10, 2026, CMMC 2.0 enters Phase 2, when DoD begins requiring third-party C3PAO certification as a mandatory condition for Level 2 contract awards. This is the inflection point that transforms CMMC from a phased rollout into a binding contractual requirement for the majority of defense suppliers handling Controlled Unclassified Information (CUI).
The full timeline as of May 2026:
| Phase | Effective Date | What Changes |
|---|---|---|
| Phase 1 | November 10, 2025 | DoD begins inserting CMMC requirements into new contracts; Level 1 and Level 2 self-assessments accepted with SPRS submission |
| Phase 2 | November 10, 2026 | C3PAO certifications mandatory for Level 2 contracts; self-attestation no longer sufficient for most CUI work |
| Phase 3 | November 10, 2027 (planned) | Level 2 certification expanded to include option contracts and a wider universe of awards |
| Phase 4 | November 10, 2028 (planned) | All applicable contracts include CMMC requirements at the appropriate level |
| Final cutover | October 31, 2026 | All new DoD contracts will require certification at a specific CMMC level based on whether they handle CUI or FCI |
For North Carolina defense contractors, the squeeze comes from two directions: DoD writes the requirement directly into new contracts, and primes push it down through their supply chains under DFARS 252.204-7021, which makes prime contractors responsible for their entire subcontractor base. Subcontractors that fail to certify lose their place in the supply chain regardless of past performance.
The ramp is unforgiving. Industry estimates suggest only about 1% of 220,000 affected defense contractors are fully prepared, and the average manufacturer requires 6 to 12 months to reach audit readiness. North Carolina shops targeting 2027 contract awards must have a remediation roadmap active by Q2 2026 at the latest.
What CMMC Level Does My NC Business Need?
Your CMMC level depends on the type of information your contract handles. The CMMC 2.0 framework defines three levels mapped to data sensitivity, and your contracts will specify the level required.
Level 1 (Foundational): Required for contractors that handle Federal Contract Information (FCI) but not CUI. Level 1 covers 17 basic safeguarding practices defined in FAR 52.204-21 and can be satisfied with an annual self-assessment and SPRS submission. Most small subcontractors that simply provide products or services without sensitive technical data fall under Level 1.
Level 2 (Advanced): Required for contractors that handle CUI. Level 2 aligns with the 110 controls of NIST SP 800-171. Most NC manufacturers, machine shops, engineering firms, and IT service providers in the defense supply chain will need Level 2. Beginning November 10, 2026, Level 2 requires C3PAO third-party certification for most contracts.
Level 3 (Expert): Required for contractors handling CUI in the highest-priority programs. Level 3 builds on Level 2 with additional controls from NIST SP 800-172. Level 3 is uncommon for small businesses but applies to higher-tier primes and specific programs.
For most North Carolina defense suppliers, the operational answer is Level 2. If your contracts include CUI markings, your DoD primes are sending you technical data packages, drawings, or specifications, or you have ever signed a DD Form 254, plan for Level 2 certification.
What Are the 110 Controls Required for CMMC Level 2?
The 110 controls required for CMMC Level 2 align directly with NIST SP 800-171 and span 14 control families that govern how CUI is protected throughout your environment. These are not aspirational. C3PAO assessors verify implementation through evidence, interviews, and technical review.
| Control Family | Number of Controls | Common SMB Gap Areas |
|---|---|---|
| Access Control (AC) | 22 | Privileged access, separation of duties |
| Awareness and Training (AT) | 3 | Documented role-based training records |
| Audit and Accountability (AU) | 9 | Centralized log retention, log review process |
| Configuration Management (CM) | 9 | Baseline configurations, change management |
| Identification and Authentication (IA) | 11 | MFA on all CUI access, password policies |
| Incident Response (IR) | 3 | Documented IR plan with testing |
| Maintenance (MA) | 6 | Maintenance personnel access controls |
| Media Protection (MP) | 9 | CUI media marking, sanitization |
| Personnel Security (PS) | 2 | Position risk designations, screening |
| Physical Protection (PE) | 6 | Visitor logs, physical access controls |
| Risk Assessment (RA) | 3 | Annual risk assessment, vulnerability scanning |
| Security Assessment (CA) | 4 | System Security Plan (SSP), POA&M |
| System and Communications Protection (SC) | 16 | Boundary protection, FIPS-validated cryptography |
| System and Information Integrity (SI) | 7 | Anti-malware, patching cadence, monitoring |
The two artifacts assessors examine first are the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). The SSP must accurately describe how each control is implemented in your environment, and the POA&M must list any partial implementations with deadlines and owners.
Key takeaway: CMMC Level 2 is not a checklist. It is a documented, evidence-backed implementation of 110 controls, validated by a third-party assessor against your actual environment.
How Long Does CMMC Level 2 Implementation Take for NC Small Manufacturers?
CMMC Level 2 implementation typically takes 6 to 12 months for a small North Carolina manufacturer that is starting from a typical commercial security posture. The timeline depends on the size of the CUI environment, the existing maturity of IT controls, and whether the business uses an enclave strategy to limit scope.
A realistic phased timeline for a 50-to-250-employee NC manufacturer:
Months 1-2: Scoping and gap assessment. Identify what counts as CUI in your environment, map data flows, define the boundary of the assessment scope, and conduct a gap assessment against all 110 controls. Many manufacturers reduce scope through an enclave strategy that isolates CUI in a dedicated environment.
Months 2-4: Foundational control deployment. Deploy MFA on all CUI access, implement endpoint protection and EDR across in-scope assets, establish centralized logging, and roll out baseline configurations. Most "quick wins" land in this phase.
Months 3-6: Documentation and policy. Author the System Security Plan, write the supporting policies (acceptable use, incident response, configuration management, media handling, etc.), and create the Plan of Action and Milestones. Documentation is often the longest-running task.
Months 5-8: Advanced controls and integration. Deploy FIPS-validated cryptography, configure boundary protection (firewall, DLP, NAC), implement privileged access management, and establish continuous monitoring. Integrate logging into a SIEM with retention.
Months 7-10: Self-assessment and remediation. Conduct an internal self-assessment against all 110 controls, identify remaining gaps, and remediate. Many businesses also engage a third party for a mock assessment in this phase.
Months 9-12: Formal C3PAO assessment. Schedule and complete the formal C3PAO assessment. Plan for 4 to 8 weeks of evidence preparation and 1 to 3 weeks of on-site or virtual assessment activity.
| Business Profile | Expected Timeline | Likely Cost Range (excluding hardware) |
|---|---|---|
| Small machine shop, 10-25 employees, single-site | 6 to 9 months | $50,000 to $150,000 |
| Mid-size manufacturer, 50-250 employees | 9 to 12 months | $150,000 to $400,000 |
| Multi-site manufacturer or prime, 250+ employees | 12 to 18 months | $400,000 to $1,000,000+ |
These ranges include consulting, tooling, third-party assessment, and remediation labor. Manufacturers that adopt an enclave strategy often land at the lower end of these ranges by reducing scope.
What Is an Enclave Strategy and Why Should NC Manufacturers Use It?
An enclave strategy is the practice of isolating CUI into a dedicated, well-bounded environment so that CMMC Level 2 controls apply only to that enclave rather than the entire business network. For North Carolina manufacturers running mixed commercial and defense work, an enclave strategy can reduce CMMC scope by 60 to 90 percent and cut implementation cost proportionally.
The enclave can take several forms:
- Dedicated cloud environment. Microsoft 365 GCC High or AWS GovCloud creates a clean boundary that meets FIPS, FedRAMP Moderate, and many of the technical CMMC controls out of the box.
- Segmented on-premises enclave. A physically and logically separated network segment with its own access controls, EDR, logging, and storage. Common for manufacturers with sensitive engineering files or production systems handling CUI.
- Hybrid enclave. Cloud-based identity and document management combined with segmented on-premises production systems for CUI-related manufacturing data.
Enclave strategies work best when:
- CUI is concentrated in identifiable systems (engineering, contracts, project management)
- The business has a mix of commercial and defense work
- Leadership accepts the operational discipline of "CUI never leaves the enclave"
Successful enclaves are paired with strict data handling policies, training, and technical controls that prevent CUI from flowing to commercial systems. A managed CMMC partner can stand up an enclave in 60 to 120 days, often using GCC High as the foundation.
Key takeaway: An enclave strategy is the highest-leverage decision for SMBs pursuing CMMC Level 2. It reduces scope, cost, and complexity without compromising the integrity of CUI protection.
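The scoping and gap-assessment step of the timeline above, and the "CUI never leaves the enclave" rule of the enclave strategy, can be checked mechanically against an asset inventory. The following is an added example written for this page; it is not code from the original article or from Preferred Data Corporation. The inventory, the asset attributes, and the five sample controls are constructed; the point weights and partial credit follow the DoD NIST SP 800-171 Assessment Methodology for those five controls but should be confirmed against the published table, and the score assumes every control not in the sample table is implemented.

```python
"""Scope-aware CMMC Level 2 gap check over a constructed asset inventory.

Added example, not from the original article. Asset attributes, the sample
control subset, and the weights are assumptions to be confirmed against the
full NIST SP 800-171 control set and DoD's assessment methodology.
"""
from dataclasses import dataclass

# Constructed inventory for a mixed commercial/defense shop. "enclave" marks
# assets inside the intended CUI boundary; each boolean is evidence for one control.
INVENTORY = [
    {"name": "eng-ws-01", "enclave": True, "handles_cui": True, "mfa": True,
     "edr": True, "central_logging": True, "fips_crypto": True, "baseline": True},
    {"name": "eng-ws-02", "enclave": True, "handles_cui": True, "mfa": False,
     "edr": True, "central_logging": True, "fips_crypto": False, "baseline": True},
    {"name": "cnc-ctrl-01", "enclave": True, "handles_cui": True, "mfa": False,
     "edr": False, "central_logging": False, "fips_crypto": False, "baseline": False},
    {"name": "sales-laptop-03", "enclave": False, "handles_cui": False, "mfa": False,
     "edr": True, "central_logging": False, "fips_crypto": False, "baseline": False},
    # Scoping error: CUI found on a commercial asset outside the enclave.
    {"name": "shared-nas", "enclave": False, "handles_cui": True, "mfa": False,
     "edr": False, "central_logging": False, "fips_crypto": False, "baseline": False},
]

# Sample controls: (id, family, evidencing attribute, full deduction, partial deduction).
# Partial credit exists in the methodology only for MFA (3.5.3) and FIPS crypto (3.13.11).
CONTROLS = [
    ("3.5.3", "IA", "mfa", 5, 3),             # multifactor authentication
    ("3.13.11", "SC", "fips_crypto", 5, 3),   # FIPS-validated cryptography
    ("3.3.1", "AU", "central_logging", 5, None),
    ("3.4.1", "CM", "baseline", 5, None),
    ("3.14.2", "SI", "edr", 5, None),         # malicious code protection
]


@dataclass
class Finding:
    control: str
    family: str
    status: str            # "implemented", "partial", or "not implemented"
    deduction: int
    failing_assets: list


def in_scope(inventory):
    """Level 2 boundary: the enclave plus anything that handles CUI, intended or not.
    An assessor scopes by where CUI actually lives, not by where the diagram says it does."""
    return [a for a in inventory if a["enclave"] or a["handles_cui"]]


def scope_violations(inventory):
    """CUI outside the enclave: either move the data or extend the boundary before assessment."""
    return [a["name"] for a in inventory if a["handles_cui"] and not a["enclave"]]


def assess(inventory, controls=CONTROLS):
    """Evaluate each sample control against every in-scope asset.
    Simplification: 'partial' means some but not all in-scope assets show evidence,
    and is only granted where the methodology allows partial credit."""
    scoped = in_scope(inventory)
    findings = []
    for cid, family, attr, weight, partial in controls:
        failing = [a["name"] for a in scoped if not a[attr]]
        if not failing:
            findings.append(Finding(cid, family, "implemented", 0, []))
        elif partial is not None and len(failing) < len(scoped):
            findings.append(Finding(cid, family, "partial", partial, failing))
        else:
            findings.append(Finding(cid, family, "not implemented", weight, failing))
    return findings


def sprs_score(findings):
    """SPRS-style score: start at 110 and subtract each unmet control's weight."""
    return 110 - sum(f.deduction for f in findings)


def gaps_by_family(findings):
    """Count of unmet controls per family, mirroring the control-family table."""
    out = {}
    for f in findings:
        if f.status != "implemented":
            out[f.family] = out.get(f.family, 0) + 1
    return out


def poam(findings):
    """POA&M rows for every unmet control; owner and due date are placeholders to fill in."""
    return [{"control": f.control, "family": f.family, "status": f.status,
             "assets": f.failing_assets, "owner": "TBD", "due": "TBD"}
            for f in findings if f.status != "implemented"]


if __name__ == "__main__":
    results = assess(INVENTORY)
    print("scope violations:", scope_violations(INVENTORY))
    print("score:", sprs_score(results), "gaps:", gaps_by_family(results))
    for row in poam(results):
        print(row)
```

Running it on the constructed inventory flags shared-nas as a scope violation and, because that asset is pulled into scope, drives the deductions on every sample control; fixing the scoping error first (moving the data into the enclave or decommissioning the share) removes a failing asset from every row of the POA&M, which is the cost-reduction effect the enclave strategy is meant to deliver.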
Need help scoping your CMMC enclave strategy? Contact Preferred Data Corporation at (336) 886-3282 to schedule a CMMC scoping workshop and Level 2 readiness assessment. Visit us at 1208 Eastchester Drive, Suite 131, High Point, NC 27265.
What Should NC Subcontractors Do If Their Prime Demands CMMC Compliance?
If your prime demands CMMC compliance, you have three viable paths and one path that ends your role in the supply chain. Subcontractors in the Piedmont Triad and across North Carolina that are receiving compliance flow-down letters from primes should act now, not at the deadline.
Path 1: Pursue Level 2 certification. This is the most common path for subcontractors that intend to remain on defense work. Engage a managed services partner with CMMC experience, conduct a gap assessment, deploy controls, document an SSP and POA&M, and schedule a C3PAO assessment within the prime's required timeline.
Path 2: Pursue Level 1 self-assessment. If your scope is limited to FCI without CUI, Level 1 self-assessment may satisfy the requirement. Confirm in writing with the prime that Level 1 is acceptable for the contract scope before investing.
Path 3: Accept work that does not require CMMC. For subcontractors with limited bandwidth, focus on commercial work or defense work that does not involve CUI. This is a viable strategy for shops where defense work is a small portion of revenue.
Path that ends your role: Ignore the requirement and assume the prime will accept past performance as a substitute. Under DFARS 252.204-7021, primes are responsible for their supply chain. Primes will replace non-compliant subs because their own contract performance depends on it.
For North Carolina machine shops, fabricators, and engineering firms, the operational reality in 2026 is that Level 1 covers a small portion of CUI-adjacent work and most defense subcontracts will require Level 2. The earlier the decision, the cheaper the path.
What Are the Most Common CMMC Implementation Mistakes for SMBs?
The most common CMMC implementation mistakes for SMBs are the mistakes that most extend the timeline and inflate the cost. North Carolina manufacturers and contractors planning their Level 2 path should avoid each of these:
- Treating CMMC as an IT project rather than a business transformation. CMMC affects HR, legal, operations, and finance, not just IT. Without executive sponsorship and cross-functional ownership, implementations stall in the documentation phase.
- Skipping the scoping phase. Businesses that do not scope CUI carefully end up applying Level 2 controls across their entire environment, multiplying cost. A clear scoping decision is the highest-leverage action of the entire program.
- Choosing the wrong cloud platform. Standard Microsoft 365 Commercial does not meet CMMC Level 2 requirements for CUI. Migration to GCC High or GCC Moderate takes 60 to 180 days. Starting on the wrong platform doubles the cost.
- Underestimating documentation. SSPs run 200 to 600 pages for typical SMBs. Most businesses underestimate the writing effort by 3x to 5x. Plan accordingly.
- Hiring a CMMC consultant without a managed services partner. Consultants help write the SSP and POA&M but cannot operate the controls. A managed services partner that runs the controls daily is essential for sustained compliance.
- Waiting for the deadline to engage a C3PAO. C3PAO capacity is constrained. Manufacturers waiting until Q3 2026 to schedule their assessment may not get a slot until 2027, missing contract opportunities.
For NC defense suppliers, the path of least cost and risk is a combined consulting and managed services engagement that starts no later than Q2 2026 for Q1 2027 contract eligibility.
Frequently Asked Questions
What is the difference between CMMC Phase 1 and Phase 2?
CMMC Phase 1 began November 10, 2025 and allowed Level 1 and Level 2 self-assessments with SPRS score submission. Phase 2 begins November 10, 2026 and requires third-party C3PAO certification for Level 2 contract awards. Phase 2 is the cutover from self-attestation to formal third-party validation.
How much does a CMMC Level 2 assessment cost?
CMMC Level 2 third-party assessments typically cost $30,000 to $150,000 depending on the size and complexity of the environment. Total program cost, including remediation, tooling, and consulting, ranges from $150,000 to $400,000 for a typical mid-size NC manufacturer pursuing Level 2.
Can I use Microsoft 365 Commercial for CMMC Level 2?
No. Microsoft 365 Commercial does not meet CMMC Level 2 requirements for handling CUI. NC manufacturers handling CUI typically migrate to Microsoft 365 GCC High or implement an enclave strategy that isolates CUI from commercial productivity tools.
What is an SPRS score and how does it relate to CMMC?
The Supplier Performance Risk System (SPRS) score is the self-assessed numerical score against the 110 NIST SP 800-171 controls, used during Phase 1 to demonstrate compliance posture. Beginning Phase 2, the SPRS score remains relevant but third-party C3PAO certification supersedes self-attestation for most Level 2 contracts.
Does CMMC apply to subcontractors who never see CUI?
CMMC Level 1 applies to contractors that handle Federal Contract Information (FCI) but not CUI. Subcontractors that handle no FCI or CUI may not require CMMC, but primes often impose Level 1 as a minimum baseline through DFARS 252.204-7021 supply chain requirements.
What is a C3PAO?
A C3PAO is a Certified Third-Party Assessor Organization, accredited by the Cyber AB (formerly the CMMC Accreditation Body) to conduct CMMC Level 2 certification assessments. C3PAOs schedule, conduct, and submit assessment results to the DoD.
How long is a CMMC certification valid?
A CMMC Level 2 certification is valid for three years, with annual self-affirmation and ongoing compliance during that period. Failure to maintain compliance during the three-year window can trigger conditional re-assessment or contract review.
How does Preferred Data Corporation help NC defense contractors achieve CMMC compliance?
Preferred Data Corporation provides CMMC scoping workshops, Level 2 gap assessments, enclave architecture, managed cybersecurity for the implementation phase, and ongoing managed compliance services that maintain the controls after certification. We support manufacturers, machine shops, engineering firms, and primes across High Point, the Piedmont Triad, Charlotte, Raleigh, and Winston-Salem.