TL;DR: CMMC 2.0 Phase 2 enforcement begins November 10, 2026 - just six months from now. According to industry analysis, only about 1% of the ~220,000 affected defense contractors are fully prepared, and C3PAO assessment lead times have already grown to 3-6 months. Most NC manufacturers and subcontractors who have not started will not be assessment-ready in time. This article lays out what to do in each of the remaining six months to keep your DoD revenue intact.
Need a CMMC readiness assessment? Preferred Data Corporation has supported NC defense suppliers and manufacturers since 1987. Call (336) 886-3282 or request a CMMC gap analysis.
What changes on November 10, 2026?
CMMC 2.0 Phase 2 begins requiring third-party Level 2 assessments by Certified Third-Party Assessment Organizations (C3PAOs) for applicable DoD contracts. According to Radicl's deadline analysis and the DoD's CMMC 2.0 program page, Phase 1 (which began November 2025) allowed self-assessment paths; Phase 2 closes that door for contracts handling Controlled Unclassified Information (CUI).
The four-phase rollout overview:
| Phase | Effective Date | Requirement |
|---|---|---|
| Phase 1 | Nov 2025 | DoD adds CMMC Level 1/2 self-assessment to applicable contracts |
| Phase 2 | Nov 10, 2026 | DoD adds Level 2 C3PAO certification to applicable contracts |
| Phase 3 | Nov 2027 | DoD adds Level 3 (DIBCAC) assessment to applicable contracts |
| Phase 4 | Nov 2028 | All applicable DoD contracts include CMMC clauses at award |
Key takeaway: "Applicable contracts" is the operative phrase. Once a contract includes the CMMC clause, your business cannot be awarded that contract without the matching certification level. NC subcontractors who think they have until 2028 may find their prime contractor flowing down requirements much earlier.
Why are only ~1% of NC defense contractors ready?
Three reasons: scope confusion, cost shock, and assessor capacity. Industry estimates summarized by Breach Craft and M2 Technology put full Level 2 readiness at roughly 1% of the 220,000+ contractors in scope. The bottlenecks NC small businesses hit:
- Scope confusion. Many NC manufacturers treat CMMC as a "cybersecurity policy" project when it is actually a 110-control implementation rooted in NIST SP 800-171. The scope of "what holds CUI" is often broader than expected.
- Cost shock. Average Level 2 readiness investment runs $50,000 to $250,000 for a small contractor when policies, technology, and assessment fees are combined. C3PAO assessment costs alone typically run $30,000 to $150,000.
- Assessor capacity. C3PAOs are reporting 3-6 month wait times in May 2026; that capacity will compress further as the deadline approaches. Contractors who have not booked assessments by July 2026 may not be certified by November.
- Implementation time. TSI Support and others note the real timeline runs 12 to 18 months from kickoff to assessment-ready, meaning many NC contractors who started in late 2025 are still mid-implementation.
What is the realistic six-month action plan for NC defense contractors?
Here's a month-by-month plan for an NC small contractor in scope for Level 2 who has not yet started seriously, ranked by what is achievable in time and what must wait:
May 2026 (Month 1): Scoping and Gap Analysis
- Identify every system, network, and storage location that processes, stores, or transmits CUI
- Define the CMMC assessment boundary (the "CMMC enclave")
- Run a gap analysis against all 110 NIST SP 800-171 controls
- Document a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
- Submit the self-assessment score to the Supplier Performance Risk System (SPRS)
June 2026 (Month 2): Foundation Controls
- Deploy MFA on every system that touches CUI (this alone covers 5+ controls)
- Implement endpoint detection and response (EDR) on every endpoint in scope
- Establish encrypted backup with documented test cadence
- Stand up GCC High or FedRAMP-authorized cloud workloads if cloud is in scope
- Implement DNS filtering and email security (anti-phishing, DMARC enforcement)
July 2026 (Month 3): Network and Identity
- Segment the CMMC boundary from non-CUI networks
- Deploy a SIEM or managed XDR with CUI event logging
- Implement role-based access control with documented permissions reviews
- Apply privileged access management for administrators
- Schedule the C3PAO assessment for September-October 2026 (book NOW)
August 2026 (Month 4): Documentation and Training
- Author or refresh 50+ required policies (incident response, configuration management, access control, etc.)
- Conduct security awareness training for all CUI-touching personnel
- Run a tabletop exercise covering incident response and breach notification
- Test backup restoration with documented results
- Conduct internal pre-assessment against the 110 controls
September 2026 (Month 5): Pre-Assessment Cleanup
- Address all critical and high gap findings
- Validate every control with documentary evidence (logs, screenshots, policy versions)
- Complete physical security improvements (access logs, visitor management, secure media handling)
- Conduct a mock assessment with an RPO (Registered Practitioner Organization) if available
October 2026 (Month 6): Assessment
- Host the C3PAO on-site (or remote) assessment
- Provide evidence packages for every control
- Address any minor findings via POA&M (Level 2 allows POA&Ms for non-critical controls when the assessment scores above 80%)
- Receive certification or remediation guidance
Key takeaway: This is a sprint, not a marathon, for contractors starting in May 2026. NC businesses that delay past June will face a near-impossible compression schedule and may need to accept a contract gap during the certification process.
What if my NC business cannot make November 2026?
You have three realistic options, ranked by cost and revenue impact:
| Option | Description | Revenue Impact |
|---|---|---|
| 1. Assessment by Q1 2027 | Continue compliance work, accept short contract gap | 1-3 months of contract pause |
| 2. Subcontract through certified primes | Stay below the contract clause threshold by working through certified larger contractors | 5-15% margin compression |
| 3. Exit DoD work | Pivot to commercial customers in adjacent industries | Revenue diversification, but multi-year transition |
For most NC manufacturers in defense supply chains, Option 1 or 2 is far more profitable than Option 3. Defense contracts typically carry 15 to 25% gross margins above commercial work and provide multi-year revenue visibility that is hard to replace.
How does the CMMC enclave strategy save NC small businesses money?
A CMMC enclave dramatically reduces the assessment scope, often cutting compliance costs by 40 to 70%. Instead of certifying your entire business, you build a small, well-defined network and storage segment that holds all CUI. Only that enclave requires Level 2 controls and assessment.
A typical NC manufacturer enclave includes:
- A dedicated GCC High or FedRAMP High M365 tenant
- Hardware-isolated workstations (or virtual desktops) for engineers handling CUI
- Encrypted file storage with strict access controls
- A dedicated network segment with its own firewall and monitoring
- Documented processes for moving data into and out of the enclave
The contractor's commercial business, accounting, HR, and non-CUI engineering work stay outside the enclave and are subject to standard cybersecurity hygiene only.
What does CMMC compliance actually cost NC small businesses?
Total program cost ranges from $50,000 to $500,000+ for Level 2 over the first 18 months, with ongoing annual costs of $25,000 to $150,000 for managed services and continuous compliance.
A realistic cost breakdown for a 25-50 person NC defense contractor:
| Cost Category | Year 1 | Year 2+ |
|---|---|---|
| Gap assessment (RPO/consultant) | $10,000 - $30,000 | $5,000 - $15,000 |
| Technology (EDR, SIEM, MFA, cloud licensing) | $25,000 - $100,000 | $20,000 - $80,000 |
| Policy development | $10,000 - $40,000 | $2,000 - $10,000 |
| Training | $3,000 - $15,000 | $3,000 - $15,000 |
| Penetration testing | $5,000 - $25,000 | $5,000 - $25,000 |
| C3PAO assessment | $30,000 - $150,000 | $0 (3-year cert cycle) |
| Managed cybersecurity services | $40,000 - $150,000 | $40,000 - $150,000 |
| Total | $123,000 - $510,000 | $75,000 - $295,000 |
Compare that to the average DoD contract value at the small contractor tier ($500,000 to $5M annually) and the math typically favors investment unless your defense revenue is below $250,000 annually.
Why are NC defense contractors particularly affected?
North Carolina hosts more than 60,000 defense industry jobs across the state, with concentrations near Fort Liberty (formerly Fort Bragg), Camp Lejeune, Seymour Johnson AFB, and the Piedmont Triad's manufacturing base in High Point and Greensboro. NC small manufacturers in furniture, textiles, machine shops, electronics, and aerospace component supply chains all find themselves flowed down CMMC requirements through prime contractors.
Three NC-specific dynamics:
- Tier-3 and Tier-4 supply chain depth. Furniture and textile manufacturers supplying military barracks and uniforms often discover CMMC clauses in unexpected contracts.
- Geographic concentration of primes. Major defense primes operate in Charlotte and Raleigh-Durham and routinely flow down CMMC requirements to their NC supplier base.
- Workforce and infrastructure. NC's combination of military bases, defense primes, and small manufacturers creates a tight ecosystem where one contractor's CMMC failure ripples through dozens of relationships.
How does PDC help NC defense contractors meet the November 2026 deadline?
Preferred Data Corporation provides end-to-end CMMC 2.0 readiness services for NC defense contractors, including gap analysis, enclave architecture, GCC High and FedRAMP cloud deployments, continuous control monitoring, and pre-assessment validation. Our team has supported NC manufacturers through the transition from DFARS 252.204-7012 to CMMC 2.0, and our managed cybersecurity services map directly to the 110 NIST SP 800-171 controls.
We are not a C3PAO and do not perform certifying assessments (that would be a conflict of interest). Instead, we get NC small businesses ready, partner with C3PAOs for the assessment itself, and operate the controls long after certification.
Schedule a CMMC readiness gap analysis:
- Call (336) 886-3282
- Visit preferreddata.com/contact
Frequently Asked Questions
Is CMMC Phase 2 a hard deadline?
It's a contract-level deadline, not a calendar-level deadline. Beginning November 10, 2026, the DoD adds Level 2 C3PAO certification requirements to applicable new contracts and contract options. If your existing contracts are not renewed or extended with CMMC clauses, you have more time. If they are - and most are renewed annually or every 5 years - you face the deadline at renewal. TSI Support explains the nuance well.
Do subcontractors need CMMC certification too?
Yes, if they handle CUI. Prime contractors flow down CMMC requirements to subcontractors at the level matching what they handle. A subcontractor that machines a part from a CUI-controlled drawing must meet Level 2; a subcontractor that only ships finished goods may only need Level 1.
Can I use my SPRS self-assessment score for Phase 2?
No. The SPRS self-assessment satisfied DFARS 252.204-7012 requirements and Phase 1 of CMMC. Phase 2 requires a third-party assessment by a C3PAO and a CMMC certification, not a self-assessment. Your SPRS score is still useful as a baseline for tracking improvement.
What happens if we fail a C3PAO assessment?
You receive a remediation plan with specific findings. Most contractors can remediate critical findings and re-engage the C3PAO for a focused re-assessment within 60 to 90 days. Level 2 also allows POA&Ms (Plans of Action and Milestones) for up to 20% of controls if scored above 80%, meaning some gaps can be planned for remediation post-certification.
Should we wait for the rule to change instead of investing now?
No. The CMMC 2.0 final rule was published in October 2024 and the four-phase implementation timeline is locked. Waiting saves nothing - assessment capacity is the binding constraint, and waiting only pushes you to the back of a longer line. Even if specific contract clauses delay, your competitive position erodes if peers certify first.