CMMC Deadline · Running Reference

    The CMMC November 2026 Deadline

    From November 10, 2026, new DoD awards involving CUI require CMMC Level 2 certification by a third-party assessor. No current certification means no award. Here is what to do now.

    The date is November 10, 2026. From that day, Phase 2 of the CMMC rule takes effect: new DoD contract awards involving Controlled Unclassified Information require CMMC Level 2 certification by a third-party assessor, not a self-assessment. No current certification means no award. It is that simple and that brutal.

    This page is the running reference. We update it as DoD guidance moves. Last updated: July 10, 2026.

    The timeline, plainly

    • November 10, 2025 (Phase 1, already in effect): self-assessments required in new contracts. Your SPRS score is live ammunition; primes are reading it.
    • November 10, 2026 (Phase 2): C3PAO certification required for Level 2 awards involving CUI. Assessor capacity is finite and the queue grows every month closer to the date.
    • What primes are doing now: not waiting. Prime contractors are flowing certification requirements to subcontractors ahead of the rule, because their compliance depends on yours. The practical deadline for many subs is whenever their prime says it is, and that letter may already be in someone's inbox at your company.

    What Level 2 actually requires

    110 security practices from NIST SP 800-171 Rev. 2, assessed with evidence. The ones that take real calendar time:

    1. A System Security Plan that reflects reality, roughly 80 pages that must match what an assessor observes
    2. MFA everywhere, enterprise-wide, and understand its limits: infostealer markets are now moving over a million logs containing credentials with active session cookies that carry the MFA claim, which is why the monitoring family below exists
    3. FIPS-validated encryption for CUI at rest and in transit
    4. Continuous monitoring, logging, and incident response with a track record. Assessors ask how long your monitoring has been operating and want evidence, not intentions
    5. Vulnerability management on a cadence you can prove, and the adversary is running their own cadence against you: this year's Iranian-nexus campaign against U.S. targets weaponized CVE-2024-55591 and CVE-2026-1281 in exactly the perimeter appliances small contractors run and forget

    Why the monitoring track record cannot be crammed

    Two dates from this spring make the argument better than any consultant deck.

    On March 11, 2026 at 3:30 a.m. EDT, operators who had spent weeks quietly inside a major medtech company's identity layer issued a bulk wipe through the victim's own Intune console and destroyed roughly 200,000 systems before sunrise. Every early phase of that kill chain, the February password spraying, the phishing proxy at sso.bookairway.com, the Rclone exfiltration to ordinary cloud buckets, was detectable for weeks by anyone watching.

    In April, CISA's AR26-113a documented the FIRESTARTER backdoor persisting inside a federal agency's Cisco firewall through reboots and patches while generating no log events at all. Finding it takes flow-to-authentication reconciliation and dormant account analysis, hunting, not alerting.

    That is the standard your monitoring is being measured against, by assessors and by adversaries. A capability stood up the month before assessment has no history to show either of them.

    The math on the time remaining

    Count backward from November 10, 2026. C3PAO assessments are scheduled months out and tightening. Remediation of a typical small contractor's gap analysis runs 6 to 12 months. The gap analysis takes weeks. Monitoring controls need months of operating history to produce assessment-grade evidence. Paperwork can be accelerated. A track record cannot. Start with the controls that have a time dimension.

    What we handle

    ThreatHunter.ai carries the monitoring-heavy control families for DIB contractors: 24/7 hunt team coverage, audit log collection and review (3.3.x), incident response with your DFARS 72-hour DIBNet clock in mind (3.6.x), and system integrity monitoring (3.14.x), with assessor-ready evidence. The compliance side is what our JAXBERT platform is built for: walking all 110 NIST SP 800-171 practices, your live SPRS score, your SSP and POA&M, and the C3PAO assessment package. We are not your C3PAO and not a paperwork mill. We are the part of your 110 controls that has to actually operate at 3:30 a.m., with proof it did.

    Frequently Asked Questions

    Do I need CMMC certification if I only hold FCI, not CUI?

    Level 1 self-assessment covers FCI-only contractors. Level 2 certification applies where CUI is involved. Check your contracts and ask your contracting officer, not your gut.

    Can I get certified after November 10, 2026?

    Yes, but you cannot win affected awards until you are, and assessor queues will be at their worst exactly then.

    Does an MDR provider get me CMMC certified?

    No provider certifies you. A monitoring provider carries the audit, incident response, and system integrity families and supplies evidence; the certification is yours to earn.