Family Owned·Veteran Owned·Made in USA
Defense · June 20, 2026 · 6 min read

CMMC Level 2 for Tier-2 Defense Manufacturers: What Phase 2 Means in November 2026

CMMC Phase 1 is active now. Phase 2 hits November 10, 2026, when Level 2 third-party assessments become the default requirement. Here's what defense Tier-2 manufacturers need to know.

Adam Blackman · Owner · Compliance · June 20, 2026 · 6 min read

Quick Answer: CMMC (Cybersecurity Maturity Model Certification) Phase 2 takes effect November 10, 2026. From that date, Tier-2 defense manufacturers handling Controlled Unclassified Information (CUI) must hold a CMMC Level 2 certification verified by a third-party assessment from an Authorized C3PAO. Self-attestation is no longer sufficient for new contract awards through Prime contractors.

CMMC Level 2 is built on the 110 security controls in NIST SP 800-171 Rev 2. Tier-2 suppliers should schedule their C3PAO assessment now: the assessor ecosystem is constrained, and missing the Phase 2 cutover means losing eligibility for new defense contract awards.

A procurement officer at a Prime defense contractor preparing the supplier base for the November 10, 2026 CMMC Phase 2 transition has roughly five months to confirm every Tier-2 supplier handling Controlled Unclassified Information will pass a third-party assessment. A supplier who self-attests today and cannot produce a clean C3PAO assessment by Phase 2 effectively loses eligibility for new contract awards through that prime. The math of the CMMC rollout schedule is unforgiving, and the assessment ecosystem (Authorized C3PAOs, certified assessors, scheduling capacity) is already constrained heading into the second half of 2026.

This post walks through what Phase 2 actually changes, what CMMC Level 2 substantively requires, and what defense Tier-2 manufacturers should be doing now to remain qualified after the Phase 2 cutover.

Where we are in the CMMC rollout

32 CFR Part 170, the CMMC program final rule, was published October 15, 2024, and took effect December 16, 2024. The implementing DFARS rule (Case 2019-D041) was published September 10, 2025, and operates through DFARS 252.204-7021 (NOV 2025) on contracts, with DFARS 252.204-7025 appearing in solicitations.

The rollout proceeds in four phases under 32 CFR 170.3(e):

| Phase | Effective Date | What Changes |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 and Level 2 self-assessment requirements appear in new solicitations. Level 2 C3PAO third-party certification may be required at DoD's discretion on select contracts. |
| Phase 2 | November 10, 2026 | Level 2 C3PAO third-party certification becomes the standard requirement for new contracts processing CUI. Self-assessment alone is no longer sufficient for most Level 2 contracts. |
| Phase 3 | November 10, 2027 | Level 2 C3PAO requirements expand broadly across the contract portfolio. Level 3 DIBCAC assessments introduced for high-priority programs. |
| Phase 4 | November 10, 2028 | Full implementation. CMMC requirements apply to all applicable solicitations, contracts, options, and task/delivery orders. |

A Tier-2 manufacturer reading this in mid-2026 is in the Phase 1 window. New contracts being solicited today carry CMMC requirements; new contracts being solicited after November 10, 2026 will increasingly require third-party certification rather than self-attestation.

What CMMC Level 2 substantively requires

CMMC Level 2 is built on NIST SP 800-171 Revision 2, not Rev 3, despite Rev 3 having been finalized May 14, 2024. The 32 CFR Part 170 program rule incorporates Rev 2 by reference; moving CMMC L2 to Rev 3 would require a new rulemaking cycle, and that has not happened as of 2026.

The substantive requirements:

  • 110 security controls organized across 14 control families covering access control, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
  • Annual affirmation in the Supplier Performance Risk System (SPRS) confirming compliance status.
  • Three-year certification cycle when assessed by a C3PAO.
  • Minimum passing score 80% (88 of 110 points). POA&Ms (Plan of Action and Milestones) are permitted on certain 1-point controls but never on 3-point or 5-point controls, with one narrow exception.
  • 180-day POA&M closure window for conditional certifications: open items must be remediated and re-verified within six months.

The 110-control set has been in operative use since the original Rev 2 publication in January 2021. Defense Tier-2 manufacturers who completed credible self-assessments in 2023 and 2024 have most of the technical work in place; the Phase 2 transition is largely about converting that internal posture into a verifiable third-party assessment.

What Phase 2 specifically changes

Three things shift on November 10, 2026:

1. Self-attestation alone stops being sufficient for most Level 2 contracts. A supplier currently relying on a self-completed NIST 800-171 DoD Assessment Methodology score in SPRS will need to schedule and complete a C3PAO assessment to maintain eligibility for new awards on contracts processing CUI.

2. C3PAO assessment scheduling becomes the bottleneck. The CMMC Accreditation Body (Cyber AB) lists Authorized C3PAOs publicly. The number of authorized assessors is finite, and the demand wave from Phase 2 onward will compress scheduling windows. Suppliers waiting until late 2026 to start the assessment process are likely to face multi-month wait times.

3. The MSP and cloud-provider scope question gets settled at the contract level. Under 32 CFR 170, managed service providers and cloud providers handling CUI are explicitly in scope. A supplier whose IT is largely outsourced needs to verify that the MSP's CMMC posture supports the supplier's intended assessment scope, and that the MSP has its own assessment posture documented.

What the Tier-2 supplier should already be doing in mid-2026

Six steps that materially de-risk a Phase 2 transition:

1. Confirm operative SPRS score. The most recent NIST 800-171 DoD Assessment Methodology score posted to SPRS should be current and defensible. A stale or low score signals supplier risk to the prime's procurement team independent of CMMC status.

2. Inventory the CUI handling footprint. Where does CUI live: file shares, ERP, drawing repositories, email? Which workstations process it? Which networks transit it? The Phase 2 assessment evaluates control implementation across the actual scope, not the documented scope.

3. Identify the C3PAO and book the assessment window. C3PAO scheduling is the binding constraint. A supplier targeting a Q3 or Q4 2026 assessment should have a C3PAO selected and an assessment window booked by mid-2026 at the latest.

4. Run a gap assessment against the 110 controls. A pre-assessment review by a qualified consultant or CCP (Certified CMMC Professional) identifies remediation needs while there is still time to close them before the formal assessment.

5. Document the System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Both are required artifacts for the assessment. An SSP that doesn't match operational reality fails the assessment regardless of the underlying control posture.

6. Verify the MSP / cloud-provider scope alignment. If a managed service provider handles CUI on behalf of the supplier, the MSP's posture is part of the supplier's assessment scope. Independent MSP attestations or shared-responsibility documentation must be in place.

How New Tech Metals operates under CMMC

New Tech Metals operates under a NIST and CMMC Cybersecurity Compliant posture, as documented in NTM's Certified Quality section. CUI handling procedures, system security planning, and access control are layered into the broader ISO 9001:2015 quality management system. NTM's compliance footprint (ISO 9001:2015, AWS Certified Welders, ITAR, DFARS Material Compliant, NIST and CMMC Cybersecurity Compliant, DDTC Registered) supports the contract flowdown typical of Tier-2 defense fabrication work.

A procurement officer onboarding NTM as a new Tier-2 supplier receives the compliance documentation as part of the standard supplier qualification package.

Action

If you are evaluating Tier-2 defense suppliers in the second half of 2026, request three items at minimum: current SPRS score, target C3PAO assessment window, and a copy of the System Security Plan covering CUI handling. A supplier who can produce all three within one business day is meaningfully ahead of the Phase 2 transition curve. A supplier who needs three weeks to assemble the package is operating on a timeline that may not survive Phase 2.

For CMMC-aware fabrication quotes, contact New Tech Metals.
