A
All right, folks, it is March of 2026, and this is episode 150 of the podcast. We'll talk about that at the end. Anyways, we got things to talk about. Let's clear this up right away. November of 2026 is not the deadline for all CMMC Level 2 certifications. It never has been. That is not what the phased rollout says. November 2026 is actually the point when more CMMC Level 2 certifications begin appearing in new DoD contracts. That's it. It's not a cliff. It's not a mass deadline. It is a starting point. And that's what we're going to talk about today. Jason, the November 2026 deadline is a scourge on everyone's LinkedIn feeds right now. I hear it. I see it. It is everywhere right now. And I don't know where this misinterpretation is coming from, but it is a misinterpretation, really. There's sort of two myths floating around here. One is that a hundred thousand contractors need to be level two certified by November of 2026. Oh, my God. That's seven months away. And everyone needs to have the certification by that deadline. And by extension, the ecosystem cannot support that amount of assessment volume. And so all this bad stuff is going to happen. Today, we're going to talk about that first one. We're going to talk about that November 2026 phantom deadline.
B
Okay, so we're only tackling the first one because I don't think we have enough time in a whole episode to do both. And I doubt we have enough time in a whole episode to do the first one. I agree with you that misinterpretation of the November 2026 hard deadline is something that apparently just took over like a pandemic. And it's a constant question being asked. Some are like, April, I want to be ready by April. Summer, I have to be ready by November. That's the hard deadline. While I appreciate the energy, it's not necessarily the hard deadline for everyone. I'm saying you won't have to get the certification. Just saying, not for everyone. And it's good we're talking about it today.
A
Yeah. And that's really the key takeaway: the phased rollout does not establish deadlines. November of 2026 might be your deadline if your customer told you that that's your deadline. Might be your deadline if that's when a specific contract that you're going after is going to be awarded. But November 2026 is not the deadline for everyone in the DIB. So we can figure this out on our own. People can go check it for themselves by looking at what phase two actually means in the regulation. Right. So the confusion comes from misunderstanding what phase two says in the CMMC regulation. So if you go to the CMMC rule and you read the section called applicability, specifically section 170.3, paragraph D, subparagraph 2, it is surprisingly short. Phase two is described in just four sentences. So here's the key idea, right? Phase two begins one year after phase one started. Phase one started on November 10, 2025. So we're currently, as of this conversation, we're pretty much almost in the middle of phase one. So phase two will start in November of 2026. That's the key word. It will start, it will begin, it will not complete. It's not a deadline. It's not "it ends." It begins, it commences, it... fill in your vocabulary word from there, right? Phase two starts in November of 2026. It's not a deadline.
B
Phase two starts as far as the program goes and phase two starts as far as CMMC2 level two requirements being levied down by the DoD itself, where it doesn't have any separation is what the prime does. Like you had mentioned, and you mentioned one thing specifically here, what phase two actually means and where you have to go to find it. Unfortunately, the people that are coming and saying I have a November 2026 hard deadline aren't the type of people and not saying anything bad about them, but aren't the kind that just regularly go and read government regulations, no matter how much they apply and how much that applicability is there. So knowing this caveat and then getting the word of mouth from somebody that does go and read these things and maybe doesn't interpret it the right way is the reason why we are in the situation that we're in right now with this huge misunderstanding.
A
Yeah, like we said, if your customer gave you November as the deadline, that's your customer in your specific situation. If a contract that you're going to bid on in August is going to get awarded in November, then you might have a November deadline. DoD's very, very general high-level phased rollout has no deadlines in it. So if a person on a marketing team is telling you that you have that deadline, do your own research, read the regulation for yourself. We'll link to it below, you can check it out and you can read it. So things actually do change in November of 2026. Like nothing happens in November of 2026. People are just blowing it out of proportion, maybe misinterpreting what it actually says. So there's two things that are going to happen in November. First, more contracts are going to require CMMC Level 2 certification status. Right? So DoD will start including CMMC Level 2 C3PAO status requirements in, here's the key word, applicable solicitations and contracts. That word matters. That word does a lot of lifting here. Applicable, not all applicable. Right. So what determines applicability? In January of 2025, the DoD put out a memo to its acquisition workforce. We'll link to the podcast that we did below. You can go to the memo and you can read it for yourself. And it is guidance to the acquisition workforce, literally called determining CMMC applicability. Right. How do you determine what status level you put into the solicitation for contractors to meet? So here's the rough summary. Right? If you don't handle any controlled unclassified information, then the applicable status is CMMC Level 1 because you don't have data that would trigger the requirements to protect controlled unclassified information. If you do have controlled unclassified information pursuant to that contract, then the minimum is going to be CMMC level 2 status. Please prove to us that you have implemented and complied with the requirements in DFARS clause 252.204-7012.
Now, little detail: if that CUI falls into what are known as the defense categories of CUI, Controlled Technical Information, Defense Critical Infrastructure Information, Naval Nuclear Propulsion Information, things like that. There's a handful of categories of CUI that are considered defense categories of CUI. Then according to DoD's policy, the minimum requirement is level 2 C3PAO status. You have to hire a third party assessment organization to come in and verify that you have implemented the requirements in NIST SP 800-171. Yeah.
B
Yes, Professor Horn, yes. So you mentioned a special type of CUI that lists in defense categories. And just for the general audience, how common or how prevalent is that in the contracts that the DIB would see if you're a defense contractor?
A
Very common. Right, very common. So the CUI program is a federal-wide program. So any kind of unclassified information for which there is a law, a regulation, a government-wide policy that says this data is sensitive and needs to be protected to some degree falls under the very broad umbrella of controlled unclassified information. Because there's some sort of control put on this unclassified information. We can't just willy-nilly stick the unclassified information anywhere we want to. So all the agencies, all the statutes, all the regulations you can imagine, there's like thousands and thousands of what we call authorities that say protect this kind of data, protect that kind of data. Student health information, information around people seeking refugee and asylum status, law enforcement investigation information, tax information, defense information. There's all kinds of different types of CUI. For defense contractors, to answer your question, they don't really deal with a lot of tax data. They don't really deal with a lot of Department of Education data. Some of them might. Most defense contractors are dealing with schematics and blueprints for putting parts on missiles and satellites and warships and weapon systems, things like that. So defense categories are the ones that you want to really pay attention to.
B
So at the project management level of a contract. Right. That is where they determine whether or not the CUI that may be a part of a contract fits into one of these categories and needs these special protections. Right, right. Have there been any studies to see how efficient they are with appropriately marking those things, that data that comes down?
A
Yeah, we've recently done some episodes on CUI marking. It's not great. They actually routinely undermark the data rather than the common idea that they would overmark the data. We'll link to that episode below and you guys can check out what's going on with it. But the rule of thumb here essentially is if you don't have CUI, you're going to be level one. If you do have CUI, going to be level two. If that CUI that you're handling is one of the defense categories of CUI, you're going to have to get a third party to verify that you have implemented your requirements. If it's any of the other kinds of CUI, which is probably not most people listening to this podcast, because it's not most defense contractors, then the minimum requirement is self-attested self-assessment against CMMC level 2 requirements. That's the rough way of determining applicability. So if you're a manufacturer putting precision parts on fighter jets, you're probably not going to get away with self-assessment because you're dealing with a defense category of CUI, controlled technical information. It can vary, obviously. And the reason why so many people in phase one of the rollout have seen CMMC Level two certification requirements, even though we're not in phase two yet, is because the data is what drives your CMMC status. And DoD has discretion to have you go get a certification anytime they want to. Not to mention the thing we said about the primes earlier. And they have complete and total discretion. The summary here is that there's no universal requirement that hits everybody at once suddenly November 10th of 2026. The requirement doesn't even hit all contracts. It hits all applicable contracts. So if you're not planning on taking award of a contract until sometime in 2027, November 2026 doesn't really matter to you. If your prime is telling you that you need to have CMMC Level 2 certification by summer, November 26th doesn't really matter to you. Right.
There's nothing about the phased rollout or determining applicability that makes this some bright red line where a hundred thousand companies have this cliff that they're all going to fall off of.
B
Yeah. And so the way that you explain it, that makes it clear sting, right. The way that people are interpreting the only communication from the Dow, which is basically the communication of the phase rollout and how it goes, is they're interpreting it at two extremes, that it's applicable at the two extremes. One extreme is that it's everything's due November 2026. I have to be ready at that point in time, which is a good thing to have. The other extreme is I don't have to do anything until November of 2028.
A
Yeah, that's, that's the other idea. Right. Is that.
B
And nobody's really interpreting it right there in the middle, which is the way you're there. This is when it's going to start to trickle out. This is when they're going to start to phase roll it out. This is when the DoD intends to do that. People interpret that as direct communication. People interpret that it's the wrong timeline.
A
Yeah, that's a good point. Because in these phases of the phased rollout, they're like, well, we'll have discretion in the first year, we'll have it in every applicable contract in the second year, we'll start to add CMMC level 3 at our discretion starting in the second year and then into the third year. And then by the time we get to year four in 2028, there won't be any more of this variability. It'll just be each level will be in each applicable contract, no questions asked. And some people read that as, well, I won't have any requirements until 2028, which is also not correct. Which kind of brings us to our second point under this section, right. Requirements are tied to new contract awards. So not your entire business overnight through some arbitrary deadline in a regulation. Right. The regulation doesn't say that. It's all tied to contract award. So you don't need CMMC Level 2 certification by November 2026 unless a specific contract requires it in November of 2026 or your prime customer has told you that that is the date. It could be September, it could be January of 2027, could be three weeks from now. Totally depends on your specific situation. So just be careful trying to reverse engineer your specific situation from very, very general high-level phased rollout guidance in the regulation. Right. So it's gradual rollout, it's tied to procurement. It's not a mass compliance deadline. Very, very difficult to figure out your specific situation. We always recommend that people look at your customer's specific procurement administrative lead time, the PALT window. Right. We've been talking about this for years now. You can find your customer's long-range acquisition forecasts from the Department of Defense specifically and you can go through and they'll say we plan on putting out this solicitation in this year and this quarter. We plan to award that contract in this year and this quarter.
If you're planning on trying to win that work and you're going to wait until you see the requirement and the solicitation to get started on any of the cybersecurity requirements at all, you might be arbitrarily limiting yourself to just a couple months of implementation time, or you might be one of the lucky ones and you've got 12 months of time between when they put the solicitation out and when the award is. Much, much easier to see what your specific timeline will be if you go to the specific award that you or your prime are planning on trying to win and then working backwards from there, compared to the general idea of the phased rollout. Much more helpful and specific.
B
Yeah. And where organizations right now are seeing pressure to get their CMMC certifications, obviously, as you mentioned before, I mentioned before as well, is from the primes. And the primes want to be ready for when the time comes and that contract appears after November 2026 from the Dow. Right. They have that PALT time that they have to adhere to, and in that time window, there needs to be gathering of information from all the necessary partners and knowing that those partners have it in place. This is just proactive management of supply chain that's taking place, and it's affecting in the ripple-down effect based off of the timeline they have to adhere to.
A
Yeah. And we'll link below to the episodes that we've done on the lead time analysis in the past. General rule of thumb: if it's going to take your company three or four months to make a decision and sign a contract, and it's going to take your implementer three or four months to get through their backlog and kick you off, and then it's going to take you two or three months to get up and running in that environment, and then you need to go through your assessment, and your PALT window from your customer is only 90 days, then you necessarily need to start on your implementation before the solicitation comes out. Right. So it takes a little bit of a leap of faith. You got to strategize what's going on. We'll link below, check that out, and then we can go from there. Okay. Next thing to consider when it comes to phased rollout and the phantom deadline here, right? We've been saying this since the final rule came out in 2024. DoD has flexibility and discretion over all phases of the phased rollout. There is discretion explicitly built into the rule, into the regulation. So the DoD can push any given CMMC status level requirement into an option period instead of into award. They can pull those requirements forward into phase one, as we've seen with many, many people so far. They don't wait. They don't have to wait until November 2026, they certainly don't have to wait until 2028, like you said. And they can, like we said, introduce level three requirements where they decide to. We've already seen this happen, even though on paper level three requirements aren't supposed to happen until after 2027. Each of these regulatory sections says at our discretion, we can push the requirement, we can pull the requirement, we can elevate the requirement, we can reduce the requirement. That's why it's so difficult for people to try to reverse their specific situation without talking to their specific customer about the specific contract award that you're going after.
So the phase rollout is not some rigid thing with drop off deadlines or anything like that. Some people have already experienced their deadlines, some people won't experience their deadline for some time. It's all relative based on your specific situation.
B
Yeah. And it's relative based on risk. Right. It's the risk associated with the program that that data is attached to. And so like if we are in programs that obviously the risk is, is that not having suppliers at a CMMC level three by the time we need it, when that's required, 2027, those things are going to be pushed forward. And that's why we're seeing those requirements pop up, especially on the high priority contracts. Right?
A
Yeah. And it's, you know, some people are like, well, we don't know if the solicitation is going to require CMMC Level 2, so we're not going to do anything to get ready. First of all, if you already have DFARS 7012 in your contracts and you're handling export controlled information, not naming any names here, there's a lot of people listening and that might sound pretty familiar. Just take a look in the mirror. All right. Because they're going to require you to have CMMC level 2 because you're already dealing with the data that would trigger the requirements in DFARS 7012. So unless you're in a very unique position or you're in a very strong negotiating position and you plan to try to get that language taken out of the solicitation, which is not 99% of the people who listen to this podcast, just, you know, think about what your decision tree and your strategy is going to be here. Instead of waiting until you get the solicitation, you're staring down the barrel of a 60 day deadline to award.
B
Can you. I got a curious itch and I'm gonna ask, right? So given the recent, without getting the episode flag, right. So with that, given the recent national global things that are taking place and some of the homeland measures that are taking place in the defense industrial base, right. Do you think that some of those organizations now that are seeing an increased attention in their email inbox would be some of those ones that are probably a part that risky pro program project contract type scenario? Right. Like some of the things that they do based off of what's going on. Yeah, like that's, that's, that's, that's a personal curiosity.
A
Let's just, you know, we can wrap that one up super, super quick. If U.S. government officials get onto the airwaves and they say we are absolutely decimating the defense industrial base of a foreign country for whatever reason and you are part of the defense industrial base of the country saying that, then you got a target on your back, plain and simple. Right. So that's, you know, take from that what you will. We recently did some content around wine
B
and if you're being asked to ramp up mission critical production, mission critical in my mind, seems like a risky contract, right? Like something. Oh yeah, absolutely.
A
Yeah, absolutely. Okay, so I think we've kind of covered this idea, right? The phased rollout November 2026 is not a deadline. It's not a cliff. 100,000 companies don't need a CMMC Level 2 certification by November, right? In a future episode, we'll talk about assessment capacity, so on. You know, so far into the phased rollout, assessment capacity has not been an issue whatsoever. So there is no November 2026 cliff for 100,000 CMMC Level 2 certifications. You can read it in the regulation yourself. It's four sentences long. What actually happens is actually pretty simple. The DoD begins inserting more CMMC Level 2 certification requirements into more contracts, only where that is applicable based on the data involved in that contract. And these are all tied to specific awards, not to everybody, all at once. So for your takeaways here, your path to CMMC status, to the promised land of winning more awards, is not dictated by any sort of universal DoD-wide deadline. It's dictated by the data that you're going to handle under specific contracts that you may or may not decide to pursue, that all have their own timelines for solicitation and award, and what your specific customer may or may not require. That can vary if you're on the other side of the prime. That can vary if the Department of Defense program manager has different ideas of risk acceptance, risk tolerance, this and that. So instead of chasing any kind of phantom deadline, what contracts do you want to win? What are they going to require? When will the solicitation come out? When will they be awarded? That is the timeline that matters. That's how you're going to determine what matters to you. Tell you something that matters to me. This is episode 150, buddy. We've been doing this for years now, so I just want to take a moment, thank everybody who watches the show who has liked and subscribed. We're closing in on a hundred thousand channel subscribers, which is absolutely insane.
I don't even know how many hours of content we've put out talking about everything from regulations and NIST controls and controversies and misconceptions and this and that. It's a very niche topic. Everybody's time is very valuable. There's a lot going on. There's a lot to do. So, personally, thank you for watching and commenting and sharing and all the fun memories we've made over the years. And, you know, here's to 150 more.
B
Like everything else, I couldn't have said it better myself. 150 episodes is magical. I'm glad they're not three hours long anymore. I don't know if I could make it.
A
I have met one person. I met one person at an event who said he preferred the three hour episode. So I'm gonna. I'm gonna.
B
I'm gonna take that W. That's one W. That's one W out of 77,000, buddy. I don't know what that percentage is, but yeah. Thank you, everybody. Thanks for giving us this platform to be ourselves.
A
Awesome. Thanks, everybody. We'll see you next week.
B
See you next week, Sam.
Sum IT Up: CMMC News Roundup
Episode 150: The CMMC November 2026 Deadline Is a Myth (Here’s What’s Actually Happening)
Date: March 26, 2026
Host: Summit 7
This episode debunks a widespread misconception circulating in the defense contracting community: that "November 2026 is the universal, hard deadline for all Department of Defense (DoD) contractors to achieve CMMC Level 2 certification." Hosts dive deep into what the CMMC phased rollout actually requires, why the myth persists, and how organizations should realistically prepare for compliance based on their unique contract situations.
After 150 episodes, the hosts thank their listeners for their commitment to clarity in a field rife with shifting regulations and urban legends. The message: Ignore the LinkedIn panic. Read the actual regulations. And plan certification around concrete contract timelines, not conjecture!
Host signoff:
“Here's to 150 more.” (A, 22:41)