2026-01-20
CMMC Phase 2 Is Coming: What Small Contractors Must Do Before November 2026
A practical execution plan for small defense contractors preparing for CMMC rule enforcement.
Why this date matters
For many small contractors, CMMC has been discussed for years without a hard operational date. November 2026 changes that planning posture. Prime contractors, subcontractor networks, and internal compliance teams should treat this period as implementation time, not awareness time.
What should be complete before Q4 2026
- A finalized system boundary for each enclave handling Controlled Unclassified Information.
- A mapped control inventory tied to owners and evidence sources.
- A standing operating cadence for policy review, patching, access review, and incident drills.
- A realistic POA&M backlog with dates, owners, and measurable closure criteria.
- Score tracking that can substantiate management's claims during customer due diligence.
Most common execution mistakes
The most frequent mistake is writing documentation that is disconnected from technical reality. The second is waiting for policy approvals before implementing technical controls. The third is assuming annual work is enough when many practices require recurring evidence.
A practical 120-day plan
Days 1-30
Establish scope, identify systems that process CUI, and classify inherited controls from MSPs, cloud providers, and identity providers.
Days 31-60
Run control-by-control self-assessment against your in-scope assets, capture status, and gather evidence references immediately.
Days 61-90
Close high-impact gaps first: MFA enforcement, logging, endpoint hardening, incident process, and encryption coverage.
Days 91-120
Generate executive and technical outputs: SSP baseline, POA&M tracker, family-level progress, and score trajectory.
Final recommendation
Treat CMMC readiness like a delivery program. Weekly checkpoints, evidence capture, and score tracking beat quarterly workshops every time.