
CMMC Phase 2 has started — a 90-day readiness plan if you haven’t begun

Phase 1 self-assessment requirements have been appearing in DoD solicitations since November 2025, and C3PAO-assessed Level 2 becomes the default on November 10, 2026. Here is a realistic 90-day plan to get assessor-ready.

The CMMC rollout is no longer theoretical. Under the CMMC Program rule (32 CFR 170), Phase 1 has been live since November 10, 2025 — contracting officers can include the self-assessment and affirmation requirements in new solicitations. Phase 2 begins November 10, 2026, when a C3PAO-assessed Level 2 certificate becomes the default condition of award for contracts involving CUI, rolling out solicitation by solicitation through 2028.

The math is unforgiving: C3PAO assessment waitlists already run 6–9 months and are growing, and only a small fraction of the roughly 80,000 contractors who need Level 2 had been certified as of the February 2026 Cyber AB town hall. If CUI touches your contracts, the question is not whether you need this — it is whether you start before or after the assessor calendars fill.

Here is a 90-day plan that front-loads the work that gates everything else.

Days 1–7 — Know your real number

You cannot plan against a score you are guessing at. Run the free Muster Score self-assessment under the DoD Assessment Methodology to see exactly where you stand across all 110 NIST SP 800-171 requirements, with the weighted 5/3/1-point deductions applied. No signup, no CUI — you describe your environment, never upload its contents.

Days 8–30 — Triage every gap

Sort your gaps into two buckets: POA&M-eligible versus must-fix-first. Most 1-point items can sit on a Plan of Action & Milestones for up to 180 days; a short list of requirements never can. The full POA&M eligibility rules — the 88-point conditional minimum, the six never-eligible requirements, and the 3.13.11 exception — decide what you can defer and what you must close before an assessment.

Days 31–60 — Draft the SSP and close must-fix gaps

Requirement 3.12.4 is the gate: without a current System Security Plan, no assessment can be completed at all, and it can never sit on a POA&M. Start your System Security Plan now — it is the single longest-lead artifact — and close the must-fix gaps your triage surfaced.

Days 61–90 — Get in the queue

Book your C3PAO while there is still calendar in 2026–2027, and finalize a POA&M that closes every remaining open item inside the 180-day window. See the full Phase 2 timeline for the per-phase detail.

One honest caveat that runs through all of this: what you produce are drafts you review, approve, and attest to — not a certification, and not an attestation we make for you. The judgment stays yours. That is exactly what keeps you on the right side of the False Claims Act.
