Matt Travis (Executive Director & CEO, Cyber AB) joined PreVeil and 1,000 defense contractors to share what they need to know for CMMC Phase 2. The message was simple: Phase 2 begins November 10, 2026, and for many contractors the clock is already ticking.

1. Phase 2 has a date. Yours might be sooner.

November 10, 2026, is when C3PAO Level 2 certification becomes a mandatory condition of award for defense contracts involving CUI. But for most contractors, the real question isn’t what happens on November 10. It’s what happens on your date — and that date may be closer than you think.

Matt laid out three scenarios where Phase 2 lands on your business specifically:

  • Option years: “If you have a contract that has option years starting after November, and your contract involves defense-related CUI, you should expect Level 2 C3PAO requirements. You’re going to see those requirements as a mandatory condition entered into your option year.” Many contracts have short base years and long option periods. Check yours now.
  • Upcoming procurements: “When new RFPs drop, they’ll carry CMMC Level 2 C3PAO requirements. No certification, no bid.” 
  • Your prime: “Your prime may be already requiring you to go ahead and get Level 2 now and not wait until November.” The government’s timeline and your prime’s requirement are two separate clocks. Your primes may already be running.

In all three scenarios, the outcome is the same. As Matt Travis put it: “If you do not have your certification from a C3PAO, you will not be eligible for that award.”

2. C3PAO certification is a condition of award. By law.

C3PAO certification is not a compliance best practice or a procurement preference. It is a legal requirement, and Matt Travis was unambiguous:

“If you want to do business with the Department of Defense, you must have a certification before that contracting officer, as a matter of law, can award that contract.”

Contracting officers are not making a judgment call here. No certification means no award.

3. The CMMC assessment ecosystem is working — but capacity is finite.

As of June 2026, approximately 1,600 Level 2 certifications have been issued across the entire DIB. That is a small fraction of the contractors who will eventually need one. As Matt Travis noted: “Of the 105 C3PAOs that are authorized, they’re all pretty busy. Some are booked through the end of the year.”

Matt Travis expects more to be authorized through summer and fall. But the math is stark: 100,000 contractors will need assessments over the next 3 years. The contractors who move now will have options. Those who wait will compete for whatever capacity remains.

4. Scoping is where companies fail — and it’s the first thing assessors look at.

Matt Travis was clear that scoping is where the assessment process breaks down most often: “It is the most important part of the CMMC assessment process, and it’s also the point, anecdotally, that we’re hearing companies are still struggling with the most.”

Getting your CUI boundary right — knowing what’s in scope, who needs access, and which assets touch CUI — is the foundation for everything else. Matt Travis’ framing: keep it tight. The tighter your boundary, the more manageable your assessment, the lower your cost, and the greater your chances of passing.

If you can’t clearly articulate your boundary to a C3PAO, the assessment goes sideways before it starts. 

5. You already committed to this. CMMC is just the proof.

Matt Travis reminded every contractor in the room that CMMC is not a new obligation — it’s verification of one they already agreed to:

“In your existing contract, you’ve already agreed to protect and safeguard CUI and implement the NIST 800-171 standard. You’ve already committed to that. All CMMC is the validation that you’re doing it.”

You already said you would do this. The C3PAO is coming to check. As Matt Travis put it: “CMMC is here. Get it done.”

6. FedRAMP 20X doesn’t satisfy your CMMC requirement today.

Matt Travis was direct: “20X doesn’t get you there yet. It is not recognized. FedRAMP’s gone to a Rev 5, but Rev 4 is still valid.”

For cloud service providers operating in the CMMC ecosystem, that means Rev 4 or Rev 5 — either through a FedRAMP Marketplace authorization or FedRAMP moderate equivalency — is still the standard C3PAOs are checking against. 20X doesn’t satisfy that requirement today.

That’s why PreVeil maintains FedRAMP moderate equivalency, which means we meet all 325 FedRAMP Moderate controls with zero POAMs.

Conclusion

Phase 2 begins November 10, 2026. Your prime may not wait that long. Your option year may not either. The question is no longer whether CMMC is real.

PreVeil is the leading solution for CMMC Level 2 compliance and is trusted by more than 3,000 small and midsize defense contractors. To date, more than 100 defense contractors and C3PAOs have used PreVeil to achieve CMMC Level 2 compliance with a perfect 110/110. Learn more about how PreVeil can help your organization achieve CMMC Level 2 compliance faster and more affordably.
