The November 2026 CMMC Deadline
What It Means for You

WHY THE DEADLINE MATTERS

The Date Shapes Your Contract Timeline

THE PRINCIPLE

The November 2026 deadline marks a contract eligibility threshold. A current Cybersecurity Maturity Model Certification (CMMC) status in the Supplier Performance Risk System (SPRS) is required to maintain award eligibility from that date.

Starting November 10, 2026, a current CMMC status in SPRS becomes a condition of award for new Department of Defense (DoD) contracts. Any recompete, any renewal, any option period exercise triggers the requirement. Existing contracts do not extend that window indefinitely. Companies that start now finish with time, budget, and options to spare.

- FROM NOTICE TO FULL ENFORCEMENT

A Four-Phase Rollout.
Already Underway

CMMC is being phased into DoD contracts on a defined schedule. Each phase expands the requirement. Phase 1 is already live. Knowing where your contracts sit in this timeline clarifies how much time remains to act.

 
 
PHASE 01
Self-Assessment as Condition of Award
Live since November 10, 2025. DoD requires Level 1 and Level 2 self-assessment status in applicable solicitations and contracts from this date.

CURRENT PHASE 

 
PHASE 02
Third-Party Certification Begins
Begins November 10, 2026. Mandatory Level 2 status assessed by a CMMC Third-Party Assessment Organization (C3PAO) starts applying to applicable solicitations. Level 1 remains self-assessed.

NEXT PHASE 

 
PHASE 03
Level 3 Assessments Introduced
Begins November 10, 2027. Level 3 assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) begin applying to the most sensitive programs in the Defense Industrial Base.

EXPANDING 

 
PHASE 04
Full Implementation
Begins November 10, 2028. CMMC requirements apply across all applicable DoD contracts and option periods with no further phase-in exceptions.

FINAL 

 
WHAT TRIGGERS IT
New Contract Awards
A current CMMC status in SPRS is required at the point of award. Award eligibility depends on active SPRS status.

CONDITION 

 
WHAT TRIGGERS IT
Recompetes, Renewals, Option Periods
Every contract action that returns work to solicitation triggers the requirement, regardless of existing relationship.

CONDITION 

- WHAT IT MEANS FOR YOUR SITUATION

Four Contractor Profiles.
One Deadline

The deadline applies the same way regardless of company size, contract value, or how long your company has worked with the DoD. Starting posture and time to compliance vary by organization.

01

Prime Contractor, No Compliance Staff

You hold the DoD contract directly and you are registered in SAM.gov. Your organization falls within scope.  A self-assessment started today can close before the deadline. Most Level 1 engagements take 4 to 12 weeks from first scoping call to SPRS submission.

WHAT IS AT STAKE
  • Award eligibility after November 10, 2026
  • Contract renewal and option rights
  • Affirming official personal liability
WHAT TO DO NOW
  • Confirm which systems touch Federal Contract Information (FCI)
  • Designate an affirming official for SPRS
  • Book a scoping call
01 / Small Prime Contractor / Under 50 Employees
prime-contractor-no-compliance-staff
02/ DoD Subcontractor / Any Size
subcontractor-who-found-out-late
02

Subcontractor Who Found Out Late

Your obligation comes from your prime, not directly from the DoD. CMMC requirements flow down through the contract. Most subcontractors in logistics, staffing, facilities, and professional services confirm this through a prime contractor audit or a new solicitation requirement.

WHAT IS AT STAKE
  • Active SPRS compliance protects against prime termination exposure.
  • Supply chain position depends on SPRS status
  • Prime termination rights apply to compliance gaps
WHAT TO DO NOW
  • Review subcontract language for Defense Federal Acquisition Regulation Supplement (DFARS) clauses
  • Confirm SPRS requirements with your prime
  • Check whether your contract involves FCI or Controlled Unclassified Information (CUI)
03

Operating Across Multiple Prime Contracts

Web apps are one of the most targeted surfaces across enterprise environments. Business logic flaws, broken authorization, and API vulnerabilities give attackers access that automated scanners consistently miss.

WHAT IS AT STAKE
  • Each in-scope contract requires its own SPRS coverage.
  • Consolidated engagements cover all scopes in a single submission cycle.
  • Every contract in scope requires its own affirmation
WHAT TO DO NOW
  • List every active DoD prime and subcontract
  • Identify contracts containing FAR 52.204-21 or DFARS 252.204-7021
  • Request a consolidated scoping call
03 / Multi-Contract Organization / 3 or More Primes
operating-across-multiple-prime-contracts
04 / Company Approaching Recompete / Option Period
your-contract-is-coming-up-for-renewal
04

Your Contract Is Coming Up for Renewal

Option period exercises and recompetes are the most missed trigger. An existing contract relationship does not provide continuity at renewal. Every contract action that brings work back into competition or extends it formally triggers CMMC status as a condition of award.

WHAT IS AT STAKE
  • Renewal eligibility depends on active SPRS status
  • Enforcement begins the moment the contract action initiates
  • Recompetes require prior compliance
WHAT TO DO NOW
  • Check renewal and recompete dates on every contract
  • Confirm assessment completion fits within the timeline
  • Start the engagement at least 12 weeks out
- LEGAL EXPOSURE

Every Signatory Carries
Personal Legal Responsibility

Level 1 compliance is affirmed by name. That affirmation is a legal attestation, not an administrative checkbox.

The Attestation
THE ATTESTATION
What the affirmation says
The affirming official who submits the SPRS score affirms by name that the organization meets all 15 Level 1 requirements. A federal system of record retains that attestation permanently.
The Exposure
THE EXPOSURE
What happens when it is inaccurate
False Claims Act exposure attaches to both the organization and the affirming official personally. Federal enforcement has increased steadily, with the Department of Justice settling seven cybersecurity fraud cases in 2025 alone.
The Remedy
THE REMEDY
How to protect the person signing
DivIHN reviews every requirement against documented evidence before the affirming official signs. In a Full-Service engagement, we initiate submission only after every requirement clears review.
THE PATH TO COMPLIANCE

Steps From Scoping To SPRS Submission

The first call establishes your contract timeline, your starting posture, and which service path fits the time you have left.

engaement scoping
01
Confirm Your Deadline

Contract scope and timing vary by solicitation. The first step identifies which contracts are in scope and when the relevant contract action occurs.

02
Scope Your Environment

Identify every system, device, and location that touches FCI. Scope determines how long the engagement takes and which areas require remediation first.

03
Run the Gap Assessment

Evaluate current posture against all 15 Federal Acquisition Regulation (FAR) 52.204-21 requirements. Document each gap with remediation priority.

04
Submit Before the Trigger

Complete remediation, finalize documentation, and support the affirming official through SPRS submission before the contract action triggers the requirement.

- WHY ENGAGEMENTS STALL

Why Companies
Miss a Deadline
They Saw Coming

Most companies in scope know the deadline exists. The same set of delays appears on almost every scoping call, and every one of them is resolvable before assessment begins.

COMMON DELAY PATTERNS
The reasons most companies are still not compliant.
Organizations assuming scope applies only to large primes
Subcontractors assuming the prime covers their obligation
Absence of a designated internal compliance owner
Documentation timelines underestimated for all 15 requirements
Engagement costs assumed to exceed contract value
Engagement start deferred pending a formal solicitation requirement
HOW DIVIHN ADDRESSES EACH ONE
A structured engagement that removes every one of these blockers.
Scope confirmation in the first call establishes Level 1 applicability
Flow-down review confirms subcontractor obligation independent of the prime
DivIHN assigns a named compliance lead to every engagement from day one
Guided and Full-Service engagements close in 4 to 12 weeks
Competitive rates, with volume discounts available for multi-entity engagements
Engagements start immediately for companies with near-term deadlines
Back
to Top