CMMC Phase 2 timeline and what it means
The Cybersecurity Maturity Model Certification (CMMC) program has been in development since 2019, but the enforcement timeline is now concrete. The final rule took effect on December 16, 2024, and the three-phase rollout is underway.
Phase 1 (December 2024) introduced CMMC Level 1 self-assessments and Level 2 self-assessments for select contracts. Phase 2, starting November 2026, is the inflection point. It requires third-party assessment by a CMMC Third-Party Assessor Organization (C3PAO) for any contract involving Controlled Unclassified Information (CUI) at Level 2. Phase 3 (2028) extends requirements to Level 3, involving government-led assessments for the most sensitive programs.
- 0.5%: of ~80K orgs needing Level 2 certified by late 2025
- 110: NIST 800-171 controls required for Level 2
- Nov 2026: Phase 2 enforcement begins
- ~80K: organizations needing CMMC Level 2
The readiness gap is severe. As of late 2025, only about 0.5% of the roughly 80,000 organizations that need CMMC Level 2 had achieved certification. C3PAO capacity is limited, and assessment timelines are measured in months, not weeks. Contractors who wait until mid-2026 to start the process risk missing proposal deadlines because they cannot demonstrate compliance.
The certification bottleneck
For defense contractors, the practical impact is straightforward: if your organization handles CUI and you do not have a Level 2 certification by Phase 2, you will not be eligible for award on contracts that require it. This is not a future concern. It is a present-tense planning problem for every capture manager building a pipeline for late 2026 and beyond.
How CMMC changes the proposal process
Before CMMC, cybersecurity compliance in proposals was largely a matter of assertion. Contractors stated they were compliant with NIST 800-171, referenced their System Security Plan (SSP), and moved on. Evaluators had limited tools to verify those claims during source selection.
CMMC changes this dynamic fundamentally. Compliance is now verifiable. Evaluators can check your certification status in the CMMC Enterprise Mission Assurance Support Service (eMASS) database. Your SPRS score is visible to contracting officers. Your Plan of Action and Milestones (POA&M) status is part of your compliance posture, not a footnote.
This shift means proposals need to do more than promise compliance. They need to demonstrate it with specificity. Here is what evaluators are looking for:
- CMMC certification status with certificate number and expiration date
- SSP summary describing your CUI enclave and security architecture
- POA&M status showing any open items and remediation timelines
- SPRS score confirming your self-assessed compliance level
- Subcontractor compliance verification for every team member handling CUI
- CUI handling procedures specific to the proposed work
Key Takeaway
The evaluator mindset has shifted too. Where cybersecurity used to be a pass/fail gate buried in the compliance matrix, it is increasingly a scored evaluation factor. Some solicitations already weight cybersecurity posture alongside technical approach and past performance. Contractors who treat CMMC documentation as an afterthought will lose to competitors who treat it as a differentiator.
What your proposal tools need to handle
Most proposal management tools were built for a world where cybersecurity compliance was a single section in the management volume. CMMC changes the scope of what your tools need to track, store, and produce.
DFARS clause flow-down tracking
DFARS 252.204-7012 (Safeguarding Covered Defense Information) is the foundational clause, but it does not stand alone. Your tools need to track related clauses: 252.204-7019 (NIST 800-171 Assessment), 252.204-7020 (NIST 800-171 DoD Assessment), and 252.204-7021 (CMMC Requirements). Each clause has distinct requirements and flow-down obligations to subcontractors. When your proposal tool extracts requirements from an RFP, it needs to flag these clauses and surface the specific obligations they create.
NIST 800-171 control mapping
Level 2 CMMC maps directly to 110 controls across 14 families in NIST SP 800-171 Rev 2. Your proposal needs to address how your organization satisfies these controls, particularly for the CUI enclave supporting the proposed work. Proposal tools need to maintain a mapping between solicitation requirements and the applicable NIST 800-171 control families, so writers can reference the correct controls in their narratives.
CUI handling documentation
Every proposal for CUI-generating work needs to describe how CUI will be marked, stored, transmitted, and destroyed. This is not boilerplate. Evaluators expect specifics: which systems, which encryption standards, which access controls, which incident response procedures. Your tools need a content library that stores these descriptions at a granular level so writers can assemble CUI handling narratives from verified, current components.
Team and subcontractor compliance tracking
Prime contractors are responsible for the compliance posture of their entire team. Your proposal tools need to track the CMMC certification status, SPRS scores, and POA&M status of every subcontractor on the team. When a subcontractor's certification expires or their SPRS score drops, your capture team needs to know before it becomes a proposal risk.
Proposal tool requirements for CMMC compliance
- Automatic identification of DFARS 252.204-7012, -7019, -7020, and -7021 clauses in solicitations
- NIST 800-171 control family mapping linked to solicitation requirements
- CUI handling narrative library with version-controlled, reusable content blocks
- Subcontractor compliance dashboard tracking certification status, SPRS scores, and POA&M status
- Compliance matrix generation that includes cybersecurity requirements alongside technical requirements
- SSP summary templates tailored to different CUI enclave architectures
- Secure storage environment that meets NIST 800-171 controls for CUI-containing proposal content
The compliance documentation burden
Defense proposals were already document-intensive. CMMC adds a new layer that touches multiple volumes and requires coordination between your cybersecurity team, your proposal writers, and your subcontractors.
A typical CMMC-compliant proposal now includes: an SSP summary describing your CUI enclave architecture, a POA&M status report showing open items and remediation timelines, CMMC certificate details for the prime and each subcontractor handling CUI, SPRS score documentation, CUI handling procedures specific to the proposed work, incident response plan summaries, and personnel security procedures for CUI access.
Across a competitive defense proposal, this adds 15 to 30 pages of compliance documentation. That documentation needs to be consistent with your actual security posture, accurate against your current certification status, and coordinated across every team member on the proposal.
The coordination challenge
The manual approach to this problem is familiar: email chains requesting updated SSP summaries from subcontractors, spreadsheets tracking who has submitted their compliance documentation, Word documents with conflicting version numbers. This process breaks down under the time pressure of a typical 30-day proposal response window. By the time you have collected and verified compliance documentation from four subcontractors, you have lost a week that should have gone to writing the technical approach.
The organizations that handle this well are the ones that treat compliance documentation as a continuous process, not a proposal-time scramble. They maintain current SSP summaries, track certification dates proactively, and keep reusable compliance narratives updated in a content library. The tools they use make this possible without a full-time compliance documentation manager.
How Projectory helps defense contractors
Projectory is built for the complexity of government proposals, and defense procurement is where that complexity is highest. Here is how the platform addresses the specific challenges CMMC creates for proposal teams.
Content library with reusable compliance narratives
Projectory's content library stores version-controlled, reusable content blocks organized by topic, contract type, and compliance framework. Your cybersecurity team maintains SSP summaries, CUI handling procedures, incident response descriptions, and personnel security narratives as library entries. When a proposal writer needs a CUI handling section, they pull the current, approved version from the library instead of starting from scratch or hunting through past proposals.
Each content block tracks when it was last reviewed, who approved it, and which proposals have used it. When your security posture changes, you update the library entry once and every future proposal pulls the current version.
Requirement extraction that flags DFARS and CMMC clauses
When you import a solicitation into Projectory, the AI extraction engine identifies DFARS clauses, CMMC requirements, and NIST 800-171 references alongside the technical and management requirements. These are surfaced in the compliance matrix with their specific obligations, so your proposal team sees the full scope of cybersecurity requirements from day one of the response effort.
(Figure: compliance clause detection)
Compliance matrix with cybersecurity requirements
The compliance matrix in Projectory tracks cybersecurity requirements alongside technical, management, and past performance requirements in a single view. Each requirement links to the solicitation section where it appears, the NIST 800-171 control family it maps to, and the content library entries that address it. Writers see exactly what needs to be addressed and which approved content is available to address it.
Secure deployment for CUI environments
Proposal content for defense contracts often contains CUI, and your proposal tools need to protect it accordingly. Projectory deploys in AWS GovCloud, Azure Government, or on-premise environments within your accreditation boundary. No proposal data leaves your security perimeter. The platform supports air-gapped deployment for classified programs and bring-your-own-model AI inference for organizations that cannot send data to external AI providers.
1. Import the solicitation. Projectory extracts all requirements, including DFARS clauses, CMMC requirements, and NIST 800-171 references, into a structured compliance matrix.
2. Map compliance content. The platform links extracted cybersecurity requirements to approved content blocks in your library: SSP summaries, CUI procedures, incident response plans, and subcontractor compliance documentation.
3. Assemble the proposal. Writers pull from the content library and write against the compliance matrix, ensuring every CMMC requirement has a documented response with current, approved content.
4. Verify before submission. The compliance matrix shows coverage status for every requirement. Gaps are flagged before the proposal leaves your hands, so your review team catches compliance issues during color review, not after submission.
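As an added illustration of the DFARS clause flow-down tracking described earlier and of the four-step import/map/assemble/verify workflow above (my own example, not Projectory's code or output), the Python below scans a constructed solicitation excerpt for the four DFARS clauses, general NIST SP 800-171 references and individual control ids, maps each hit to its clause or NIST control family, links it to approved entries in a constructed content library, and reports the rows with no approved content behind them. The regexes, the Requirement structure and the library format are my assumptions; the 14 family names and the four clause titles are those of the standard and of the clauses themselves.

```python
import re
from dataclasses import dataclass, field

# The 14 control families of NIST SP 800-171 Rev 2.
NIST_FAMILIES = {
    "3.1": "Access Control", "3.2": "Awareness and Training", "3.3": "Audit and Accountability",
    "3.4": "Configuration Management", "3.5": "Identification and Authentication",
    "3.6": "Incident Response", "3.7": "Maintenance", "3.8": "Media Protection",
    "3.9": "Personnel Security", "3.10": "Physical Protection", "3.11": "Risk Assessment",
    "3.12": "Security Assessment", "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

# The four DFARS clauses discussed above.
DFARS_CLAUSES = {
    "252.204-7012": "Safeguarding Covered Defense Information",
    "252.204-7019": "NIST 800-171 Assessment",
    "252.204-7020": "NIST 800-171 DoD Assessment",
    "252.204-7021": "CMMC Requirements",
}

# Full clause numbers, plus the "-7019" shorthand used in lists such as "252.204-7012, -7019, -7020".
CLAUSE_RE = re.compile(r"252\.204-(70(?:12|19|20|21))\b|(?<=[\s,])-(70(?:12|19|20|21))\b")
CONTROL_RE = re.compile(r"\b3\.(\d{1,2})\.(\d{1,2})\b")   # individual control ids such as 3.13.11
NIST_RE = re.compile(r"NIST\s+(?:SP\s+)?800-171\b")         # general reference to the standard


@dataclass
class Requirement:
    key: str           # clause number, control id, or "800-171"
    kind: str          # "dfars", "control" or "nist"
    description: str
    map_key: str       # value a library entry must list under "covers" to satisfy this row
    lines: list = field(default_factory=list)       # solicitation lines where it appears
    covered_by: list = field(default_factory=list)  # ids of approved library entries

    @property
    def status(self):
        return "covered" if self.covered_by else "GAP"


def extract_requirements(text):
    """Scan solicitation text line by line and collect cybersecurity requirements."""
    reqs = {}

    def add(key, kind, description, map_key, lineno):
        row = reqs.setdefault(key, Requirement(key, kind, description, map_key))
        if lineno not in row.lines:
            row.lines.append(lineno)

    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CLAUSE_RE.finditer(line):
            clause = "252.204-" + (m.group(1) or m.group(2))
            add(clause, "dfars", DFARS_CLAUSES[clause], clause, lineno)
        if NIST_RE.search(line):
            add("800-171", "nist", "NIST SP 800-171 compliance (general reference)", "800-171", lineno)
        for m in CONTROL_RE.finditer(line):
            family = "3." + m.group(1)
            if family in NIST_FAMILIES:   # ignore look-alikes such as version numbers
                add(m.group(0), "control", NIST_FAMILIES[family] + " control " + m.group(0),
                    family, lineno)
    return list(reqs.values())


def build_compliance_matrix(text, library):
    """Extract requirements and link each to the approved library entries that address it."""
    matrix = extract_requirements(text)
    for row in matrix:
        row.covered_by = [e["id"] for e in library if e["approved"] and row.map_key in e["covers"]]
    return matrix


def gaps(matrix):
    """Requirement keys with no approved content behind them."""
    return [row.key for row in matrix if not row.covered_by]


# Constructed sample solicitation excerpt (not a real RFP).
SOLICITATION = """\
H.12 The Contractor shall comply with DFARS 252.204-7012 and shall flow down
252.204-7012, -7019, -7020, and -7021 to all subcontractors that handle CUI.
L.4 Offerors shall summarize their System Security Plan and describe how
NIST SP 800-171 controls 3.1.3, 3.8.3 and 3.13.11 are implemented in the CUI enclave.
M.2 Cybersecurity posture will be evaluated as a scored factor.
"""

# Constructed content library: "covers" lists the clause numbers or NIST families an entry addresses.
CONTENT_LIBRARY = [
    {"id": "LIB-SSP-ENCLAVE-A", "covers": {"800-171", "3.1", "3.13", "252.204-7012"}, "approved": True},
    {"id": "LIB-CUI-HANDLING", "covers": {"3.8", "252.204-7012"}, "approved": True},
    {"id": "LIB-SUB-FLOWDOWN", "covers": {"252.204-7019", "252.204-7020", "252.204-7021"},
     "approved": False},   # drafted but not yet approved, so it cannot satisfy a requirement
]

if __name__ == "__main__":
    for row in build_compliance_matrix(SOLICITATION, CONTENT_LIBRARY):
        print(f"{row.status:8} {row.key:14} lines {row.lines} <- {row.covered_by or '-'}")
```

Only approved entries count toward coverage, which is the point of the verify step: a flow-down narrative that exists in draft still shows the three subcontractor clauses as gaps until someone signs it off, and the matrix carries the solicitation line numbers so a reviewer can go straight to the source text.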
Preparing now
November 2026 is close enough to affect proposals you are writing today. If you are pursuing contracts that will be awarded after Phase 2 takes effect, your compliance posture and your proposal documentation need to be ready. Here is what to prioritize.
Get your compliance narratives into a content library. Your SSP summary, CUI handling procedures, incident response plan, and personnel security descriptions should exist as standalone, version-controlled content blocks that any proposal writer can access. If these narratives live only in past proposals, you are one version conflict away from submitting outdated compliance information.
Build reusable SSP summaries. Most defense contractors operate one or two primary CUI enclaves. Create an SSP summary for each enclave that describes the architecture, boundaries, and security controls at a level appropriate for proposal inclusion. Update these summaries whenever your security posture changes. Your proposal writers should never have to reconstruct an SSP summary from scratch.
Track your SPRS score actively. Your SPRS score is visible to contracting officers and it factors into source selection even before CMMC certification becomes mandatory. Know your score, understand which controls are driving gaps, and have a remediation timeline for any open POA&M items. Include your score and improvement trajectory in proposals as evidence of cybersecurity commitment.
Audit your subcontractor compliance posture. Before you include a subcontractor on a proposal team, verify their CMMC certification status, SPRS score, and POA&M status. Build this into your teaming agreement process. A subcontractor who cannot demonstrate compliance is a risk to your proposal, not an asset.
Start using tools that understand defense procurement. General-purpose proposal tools do not track DFARS clauses, map NIST 800-171 controls, or deploy in CUI-compliant environments. The cost of switching tools during a live proposal response is high. Start the transition now, while you have time to migrate your content library, train your team, and validate workflows before the next must-win opportunity.
CMMC Phase 2 readiness checklist
- Schedule your C3PAO assessment (lead times are 3 to 6 months and growing)
- Create version-controlled SSP summaries for each CUI enclave
- Build a reusable content library with approved compliance narratives
- Document CUI handling procedures for your most common contract types
- Verify subcontractor CMMC certification status and SPRS scores
- Update your SPRS score and close open POA&M items
- Evaluate proposal tools for CUI handling and DFARS compliance support
- Brief your capture and proposal teams on CMMC proposal requirements
Frequently asked questions
Do I need CMMC Level 2 certification before I can submit proposals?
Not yet for most contracts, but the timeline is accelerating. Phase 1 (started December 2024) allows self-assessment for Level 1. Phase 2 (November 2026) requires third-party C3PAO assessment for Level 2, which applies to any contract involving CUI. After Phase 2, proposals from contractors without a valid Level 2 certification will be ineligible for award on contracts that require it. Start the certification process now, because C3PAO availability is already constrained.
How does CMMC affect my subcontractors?
CMMC requirements flow down to subcontractors who handle CUI. Under DFARS 252.204-7012, prime contractors are responsible for ensuring subcontractor compliance. Your proposals need to document how you verify and track subcontractor CMMC status. If a subcontractor loses certification during contract performance, it creates a compliance gap you are responsible for addressing.
What is an SPRS score and why does it matter for proposals?
The Supplier Performance Risk System (SPRS) score reflects your self-assessed compliance with NIST 800-171 controls, ranging from -203 to 110. Contracting officers can check your SPRS score during source selection. A low score signals compliance risk and can disadvantage your proposal even before CMMC certification becomes mandatory. Many agencies already use SPRS scores as an evaluation factor.
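To make the -203 to 110 range concrete, here is an added example (mine, not Projectory's) of the scoring arithmetic behind it: the NIST SP 800-171 DoD Assessment Methodology starts every organization at 110 and subtracts a weight of 1, 3 or 5 points for each control that is not implemented, which is why the floor is 110 minus the 313 weighted points of all 110 controls; two controls, 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), can earn partial credit, losing 3 points instead of 5. The control subset and the weights assigned to it below are constructed for illustration and are not the methodology's actual table; treating an unassessed control as not implemented is this example's conservative default.

```python
MAX_SCORE = 110   # every control implemented
MIN_SCORE = -203  # nothing implemented: 110 minus the 313 weighted points of all 110 controls

# Constructed subset of controls with illustrative weights (1, 3 or 5 points, as the methodology
# uses). Take real weights from the published DoD Assessment Methodology, not from here.
CONTROL_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.5.3": 5,
    "3.8.3": 5, "3.13.11": 5, "3.13.16": 1, "3.14.1": 5, "3.14.2": 5,
}
# The two controls that can earn partial credit: a partial implementation costs 3 instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
VALID_STATUS = {"implemented", "partial", "not_implemented"}


def deduction(control_id, status, weights=CONTROL_WEIGHTS):
    """Points lost for one control given its self-assessed status."""
    if status not in VALID_STATUS:
        raise ValueError(f"{control_id}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and control_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control_id]
    return weights[control_id]   # "partial" on any other control counts as not implemented


def sprs_score(assessment, weights=CONTROL_WEIGHTS):
    """110 minus the deduction for every control; unassessed controls count as not implemented."""
    total = MAX_SCORE
    for cid in weights:
        total -= deduction(cid, assessment.get(cid, "not_implemented"), weights)
    return max(total, MIN_SCORE)


def gap_drivers(assessment, weights=CONTROL_WEIGHTS):
    """Controls that are costing points, highest cost first, to prioritise POA&M remediation."""
    drivers = [(cid, deduction(cid, assessment.get(cid, "not_implemented"), weights)) for cid in weights]
    drivers = [(cid, pts) for cid, pts in drivers if pts]
    return sorted(drivers, key=lambda d: (-d[1], d[0]))


def score_after_remediation(assessment, remediated, weights=CONTROL_WEIGHTS):
    """Projected score once the listed controls are fully implemented."""
    projected = dict(assessment)
    projected.update({cid: "implemented" for cid in remediated})
    return sprs_score(projected, weights)


# Constructed self-assessment (not a real organization's data).
ASSESSMENT = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.3": "not_implemented",
    "3.1.5": "implemented", "3.5.3": "partial", "3.8.3": "implemented",
    "3.13.11": "partial", "3.13.16": "not_implemented", "3.14.1": "implemented",
    "3.14.2": "implemented",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(ASSESSMENT))
    for cid, pts in gap_drivers(ASSESSMENT):
        print(f"  {cid:8} -{pts}")
    print("After closing 3.5.3 and 3.13.11:", score_after_remediation(ASSESSMENT, ["3.5.3", "3.13.11"]))
```

The gap-driver list is the part worth keeping next to your POA&M: with the constructed data the two partially implemented 5-point controls cost more than the two unimplemented 1-point controls, so the projected score shows where a remediation timeline buys the most before a contracting officer looks at it.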
Can my proposal tools store CUI?
Any tool that processes or stores CUI must operate within an environment that meets NIST 800-171 controls. Standard commercial SaaS platforms typically do not meet these requirements. You need tools deployed in FedRAMP-authorized environments, AWS GovCloud, Azure Government, or on-premise infrastructure within your accreditation boundary. Projectory supports all of these deployment models.
What proposal sections are affected by CMMC requirements?
CMMC touches multiple volumes. Your technical volume needs to describe how your solution handles CUI. Your management volume needs SSP summaries, POA&M status, and personnel security procedures. Your past performance volume should reference prior CMMC-compliant work. Your compliance matrix needs a dedicated cybersecurity section mapping to DFARS and NIST 800-171 requirements. The additional documentation typically adds 15 to 30 pages to a proposal.