Blog

Are You Watching the Wrong CMMC Clock?

Written by Will Ogle | Jul 16, 2026 1:05:12 PM

The Phase 2 pause reset one timeline while the one that matters kept running.

Your company builds parts that end up in fighter jets, patrol ships, or vehicles you will never see finished. The prime who awards you that work has already decided when it needs your Cybersecurity Maturity Model Certification (CMMC) Level 2 certificate in hand, and for a growing number of subcontractors, that date lands well before the one on the federal calendar. This month, that date disappeared from the federal calendar.

With that said, your prime's supplier notice sets the date that governs your business. On July 13, 2026, the Department of War suspended the CMMC Phase II requirement that would have made third-party certification a condition of every applicable DoW contract starting November 10, 2026. That pause leaves the deadlines individual prime contractors have already built into their own supplier notices exactly where they are, and for a growing number of subcontractors, those dates arrived months ago.

CMMC has changed shape under new leadership before and the program has been reworked more than once since it was first introduced in 2019, including a full restructuring into CMMC 2.0 in 2021. A new DoW CIO reviewing the program and adjusting the timeline fits that pattern.

Will Ogle leads Cyberleaf's CMMC practice and has spent the past year walking manufacturers through this exact math. Nearly every client arrives believing November 10 is the date to plan around but it rarely is. And right now, there's no fixed federal date to plan around at all.

 

Prime Contracts Set Your CMMC Level 2 Deadline  

The government's Phase 2 date is supposed to mark when CMMC Level 2 becomes a requirement across applicable DoW contracts industry-wide. That milestone, along with every pending and future one behind it, sits inside a sixty-day review right now, and the federal deadline most subcontractors have been planning around has no fixed place on the calendar at the moment.

The underlying requirement is a different matter. CMMC Level 2 is written into the Defense Federal Acquisition Regulation Supplement, or DFARS, the federal contracting rulebook that took years to put in place. Unwinding it would take a comparable process, on a comparable timeline. A sixty-day review changes the pace of enforcement but what the rule requires once that review concludes stays the same.

That obligation applies on its own, independent of any single prime relationship. Phase 1 self-assessment requirements remain in place, DFARS 252.204-7012 still obligates every defense contractor and subcontractor to safeguard covered defense information, and NIST SP 800-171 stays the enforced technical standard behind both, verified through self-assessment and select government-led checks while the review runs.

Individual primes set their own compliance clocks on their own authority. Under DFARS 252.204-7021, primes must confirm a subcontractor holds the required CMMC certification before subcontract award, for any subcontract involving FCI (Federal Contract Information) or CUI (Controlled Unclassified Information). A prime that hands CUI to a subcontractor carries the exposure if that subcontractor's controls fail, an exposure that holds steady even as federal timelines shift. L3Harris requires its suppliers to hold Level 2 certification by July 30, 2026, a deadline it set in April 2026 on its own authority as a customer, three months ahead of a federal milestone that has since been paused.

If anything, the suspension strengthens the case for prime-driven deadlines. The Department of War's own stated reason for pausing Phase 2 is scale: over 100,000 defense industrial base companies still needing certification against roughly 100 qualified assessors nationwide. Primes are solving that bottleneck on their own terms instead of waiting for the government to solve it on its own timeline.

The government's deadline tells you when the requirement becomes universal. It does not tell you when your prime decides you are out of the running.

— Will Ogle, CMMC Practice Lead, Cyberleaf

One caveat worth knowing: this scope has real edges.

  • Applies when a subcontract involves handling FCI or CUI, which covers most manufacturers producing parts, components, or assemblies for defense programs.
  • Excludes contracts solely for commercially available off-the-shelf items.

If you're uncertain where you stand, resolve it this month, while there's still time to act on the answer.

 

The Timeline Behind the CMMC Certification 

Cyberleaf walks clients through what certification takes before a C3PAO, a CMMC Third-Party Assessment Organization, ever gets involved: closing the gaps a governance and technology review turns up, scoping down to what's touching CUI, and validating those controls hold up under a trial run before the real assessment ever gets scheduled.

Scheduling that assessment around a prime's deadline typically means booking it months in advance, which means that preparation needs to be finished well before then.

Will puts it plainly: "the businesses that come through this cleanly are the ones who start their documentation and remediation work while they still believe they have a year to spare, before three months start to feel like an emergency."

Where CUI Hides in Plain Sight 

Most companies assume CMMC is an IT project. In manufacturing environments, CUI often shows up first in ERP and MES systems, the software running the shop floor. A work order, a part number, and a drawing reference can each look harmless on their own. Combined, they can describe exactly what a piece of equipment is and how it is built. That combination is what pulls a company into scope, and it usually has nothing to do with the firewall IT has been watching.

The Bottleneck Nobody Budgets For 

In conversations with C3PAO leaders, Will and his team have heard that a meaningful share of companies fail their assessment on the first attempt, often because they treat the deadline as an IT checklist rather than a full operational review. A failed first attempt costs more than time. Assessor capacity across the industry is limited, and a second attempt means getting back in line behind everyone else racing toward the same date.

Cyberleaf has been flagging this capacity problem with clients for the past year, the same one the Department of War pointed to as its reason for pausing Phase 2. The suspension confirms what we'd already been telling clients.

 

Get Ahead Before Your Prime Sets the Pace 

Three things separate the companies that get ahead of this from the ones still scrambling later this year.

  1. Find where your CUI lives. Look past the servers IT already watches, into the ERP fields, the shop floor systems, and the file shares where combined data becomes CUI without anyone deciding it should be.
  2. Build your timeline backward from your prime's calendar. "That's the one that actually decides whether you get the next bid," Will says.
  3. Know which clock governs you before you book an assessor. If a prime contract requires your Level 2 certification, that requirement stands regardless of the federal pause, and getting in line for a C3PAO matters now. If your only obligation right now is the federal timeline, formal certification is currently optional, but the readiness work behind it earns its keep either way. It's what a prime's next supplier notice will ask for anyway.

“The government can move its own deadline. It doesn't move your prime's. That may change, or it may not, and that's a business risk you'd be taking on. I wouldn't throw out the work you've already done. Stay the course.”

— Will Ogle, CMMC Practice Lead, Cyberleaf


The Flow-Down Deadline

Call it the flow-down deadline: whatever your prime puts in writing outranks whatever Washington puts on a calendar. Companies planning around November 10 now face a simpler reality. That date is gone, and the one that replaces it has been sitting in their own contracts all along.

Will has been fielding calls this week asking whether this is a green light to stop but the relief on the table is narrower than that question assumes. The Department of War's own review is explicitly aimed at lowering barriers for small and non-traditional businesses, and whatever breathing room comes out of it lives at the federal contracting level. A prime managing its own CUI exposure makes its own call on that risk, a call that holds steady through this suspension and will hold steady through whatever the review produces. If you supply a major prime rather than the government directly, that prime's own supplier requirements are the ones setting your clock.

Nobody hands you this date. You have to go find it in your own contracts and your prime's supplier notices, then build your plan from there.

If you want help figuring out where your real deadline sits, the conversation starts here →