
CMMC Phase 2 Starts November 10. Here Is What Level 2 C3PAO Actually Requires.

[Cover image: CMMC Phase 2 Starts November 10, four-phase rollout strip with the Level 2 step highlighted]

The Cybersecurity Maturity Model Certification program enters Phase 2 on November 10, 2026, exactly twelve months after Phase 1 began. The first phase introduced contract-level requirements for self-assessment against the 110 practices in NIST SP 800-171 Revision 2, with affirmation submitted in the Supplier Performance Risk System. Phase 2 replaces self-affirmation with third-party certification by a CMMC Third-Party Assessment Organization (C3PAO) for any contract that touches Controlled Unclassified Information at Level 2. The Department of Defense estimates the rule reaches more than 80,000 organizations across the Defense Industrial Base. The audit conversation changes on that date, and the technical evidence that survives a C3PAO assessment is narrower than most prime contractors expect.

The Phase 1 record from the C3PAO community already names the practices that trip assessments. The Cyber AB published 2025 assessment trend data showing the same controls failing across organizations of varied size and maturity. The practices that determine pass or fail in Phase 2 are not the policy controls. They are the cryptographic, lineage, and external-flow controls that data-centric architecture handles natively.

What changes on November 10

CMMC Phase 1 ran from November 10, 2025 through November 9, 2026 as the contract-level introduction. Senior officials submitted SPRS affirmations attesting that the organization met all 110 practices in NIST SP 800-171 Rev. 2. The DoD audited a small sample for completeness, and DCMA reviewers issued findings on self-affirmations they considered unsupported. Phase 1 was a documentation phase. Phase 2 is an assessment phase.

Phase 2 requires C3PAO certification before contract award on any solicitation containing the Level 2 requirement. The C3PAO is a private assessment firm accredited by the Cyber AB under the CMMC Accreditation Body Master Service Agreement. The assessment is on-site, evidence-driven, and scored against the 110 practices using the Department's CMMC Assessment Process documents. A practice scored as NOT MET blocks certification at Level 2. A practice scored as MET requires assessor-reviewed evidence, not policy text.

The Department published the final rule under 32 CFR Part 170 and the contract clause under 48 CFR Part 204 in 2024 and 2025. The clause language is final. The assessment guides are final. The C3PAO community is operating against published criteria. The variable is which contractors will reach November 10 with the assessment-grade evidence the criteria demand.

The practices that determine the outcome

The Cyber AB and the Defense Industrial Base Cybersecurity Assessment Center published common-finding data through the Phase 1 cycle. Five practice families produced the bulk of NOT MET scores: SC.L2-3.13.11 (FIPS-validated cryptography for CUI), MP.L2-3.8.9 (cryptographic protection of CUI on backup media), AC.L2-3.1.20 (verification of external connections and use of CUI on external information systems), AU.L2-3.3.1 (audit record content and retention against assessment-relevant events), and CM.L2-3.4.5 (access restrictions for changes to information systems handling CUI).

The pattern across the five families is consistent. Each practice requires evidence that an enforcement boundary applied at the data, not at the network or identity layer surrounding the data. SC.L2-3.13.11 requires that cryptographic modules protecting CUI carry FIPS 140-2 or FIPS 140-3 validation, with the validation traceable to the cryptographic operation on the actual CUI object. MP.L2-3.8.9 requires that CUI on backup media remain encrypted under a validated module while the media is in transit, in storage, and during restoration. AC.L2-3.1.20 requires that the organization control and verify external CUI flows, which assessors operationalize as evidence that CUI leaving the boundary cannot be read without an attribute claim the receiving environment cannot impersonate.

A perimeter-centric architecture answers these practices with policy text and compensating controls. An object-level cryptographic architecture answers them with the cryptographic envelope on the object, the validated module that produced the envelope, and the audit record of every release. The second category of evidence is what C3PAOs ask for and what closes a NOT MET finding.

Where data-centric security materially reduces scope

The CMMC Level 2 scope determination is the assessment surface, and the scope determination is driven by where CUI is processed, stored, transmitted, or protected. Contractors who reduce the CUI processing footprint through enclave architectures cut the scope but accept operational friction at the enclave boundary. Contractors who tag and encrypt CUI at the object layer cut the scope a different way: any information system handling only encrypted CUI ciphertext with no decryption authority falls outside the boundary that the practice applies to.

Lattix Technologies binds policy to CUI objects through attribute-based access control at the policy enforcement point, FIPS 140-3 validated cryptographic modules, and Merkle-tree lineage in tamper-evident audit storage. Systems handling only the ciphertext of a Lattix-protected CUI object do not hold cleartext CUI and therefore do not fall under the SC.L2-3.13.11, MP.L2-3.8.9, or AC.L2-3.1.20 scope for that object. The assessor confirms the boundary through cryptographic evidence and the lineage record rather than through policy attestation.

The position is not that cryptographic enforcement eliminates the assessment. It is that the practices that fail most often become evidence problems that the architecture answers directly. The C3PAO sees a validated module performing the cryptographic operation on the object, a policy decision point releasing the key only against a matching attribute set, and a lineage record showing the release event and the principal. The MET score is supported by the evidence the practice asks for.

Audit evidence requirements C3PAOs are asking for

Three evidence types appear in every Phase 1 assessment that scored MET against the practices above. The first is module validation traceable to the operation: a FIPS 140-2 or 140-3 certificate referencing the specific cryptographic algorithm and module performing the encryption of the CUI object. Catalog references against NIST CMVP records are routine in the assessment. The second is policy evaluation traceable to the release: a record showing the attribute set evaluated, the policy expression matched, and the principal who received the key. Logs of HTTP requests against an access control proxy do not satisfy this evidence type. The PDP decision record does. The third is lineage continuity from creation to retirement: an audit chain that the assessor can replay to verify that no decryption event occurred outside the recorded set of policy releases.

The architectures that produce these three evidence types natively are object-level cryptographic enforcement architectures. The architectures that produce them through layered logging, log aggregation, and SIEM correlation produce them with effort and produce them with gaps that the C3PAO catalogs as findings.
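The second and third evidence types above, and the attribute-bound key release with tamper-evident lineage described in the scope section, are easier to reason about with a concrete shape in hand. The following Python is an added illustration written for this post; it is not Lattix code and not a real PDP. The policy syntax, attribute names, principals, object ids and `dek:` key references are all constructed, and a plain SHA-256 hash chain stands in for the Merkle-tree lineage store the post describes. It shows a PDP producing the decision record an assessor asks for (attributes evaluated, rules matched, principal, key reference), a PEP appending decision and decrypt events to an append-only chain, and the two replay checks an assessor performs: does every link in the chain still recompute, and does every decrypt event trace back to a recorded PERMIT.

```python
import hashlib
import json
from typing import Optional

# --- Constructed sample data (hypothetical program, not a real contract) ---
OBJECT_ATTRS = {"cui-0001": {"marking": "CUI//SP-CTI", "program": "PROG-A"}}
PRINCIPAL_ATTRS = {
    "alice@contractor.example": {"cui_authorized": True, "program": "PROG-A"},
    "bob@partner.example": {"cui_authorized": True, "program": "PROG-B"},
}
# Hypothetical policy syntax: every rule must hold for the object key to be released.
# A "literal" rule compares a subject attribute to a fixed value; an "object_attr"
# rule compares it to the attribute of the CUI object being requested.
POLICY = {
    "id": "pol-cui-release-v1",
    "rules": [
        {"subject_attr": "cui_authorized", "literal": True},
        {"subject_attr": "program", "object_attr": "program"},
    ],
}


def canonical(record: dict) -> bytes:
    """Canonical JSON so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditChain:
    """Append-only, hash-chained audit log. Each entry commits to the previous
    entry's hash, so editing or removing any earlier record breaks every later link."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = hashlib.sha256(prev.encode() + canonical(record)).hexdigest()
        entry = {"seq": len(self.entries), "prev_hash": prev, "record": record, "hash": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Replay from genesis; True only if every sequence number and hash recomputes."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = hashlib.sha256(prev.encode() + canonical(e["record"])).hexdigest()
            if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def pdp_decide(principal: str, object_id: str) -> dict:
    """Policy decision point: evaluates POLICY against subject and object attributes
    and returns the full decision record, not just PERMIT/DENY."""
    subj, obj = PRINCIPAL_ATTRS[principal], OBJECT_ATTRS[object_id]
    matched, failed = [], []
    for rule in POLICY["rules"]:
        expected = rule["literal"] if "literal" in rule else obj[rule["object_attr"]]
        (matched if subj.get(rule["subject_attr"]) == expected else failed).append(rule)
    decision = "PERMIT" if not failed else "DENY"
    return {
        "event": "policy_decision", "object_id": object_id, "principal": principal,
        "attributes_evaluated": subj, "policy_id": POLICY["id"],
        "rules_matched": matched, "rules_failed": failed, "decision": decision,
        # Key reference released to the PEP on PERMIT (a hypothetical id, not key material).
        "key_ref": "dek:" + object_id if decision == "PERMIT" else None,
    }


def request_key(chain: AuditChain, principal: str, object_id: str) -> Optional[str]:
    """Policy enforcement point: always records the decision; records the decrypt
    event only when the PDP permitted the release."""
    rec = chain.append(pdp_decide(principal, object_id))["record"]
    if rec["decision"] != "PERMIT":
        return None
    chain.append({"event": "decrypt", "object_id": object_id,
                  "principal": principal, "key_ref": rec["key_ref"]})
    return rec["key_ref"]


def unreleased_decrypts(chain: AuditChain) -> list:
    """Lineage replay: every decrypt must be preceded by a PERMIT for the same
    principal, object and key_ref. Returns the decrypt entries that are not."""
    permits, orphans = set(), []
    for e in chain.entries:
        r = e["record"]
        if r["event"] == "policy_decision" and r["decision"] == "PERMIT":
            permits.add((r["principal"], r["object_id"], r["key_ref"]))
        elif r["event"] == "decrypt" and (r["principal"], r["object_id"], r["key_ref"]) not in permits:
            orphans.append(e)
    return orphans


def demo() -> dict:
    chain = AuditChain()
    alice = request_key(chain, "alice@contractor.example", "cui-0001")  # PERMIT
    bob = request_key(chain, "bob@partner.example", "cui-0001")         # DENY: program mismatch
    clean = chain.verify() and not unreleased_decrypts(chain)
    # Constructed anomaly: a decrypt lands in the log with no matching PERMIT.
    chain.append({"event": "decrypt", "object_id": "cui-0001",
                  "principal": "bob@partner.example", "key_ref": "dek:cui-0001"})
    orphans = len(unreleased_decrypts(chain))
    # Constructed tampering: an earlier record is rewritten in place.
    chain.entries[1]["record"]["principal"] = "mallory@partner.example"
    return {"alice_key": alice, "bob_key": bob, "clean_before_anomalies": clean,
            "orphan_decrypts": orphans, "chain_intact_after_tamper": chain.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the shape is that the decision record and the decrypt event are produced by the enforcement path itself, so the assessor's replay is a mechanical check over the chain rather than a reconstruction from proxy logs. A production store would anchor the chain head (or a Merkle root over the entries) in storage the enforcement layer cannot rewrite; the in-place tamper in `demo()` is caught here only because the verifier recomputes every link from genesis.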

What contractors should do between now and November 10

Six months remain between today and Phase 2 enforcement. The work that survives that window is a scoping exercise, an architecture exercise, and an evidence-rehearsal exercise.

The scoping exercise identifies every information system that processes, stores, transmits, or protects CUI and produces a defensible boundary diagram. The architecture exercise determines whether CUI inside the boundary is protected by an object-level cryptographic envelope or by perimeter controls only, and remediates against the practices that fail under perimeter-only enforcement. The evidence-rehearsal exercise runs the C3PAO Assessment Process against the candidate evidence, identifies the practices where evidence is missing, and produces the corrective record before the assessor sees it.

Phase 2 does not introduce new practices. It introduces a new evidentiary standard for the same practices. The contractors who pass first-cycle assessments will be the ones whose evidence is generated by the enforcement layer rather than constructed for the assessor.
