CMMC verification, for primes.

DoD CMMC Phase 2 starts November 10, 2026. This is a prime contractor's playbook for verifying a subcontractor's CMMC level before award. The catch: primes cannot self-serve a sub's CMMC status in SPRS. DoD confirmed in the final rule preamble that no electronic sharing mechanism exists. Here is the workflow that actually works.
/ 01 · THE ASYMMETRY

You flow it down. You can't look it up.

DFARS 252.204-7021 makes the prime responsible for ensuring subcontractors comply with CMMC requirements before award and during performance. Yet SPRS access is structured so each contractor sees only its own enterprise hierarchy. The prime cannot self-serve a subcontractor's CMMC certification status or NIST SP 800-171 DoD Assessment score.

This is not an oversight. DFARS 252.204-7020(f)(2) explicitly limits SPRS access to "authorized representatives of the Contractor for which the assessment was conducted." And in the CMMC final rule preamble, DoD confirmed: "DoD does not have a tool that would allow sharing of subcontractor information with prime contractors electronically. However, SPRS will allow subcontractors to print or take a screenshot of their own CMMC status and affirmation information in SPRS and share with their primes."

The verification gap is the entire reason this page exists. Once Phase 2 starts on November 10, 2026, a non-compliant flow-down to a subcontractor opens False Claims Act exposure for the prime under the DOJ Civil Cyber-Fraud Initiative, plus the operational risk of contract termination. The prime is liable, and the prime cannot use SPRS to look up the answer. The verification mechanism is therefore contractor-driven: the sub produces evidence, the prime captures and retains it.

/ 02 · PHASED ROLLOUT

CMMC 2.0 timeline.

Today (April 2026) sits inside Phase 1. The hard pivot is six to seven months away: Phase 2 begins November 10, 2026. The CMMC 2.0 program rule is at 32 CFR Part 170 (Federal Register doc 2024-22905), published October 15, 2024 and effective December 16, 2024.

  1. November 10, 2025: Phase 1 begins
     Solicitations may require Level 1 or Level 2 self-assessment in SPRS. DFARS 252.204-7021 takes effect.
  2. November 10, 2026: Phase 2, the cliff
     Solicitations may require Level 2 C3PAO certification for contracts handling CUI. Prime verification stakes step up.
  3. November 10, 2027: Phase 3
     Level 3 DIBCAC government assessments enter scope for the most sensitive CUI.
  4. November 10, 2028: Phase 4, full implementation
     CMMC requirements apply across all applicable DoD contracts, including option periods.
Important nuance on Phase 2
Phase 2 does NOT eliminate Level 2 self-assessment for less-sensitive scopes. What Phase 2 adds is the ability for DoD to require C3PAO-certified Level 2 in solicitations. Self-assessment Level 2 contracts can still exist for less-sensitive scopes during the phase-in. A common error in competitor content is the claim that "Level 2 self-assessment goes away" on November 10, 2026. That is wrong: read the solicitation and the contract clause to see which form of Level 2 is actually required.
/ 03 · LEVELS

The three CMMC levels and what each requires you to verify.

Level 1 (FCI)
15 controls aligned to FAR 52.204-21. Annual self-assessment plus senior-official affirmation in SPRS. What the prime asks for: current SPRS submission date and the affirming official's name.
Level 2 (CUI)
110 controls from NIST SP 800-171 Rev 2. Self-assessment OR C3PAO certification depending on the contract designation. What the prime asks for: SPRS score plus, if certification required, a C3PAO Certificate of Assessment with CAGE code, scope, and date.
Level 3 (highest-sensitivity CUI)
NIST SP 800-171 plus a subset of NIST SP 800-172. DIBCAC government-led assessment, not C3PAO. Under 32 CFR Part 170 a Level 3 assessment presupposes a Level 2 C3PAO final certification for the same scope, so a sub claiming Level 3 should also be able to produce its Level 2 certificate. What the prime asks for: a DIBCAC assessment artifact, plus the underlying Level 2 C3PAO certificate.
/ 04 · SPRS VISIBILITY

How SPRS shows CMMC posture.

SPRS holds: assessment score, assessment date, CAGE code, scope statement, senior-official affirmation, and, for Level 2 certifications (whether obtained voluntarily now or under a Phase 2 requirement), the C3PAO certificate reference. Access is gated through PIEE registration.

The prime's view is restricted to its own enterprise hierarchy. The sub must export its record (SPRS-generated screenshot or PDF) and share it. There is no documented exception for the prime-subcontractor relationship: a corporate parent sees only the CAGE codes registered within its own hierarchy, a teaming or subcontract relationship creates no shared SPRS view, and there is no basic ordering agreement exception. SPRS access is strictly per-CAGE / per-entity.

Contracting officers vs primes
Contracting officers can check SPRS before award, because DoD has cross-CAGE visibility internally. The prime is not the only verifier, but the prime is the one liable for the flow-down. CO verification is a backstop, not a substitute.
/ 05 · PRE-AWARD WORKFLOW

The six-step verification playbook.

Step 1, Determine the required level
Based on what data the sub will actually touch: FCI vs CUI. Map the data flow before the subcontract scope is drafted. Scope by data sensitivity, not headcount.
Step 2, Request the sub's current SPRS submission
Score plus date plus scope. Calendar the annual re-affirmation expiration so verification doesn't go stale during performance; a submission that was current at award can lapse mid-contract.
Step 3, For Level 2 certification (post-Phase-2), obtain the C3PAO Certificate of Assessment
Cross-check that the C3PAO is listed in the Cyber AB Marketplace. An assessment from an unaccredited assessor is no assessment.
Step 4, Validate CAGE-code match
The CAGE code on the assessment must match the legal entity actually doing the work. Affiliate or parent assessments do not flow to subsidiaries operating under a different CAGE code; see our CAGE code page on multi-location issues.
Step 5, Validate assessment scope
A sub assessed for a 50-seat enclave cannot legally claim coverage for a 500-seat program. Compare the scope statement to the data-flow map from step 1.
Step 6, Capture senior-official affirmation in writing
Plus an evidence file: SSP reference, POA&M status, certificate copy, screenshots. DCMA reviewers will ask. The prime's contemporaneous documentation is the evidence of due diligence under DFARS 7019/7020/7021.
/ 06 · PITFALLS

Four mistakes that will cost you a contract (or worse).

  • Treating self-attest L2 and C3PAO L2 as equivalent post-Phase-2. They aren't once Phase 2 lands; the contract clause specifies which is required. A self-attestation where a C3PAO certification is required is non-compliance.
  • Not validating scope. A valid certificate for the wrong enclave is worthless. Scope = the systems covered by the assessment. If the sub will work outside that boundary on your contract, the certificate doesn't cover the work.
  • Missing affiliate / parent flow. A parent's certificate doesn't cover legal entities operating under a different CAGE code. Each CAGE that touches CUI needs its own certified scope.
  • Letting POA&Ms drift. Open POA&Ms have closeout deadlines (180 days for conditional certifications under the rule). A lapsed POA&M means a lapsed certification: your sub's SPRS status flips and your contract is suddenly out of compliance.

Honorable mention: assuming COTS exemption applies broadly. The COTS-only carve-out at 32 CFR Part 170 is narrow. Most procurement involving any CUI flow does not qualify.

/ 07 · HONEST DISCLOSURE

Where DiligenceDesk fits, and where it doesn't.

DiligenceDesk does not ingest SPRS: there is no public read API for third parties, and access is role-restricted by design. We cannot solve the prime's SPRS-visibility problem because DoD itself has not solved it.

What we do: flag CMMC verification as a gap in the due-diligence packet for any DoD flow-down sub. We prompt the user to attach the C3PAO certificate and CAGE-matched scope, and we timestamp the affirmation for the audit trail. CMMC posture sits alongside our automated entity, ownership, sanctions, and Section 889 checks rather than replacing the manual verification step.

Pair this manual verification with our automated workflows: the verdict ladder for the broader source matrix; Section 889 vendor screening for prohibited-hardware checks; Step 6 of the diligence checklist for where manual review fits.

Run a Section 889 + sanctions + responsibility audit on any DoD sub.

Free. CMMC verification still needs the contractor-driven workflow above, but the rest of the diligence stack runs automatically in seconds.