CMMC Phase 2 Starts in November: The MSP Action List

November 10, 2026 is when CMMC Phase 2 goes live and self-attestation stops being enough at Level 2. Defense contractors handling Controlled Unclassified Information (CUI) will need a Certified Third-Party Assessment Organization (C3PAO) to verify their security controls, not just a score posted in SPRS. (Level 1 contractors, who handle only Federal Contract Information, keep self-assessing.) That's 7 months away. The CMMC Level 2 certification timeline runs 6 to 18 months.
If you're reading this thinking "my clients haven't started," they're already late. Here's what to do about it.
What CMMC Phase 2 Actually Changes on November 10
Before Phase 2, defense contractors could self-attest NIST SP 800-171 compliance via their SPRS score. Write a System Security Plan, document your controls, submit the score. Audits were rare. The honor system mostly held.
That ends November 10. New DoD solicitations involving CUI will require a C3PAO-led assessment as the default for Level 2 contractors. An authorized assessor reviews documentation, interviews staff, and technically tests controls against all 110 NIST SP 800-171 requirements. Pass, and the client holds Level 2 certification for three years, with a senior official affirming continued compliance in SPRS every year. Fail, and they can't be awarded that contract.
MSPs are in scope too, and this part consistently gets missed. If you manage IT systems or security tools inside a client's CUI environment, you are an External Service Provider for that assessment, and the C3PAO will review how you handle the client's data and the systems you administer. "We don't send CUI to our MSP" doesn't hold if you manage the systems that process it. Have your documentation (shared responsibility matrix, your own policies and access records for the client environment) ready before the assessment starts.
The Math on How Far Behind Your Clients Are
The availability problem is real. Roughly 100 authorized C3PAOs exist in the US to serve an estimated 118,000 organizations that need Level 2 certification. A lot of those organizations are going to hit a scheduling wall between now and November.
Typical CMMC Level 2 certification timeline for a mid-size company starting today:
- Initial gap assessment: 2-4 months to scope and complete
- Remediation: 3-6 months depending on gap depth
- Documentation (SSP, POA&M): 4-8 weeks
- C3PAO assessment scheduling: 4-8 weeks added at the end
Best case is roughly 6 to 7 months if clients start now, the phases run back to back, and nothing is found twice. For a company coasting on a stale SPRS score, plan 9-12 months. If a client has a contract renewal coming Q1 or Q2 2027, the window is already closing.
What You Find in a CMMC Gap Assessment
NIST SP 800-171 Rev 2 has 110 security requirements across 14 families. NIST SP 800-171A breaks each requirement into multiple assessment objectives, 320 in total, and the C3PAO scores every objective; a requirement is only "met" when all of its objectives are.
Common findings:
Scoping errors. Define the CUI boundary too broadly and there are more systems to secure. Define it too narrowly and the C3PAO expands scope during the assessment, invalidating months of remediation work.
Policy-reality disconnect. The client has a written Incident Response Plan. Nobody has tested it. The C3PAO asks for evidence of a tabletop exercise in the last 12 months. There isn't one. Automatic gap on 3.6.3 (test the incident response capability).
Access control gaps. MFA not enforced for every account with network access to CUI systems, and not for local access to privileged accounts (3.5.3). Privileged accounts not reviewed on the schedule the client's own policy states. Shared admin credentials still in use.
Audit logging. Logs exist but nobody reviews them. Having the logs satisfies 3.3.1; 3.3.3 and 3.3.5 require evidence that someone actually reviews them (tickets, review notes, alert triage records), not just a retention setting.
Media protection. Portable media policies written but not enforced; no sanitization records for CUI-bearing drives before reuse. Employees occasionally forwarding CUI to personal email, which surfaces in the same interviews and lands as an information-flow and boundary-protection finding (3.1.3, 3.13.1) rather than a media protection one.
How to Have This Conversation Without Sounding Like a Vendor
Most MSPs frame this backwards, presenting CMMC as a compliance burden the client needs to absorb. That kills the conversation before it starts.
The honest reframe: your clients' DoD contracts represent a specific dollar amount per year. Ask them what that number is. Then ask what happens to that number if they can't bid on renewal. For a typical small DoD contractor, a full readiness engagement runs $43,000-$113,000+ total. Against a $2M annual DoD contract, that math looks very different.
The other conversation MSPs avoid: telling clients where they actually stand. If a client has an SPRS score of 42 and a System Security Plan that hasn't been touched in two years, say that directly.
Scoping and Pricing a CMMC Readiness Engagement
This should not be a loss leader.
A structured engagement for a small DoD contractor (20-50 employees, one location, moderately mature IT environment):
Phase 1: Gap Assessment and Scoping - 2-4 weeks. Map the CUI environment, define the boundary, assess all 110 controls, produce a gap scorecard and prioritized POA&M. Typical pricing: $8,000-$18,000.
Phase 2: Remediation and Implementation - 3-6 months. Technical remediation (MFA rollout, logging configuration, access control hardening), policy development, evidence collection. Budget $30,000-$80,000.
Phase 3: C3PAO Prep and Mock Assessment - 4-6 weeks. Run an internal mock assessment before the C3PAO arrives. $5,000-$15,000.
Total: $43,000 to $113,000+ for a properly scoped engagement.
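The gap scorecard and prioritized POA&M from Phase 1 are easy to describe and easy to get wrong in a spreadsheet. The script below is an added example, not Scopable's workflow or any C3PAO's tooling. It scores a set of assessed requirements the way the NIST SP 800-171 DoD Assessment Methodology does (start at 110, subtract each unmet requirement's 5/3/1 weight, partial credit only for 3.5.3 and 3.13.11), then applies the CMMC Level 2 conditional-certification rule as this editor understands it: score of at least 88, and only 1-point items (plus 3.13.11 at a 3-point deduction) may remain open on the POA&M. The per-control weights and findings in the sample are constructed for illustration; a real engagement loads the weight table from the methodology's Annex A and enters all 110 requirements.

```python
"""Gap scorecard and POA&M prioritizer for a NIST SP 800-171 / CMMC Level 2
readiness engagement. Added illustration, not Scopable's or any C3PAO's code.

Scoring assumptions (DoD Assessment Methodology): max score 110, subtract each
unmet requirement's weight (5, 3 or 1). Two partial credits: 3.5.3 (MFA) and
3.13.11 (FIPS-validated crypto) deduct 3 instead of 5 when partially met.
Conditional Level 2 assumptions: score >= 88 and only 1-point items, or
3.13.11 at -3, may stay open on the POA&M.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"  # only valid for the two partial-credit controls


@dataclass(frozen=True)
class Requirement:
    control: str   # e.g. "3.5.3"
    family: str    # NIST SP 800-171 family name
    weight: int    # 1, 3 or 5 (assumed values below; load Annex A for real work)
    status: Status
    finding: str = ""


MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # deduction when partially met


def _control_key(control: str) -> tuple:
    """Sort '3.1.20' after '3.1.5' by numeric parts, not string order."""
    return tuple(int(part) for part in control.split("."))


def deduction(req: Requirement) -> int:
    """Points lost for this requirement under the assessment methodology."""
    if req.status is Status.MET:
        return 0
    if req.status is Status.PARTIAL:
        if req.control not in PARTIAL_CREDIT:
            raise ValueError(f"{req.control} has no partial-credit scoring")
        return PARTIAL_CREDIT[req.control]
    return req.weight


def sprs_score(reqs: list) -> int:
    """Requirements not in the list are treated as met (sample is a subset)."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def poam_eligible(req: Requirement) -> bool:
    """Assumption: only 1-point gaps, or 3.13.11 partially met, may stay on a POA&M."""
    points = deduction(req)
    return points == 1 or (req.control == "3.13.11" and points == 3)


def prioritized_poam(reqs: list) -> list:
    """Open items, biggest deduction first, non-POA&M-eligible blockers ahead of
    eligible items at the same weight, then by control number."""
    open_items = [r for r in reqs if deduction(r) > 0]
    return sorted(open_items,
                  key=lambda r: (-deduction(r), poam_eligible(r), _control_key(r.control)))


def scorecard(reqs: list) -> dict:
    """Summary a client can act on: score, blockers, open gaps per family."""
    open_items = prioritized_poam(reqs)
    blockers = [r.control for r in open_items if not poam_eligible(r)]
    score = sprs_score(reqs)
    return {
        "score": score,
        "open": len(open_items),
        "blockers": blockers,  # must be closed before conditional certification
        "conditional_ok": score >= CONDITIONAL_MIN_SCORE and not blockers,
        "open_by_family": dict(Counter(r.family for r in open_items)),
    }


# Constructed sample of assessed requirements (weights and findings assumed).
SAMPLE = [
    Requirement("3.1.1", "Access Control", 5, Status.MET),
    Requirement("3.1.5", "Access Control", 3, Status.NOT_MET, "Shared admin credentials in use"),
    Requirement("3.3.1", "Audit and Accountability", 5, Status.MET),
    Requirement("3.3.3", "Audit and Accountability", 1, Status.NOT_MET, "No evidence of log review"),
    Requirement("3.5.3", "Identification and Authentication", 5, Status.PARTIAL, "MFA on admin and VPN only"),
    Requirement("3.6.3", "Incident Response", 1, Status.NOT_MET, "No tabletop in last 12 months"),
    Requirement("3.8.3", "Media Protection", 5, Status.NOT_MET, "Drives reused without sanitization"),
    Requirement("3.13.11", "System and Communications Protection", 5, Status.PARTIAL, "Encryption not FIPS-validated"),
]

if __name__ == "__main__":
    card = scorecard(SAMPLE)
    print(f"SPRS-style score: {card['score']}  conditional OK: {card['conditional_ok']}")
    for r in prioritized_poam(SAMPLE):
        tag = "POA&M ok" if poam_eligible(r) else "BLOCKER"
        print(f"  -{deduction(r)}  {r.control:8} {tag:9} {r.finding}")
```

On the sample, the score is 94, which clears the 88 threshold, but 3.8.3, 3.1.5 and the partial MFA rollout on 3.5.3 are blockers that no POA&M can carry, so the client is not ready for a conditional certification until those three are closed. That distinction, score versus blockers, is what a spreadsheet sum hides and what the POA&M ordering is meant to surface.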
Run a CMMC gap assessment through Scopable's compliance services and you get the gap scorecard, the remediation roadmap, and a project quote in one workflow. Scopable saves 8-12 hours of admin work per client engagement. If you want to package that workflow for your own team, join Scopable's early access. For a broader pricing framework, start with our MSP compliance pricing guide.
If you serve defense contractors and haven't had this conversation yet, November is closer than it looks.
Frequently Asked Questions
What is CMMC Phase 2 and when does it start? CMMC Phase 2 begins November 10, 2026. It requires defense contractors handling Controlled Unclassified Information (CUI) to obtain Level 2 certification through an authorized C3PAO, rather than self-attesting via SPRS.
How long does CMMC Level 2 certification take? Plan for 6 to 18 months from initial gap assessment to certified status. C3PAO scheduling adds 4-8 weeks at the end.
Do MSPs need to be CMMC certified themselves? MSPs that manage IT systems or security tools inside a client's CUI environment are External Service Providers. Under the final rule an ESP does not need its own certificate, but the services it provides are assessed as part of the client's C3PAO assessment, so its documentation and practices get reviewed either way.
What does a CMMC gap assessment cost? Gap assessments typically run $5,000 to $20,000 depending on organization size and environment complexity.
How should an MSP price a CMMC readiness engagement? Structure it in three phases: gap assessment ($8K-$18K), remediation and implementation ($30K-$80K), and C3PAO prep ($5K-$15K). Total engagement value runs $43K-$113K+ for a small contractor.
Research Sources
- November 10, 2026 Phase 2 start confirmed: ridgeit.com, secureframe.com, summit7.us, isidefense.com
- ~100 C3PAOs for ~118,000 organizations needing Level 2
- Engagement cost $43K-$113K (small contractor), $75K-$250K+ (larger orgs)
- Gap assessment cost $5K-$20K: paramify.com, klcconsulting.net
- 110 controls / 320 assessment objectives: ibsscorp.com, agileit.com


