Cyberuptive

The CMMC 2.0 Timeline for Pacific Contractors: What You Need to Do, and When

For three years, the running joke among Pacific defense subcontractors was that CMMC was “always coming next year.” That joke is over. The DoW published the CMMC final rule on December 16, 2024, Phase 1 enforcement began November 10, 2025, and full third-party assessment requirements phase in through November 10, 2026. If your business carries Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on a current DoW contract — or wants to bid on the next one — the runway is shorter than most contractors realize.

This is what Pacific defense contractors should know about the timeline, and what to do at each phase.

The Three Dates That Matter

December 16, 2024 — Final rule published

The CMMC 2.0 final rule was officially codified in 32 CFR Part 170. This established the program structure, the three certification levels, the assessment requirements, and the role of Certified Third-Party Assessment Organizations (C3PAOs).

This date matters because it ended the “still being finalized” excuse. As of December 16, 2024, CMMC stopped being a proposed rule and started being a regulation.

November 10, 2025 — Phase 1 enforcement begins

DoW’s phased implementation plan calls for Phase 1 to begin one year after the rule’s effective date. In practice, this means:

  • Level 1 self-assessment requirements appear in new DoW solicitations for contractors handling FCI only.
  • Level 2 self-assessment requirements appear in solicitations where the contracting officer determines a self-assessment is sufficient (a smaller subset of CUI contracts).
  • The Supplier Performance Risk System (SPRS) score continues to be required, with verification ramping up.

If you bid on DoW work right now, expect to see CMMC clauses showing up in solicitations.

November 10, 2026 — Full compliance phases in

By the end of Phase 2 and the start of Phase 3, the third-party C3PAO assessment requirement for Level 2 phases in across all applicable DoW contracts. This is the date most subcontractors are unprepared for: it shifts CMMC from “self-attest if your prime asks” to “produce a C3PAO certificate or lose the contract.”

For a 25-person Pacific subcontractor starting from minimal NIST 800-171 maturity, the path from current-state to C3PAO-ready is typically 9–12 months. That math implies starting now, not in Q3 2026.

What Pacific Contractors Should Do Right Now

The Hawaii defense supply chain has specific characteristics that affect how CMMC engagements play out. Roughly $9.1 billion in annual DoW spending flows through Hawaii installations — JBPHH, Schofield Barracks, MCBH Kaneohe, Fort Shafter, USINDOPACOM HQ — and the subcontractor base is dense, diverse, and often deeply linked to mainland primes.

Here’s what we recommend, in order:

1. Confirm your level

Most subcontractors are Level 2. If you handle anything that could be CUI — engineering drawings, technical documents, ITAR-adjacent material, contract performance data marked with distribution restrictions — assume Level 2 until a contracting officer tells you otherwise. Level 1 is for FCI-only environments, which is rarer than people assume.

2. Define your CUI boundary

The single biggest determinant of engagement size and cost is the scope of your CUI environment. A bounded enclave — one Microsoft 365 GCC High tenant, a defined user list, a controlled set of systems — is materially cheaper to assess than a flat network where CUI could be anywhere. If your environment isn’t bounded yet, that’s your first remediation project.

3. Move to GCC High if you handle CUI in M365

Commercial Microsoft 365 will not satisfy DFARS 252.204-7012 by itself. The combination of FedRAMP Moderate baseline plus DoW-specific safeguards effectively requires GCC High (or an equivalent Government Community Cloud) for CUI handling. The migration is not trivial — licensing, mailbox cutover, SharePoint, Teams, Defender, Sentinel — and you need documented SSP language to defend the choice.

4. Stand up the controls you can’t fake

Some controls are easy to demonstrate: written policies, training records, configuration documents. Others are continuous operational disciplines that auditors will probe live: continuous monitoring (SI.L2-3.14.6), audit logging with sufficient retention (AU family), incident response (IR family), and vulnerability management (RA + SI families). These are the most common failure modes for mid-market contractors. They’re also the controls that benefit most from a managed services model.

5. Author the SSP. Live with the POA&M.

The System Security Plan (SSP) is your declaration of how each of the 110 NIST 800-171 controls is implemented in your environment. The Plan of Action & Milestones (POA&M) is your tracker for what isn’t fully implemented yet and when it will be. Both are living documents. Treating them as one-time deliverables is one of the most common reasons assessments fail.
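As an added illustration (not code from this article or from Cyberuptive), the following Python script treats the POA&M as a small CSV and derives two things the article keeps pointing at: the SPRS-style score mentioned under Phase 1, and the list of open controls whose milestone slips past the November 10, 2026 date. The scoring scheme follows the DoD NIST SP 800-171 Assessment Methodology (110 points, minus a weight of 1, 3 or 5 for each requirement that is not fully implemented); the CSV layout, column names, sample rows and the per-control weights in the sample are assumptions for the example, and the real weights have to come from the published methodology.

```python
"""POA&M tracker with an SPRS-style score (constructed example).

Assumptions not taken from the article:
  - the POA&M is a CSV with one row per NIST SP 800-171 control;
  - each row carries that control's assessment weight (1, 3 or 5);
  - anything not marked "implemented" loses its full weight (the
    methodology's partial-credit rules for 3.5.3 and 3.13.11 are
    deliberately not modelled here).
The Phase 2/3 date is the one the article gives: November 10, 2026.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PHASE_3_DATE = date(2026, 11, 10)   # from the article
MAX_SCORE = 110                     # methodology maximum

# Constructed sample POA&M; control titles are paraphrased and the
# weights are sample values, not authoritative.
SAMPLE_POAM_CSV = """\
control,title,weight,status,milestone
3.1.1,Limit system access to authorized users,5,implemented,
3.3.1,Create and retain audit logs,5,partial,2026-06-30
3.5.3,Use MFA for privileged and network access,5,not_implemented,2026-12-15
3.11.2,Scan for vulnerabilities periodically,5,implemented,
3.14.6,Monitor systems for attacks and indicators,5,not_implemented,2026-09-01
3.14.7,Identify unauthorized use of systems,3,partial,2027-01-31
"""


@dataclass
class Control:
    control: str
    title: str
    weight: int
    status: str                 # implemented | partial | not_implemented
    milestone: Optional[date]   # None when no date has been committed


def load_poam(text: str) -> List[Control]:
    """Parse the CSV; an empty milestone cell becomes None."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ms = date.fromisoformat(r["milestone"]) if r["milestone"] else None
        rows.append(Control(r["control"], r["title"], int(r["weight"]),
                            r["status"].strip().lower(), ms))
    return rows


def open_items(controls: List[Control]) -> List[Control]:
    """Everything that is not fully implemented belongs on the POA&M."""
    return [c for c in controls if c.status != "implemented"]


def sprs_score(controls: List[Control]) -> int:
    """110 minus the weight of every control not fully implemented."""
    return MAX_SCORE - sum(c.weight for c in open_items(controls))


def late_items(controls: List[Control],
               deadline: date = PHASE_3_DATE) -> List[Control]:
    """Open items with no milestone, or a milestone after the deadline.

    Either case means the control will not be closed before a C3PAO
    could plausibly assess it, so it needs a decision now.
    """
    return [c for c in open_items(controls)
            if c.milestone is None or c.milestone > deadline]


def report(controls: List[Control], deadline: date = PHASE_3_DATE) -> str:
    lines = [f"SPRS-style score: {sprs_score(controls)} / {MAX_SCORE}",
             f"Open POA&M items: {len(open_items(controls))}"]
    for c in late_items(controls, deadline):
        when = c.milestone.isoformat() if c.milestone else "no milestone"
        lines.append(f"  LATE  {c.control}  {c.title}  ({when})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_poam(SAMPLE_POAM_CSV)))
```

Run against a real POA&M export, the same three numbers (score, open count, late list) are what a prime or a contracting officer will ask for first, and the late list is the one that should be empty long before an assessment slot is booked.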

6. Do a mock assessment

Before the C3PAO walks in, have someone outside your team conduct a mock assessment with the same questioning style. Most environments have at least one or two interview-only controls (training, awareness, incident handling) where the documented answer is fine but the operational answer falls apart in conversation. You want to find that gap before the assessor does.

Why a Pacific MSSP Matters for This

Time zones, US-persons handling, and direct experience with Pacific contracting realities are not nice-to-haves. They are the substance of a useful CMMC engagement.

  • HST hours — When your prime calls about a CUI handling question at 9 AM HST, you want your security partner open. East Coast providers are 5–6 hours ahead and often gone by then.
  • US persons by default — DFARS 252.204-7012 and the CMMC personnel handling controls require US-person access to CUI. Offshore SOC tier-1 staffing is incompatible with this. We staff dedicated US-citizen analyst pools for DoW-aligned engagements.
  • INDOPACOM-AOR awareness — The threat picture for Pacific defense contractors includes nation-state actors who specifically target supply-chain weaknesses. Awareness of that threat picture shapes how a SOC is tuned and how an IR plan is written.

The Honest Cost Conversation

Most Pacific subcontractors approaching CMMC for the first time are looking at $80K–$180K of investment across 9–12 months for full Level 2 readiness, plus ongoing managed services for the controls that have to run continuously. Larger or more complex environments cost more.

That’s a lot of money. It’s also a fraction of the contract revenue at risk. A single DoW prime contract terminated for non-compliance, or a re-compete lost to a CMMC-certified competitor, recovers the investment many times over.

The contractors who treat CMMC as overhead are going to lose contracts. The ones who treat it as a competitive advantage — and start now — won’t.

Where to Start

We do free 30-minute scoping calls with Pacific subcontractors. Bring your contract types, your headcount, your top 1–2 systems, and your current M365 setup. We’ll come back with a fixed-scope plan.

Schedule a discovery call. Or call 833-92-CYBER. We’re in HST, and we answer the phone.


Related reading: CMMC 2.0 Compliance Services · Microsoft 365 & Azure Security · SOC as a Service

Frequently asked

Common questions about the CMMC 2.0 timeline for Pacific defense contractors

When does CMMC 2.0 actually become mandatory for DoD subcontractors?

CMMC 2.0 is rolling out in phases under the DoD's published implementation plan. The final rule was codified December 16, 2024 (32 CFR Part 170). Phase 1 enforcement began November 10, 2025, with self-assessment requirements appearing in new DoW solicitations for Level 1 (FCI-only) and a subset of Level 2 (CUI) contracts. By November 10, 2026 (Phase 2/3), the third-party C3PAO assessment requirement phases in across all applicable Level 2 contracts — at which point self-attestation is no longer sufficient and contractors must produce a valid C3PAO certificate to win or retain the work. For a 25-person Pacific subcontractor starting from minimal NIST 800-171 maturity, the path to C3PAO readiness is typically 9–12 months, which means the practical deadline to begin remediation has already passed for organizations that haven't started.

What's the difference between CMMC Level 1, Level 2, and Level 3?

CMMC 2.0 has three certification levels keyed to the type of information the contractor handles. Level 1 applies to organizations that handle Federal Contract Information (FCI) only — 17 basic safeguarding controls drawn from FAR 52.204-21, demonstrated via annual self-assessment with senior official affirmation. Level 2 applies to organizations that handle Controlled Unclassified Information (CUI) — all 110 controls from NIST SP 800-171 Rev 2, assessed either by self-assessment (for a narrow subset of contracts where the contracting officer permits) or by a Certified Third-Party Assessment Organization (C3PAO) on a triennial cycle. Level 3 applies to contractors handling CUI on programs with the highest-priority risk profile — Level 2 controls plus a subset of NIST SP 800-172 enhanced controls, assessed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Most Pacific defense subcontractors are Level 2.

Does CMMC 2.0 Level 2 require GCC High for Microsoft 365?

The CMMC rule does not name GCC High specifically, but DFARS 252.204-7012 paragraph (b)(2)(ii)(D) requires cloud services that store, process, or transmit CUI to meet a FedRAMP Moderate baseline equivalent and additional DoD-specific safeguards. In practice, the combination of those requirements effectively limits CUI handling in Microsoft 365 to GCC High (or Azure Government for Azure workloads). Commercial M365 does not satisfy the requirement — even with the M365 E5 license tier and the strongest available conditional access policies. The migration from Commercial to GCC High involves new licensing (per-seat cost approximately 2-3x), mailbox cutover, SharePoint and Teams migration, Defender for Endpoint reconfiguration, and updated SSP language documenting the move. Plan 4-6 months for an environment with active CUI.

What is a C3PAO and how do I find one for my CMMC assessment?

A Certified Third-Party Assessment Organization (C3PAO) is an organization authorized by the Cyber AB (the CMMC accreditation body) to conduct CMMC Level 2 assessments. The official Marketplace of authorized C3PAOs is published at cyberab.org/marketplace. As of 2026, the C3PAO pool is small relative to the eventual assessment demand — current estimates suggest demand will exceed supply by a factor of 4-10x through the Phase 2/3 ramp, which is creating multi-month wait times and price pressure. For Pacific defense subcontractors, the practical implication is twofold: book your C3PAO assessment slot as early as possible (some C3PAOs are accepting deposits 9-12 months in advance), and complete your CMMC 2.0 compliance readiness work well before the assessment date so you're not paying assessor day-rates for remediation work that should have been done before they arrived.

How much does CMMC Level 2 compliance cost for a small defense contractor?

For a typical 25-50 person Pacific defense subcontractor starting from baseline NIST SP 800-171 maturity, the full path to CMMC 2.0 Level 2 certification typically costs $80,000-$180,000 over 9-12 months, plus ongoing managed services for the controls that must run continuously (24/7 SOC monitoring, vulnerability management, patch management, incident response retainer). Larger or more complex environments scale up; environments with already-mature NIST SP 800-171 implementations scale down. The C3PAO assessment itself is a separate line item, typically $30,000-$80,000 depending on environment scope and assessor. For context on the managed services component, see our SOC-as-a-Service, MDR, and the managed SOC cost 2026 buyer's guide.

Aloha, let's talk

Want this analysis applied to your environment?

A 30-minute scoping call gives you a real plan for your SOC, your CMMC posture, or your next audit. No commitment.