CMMC for Manufacturers: What Phase 2 Means and How to Get Ready
The rule is final. Phase 1 is live. Phase 2 is around the corner. If you’re in the DoD supply chain, the honor system is ending.
What CMMC Is, Quickly
The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s framework for verifying that companies in the Defense Industrial Base actually protect the sensitive government information they handle. It replaces a decade of self-attestation under DFARS 252.204-7012 with a tiered model in which the higher levels are assessed by an accredited third party or by the DoD itself.
There are three levels:
- Level 1 — Foundational. For contractors handling Federal Contract Information (FCI) only. 15 basic hygiene practices. Self-assessment.
- Level 2 — Advanced. For contractors handling Controlled Unclassified Information (CUI). All 110 NIST SP 800-171 controls. Self-assessment during Phase 1; C3PAO third-party assessment becomes the expected requirement for CUI contracts starting November 10, 2026.
- Level 3 — Expert. For high-priority CUI programs. Adds a subset of NIST SP 800-172 controls on top of Level 2. Assessed by the government’s DIBCAC, not a C3PAO.
Not sure if you handle CUI? If your customer sends drawings marked CUI, distribution-restricted, ITAR, or export-controlled, you’re handling CUI. If you’re machining parts for a DoD program, assume yes until proven otherwise.
If you’re a CNC shop machining components for a DoD prime, sub, or sub-of-a-sub, you’re almost certainly looking at Level 2.
Phase 2 Deadline
This is the deadline that matters for most defense shops:
November 10, 2026. After that date, the DoD intends third-party assessed Level 2 (C3PAO), not a self-assessment, to be the condition of award for new contracts involving CUI.
The C3PAO Bottleneck: Why the CMMC Math Doesn’t Work
The DoD estimates more than 76,000 organizations will need Level 2 C3PAO certification. As of early 2026, fewer than 1,100 had completed it. C3PAOs in aerospace and defense hubs are already booking into late 2026 and 2027. A typical readiness journey (gap analysis, remediation, documentation, pre-assessment, then the assessment itself) runs 12 to 14 months.
If you start today, your realistic certification date is mid-to-late 2027. That’s past Phase 2.
This is what “act now” actually means: the C3PAO pipeline cannot absorb the demand about to hit it. Shops that started preparing in 2024 and 2025 are in the queue. Shops just starting now will compete for slots that are already mostly booked.
The Other Risk Nobody Talks About
CMMC Level 2 also requires a senior company executive, your “Affirming Official”, to file an annual affirmation in SPRS attesting that the organization meets all applicable security requirements. That’s a recurring legal certification submitted as a condition of contract eligibility, and if it’s false or made with reckless disregard for the truth, it carries potential False Claims Act exposure, including treble damages and per-claim penalties.
$11.25M settlement. $4.6M settlement. Treble damages. Personal liability for a named officer. That’s the DOJ’s 2025 message to defense contractors who falsely certify compliance with DoD cybersecurity requirements.
This isn’t theoretical. The DOJ settled seven cybersecurity-related False Claims Act cases in 2025 alone, including an $11.25M settlement with a defense contractor that falsely certified compliance and a $4.6M settlement with a contractor that submitted an inflated SPRS score. Holland & Knight has a good breakdown of how this exposure works.
Translation: CMMC isn’t just a procurement checkbox. It’s now a recurring legal attestation by a named officer of the company, and the DOJ is paying attention.
What You Should Do Now
Read your contracts.
If you see DFARS 252.204-7012 or any reference to NIST 800-171, you’re already on the Level 2 path.
Run a real gap analysis.
Not a self-quiz, a structured assessment against all 110 controls. Most shops discover the lift is bigger than they expected.
Get the obvious shop-floor stuff in order.
Shared machine logins. “ERP/ERP” as the password. Default controller passwords nobody changed. USB sticks moving G-code with no audit trail. CAM workstations with shared accounts. Programmer laptops without disk encryption. No network separation between the office and the shop floor.
These are the gaps auditors find first because they’re the most visible, and each maps directly to an 800-171 family: shared and default credentials to identification and authentication (3.5), untracked USB transfers to media protection (3.8) and audit and accountability (3.3), unencrypted laptops to media and physical protection, and a flat network to boundary protection (3.13).
Don’t DIY the rest.
A CMMC Registered Practitioner does this work for a living, has seen what auditors actually look for, and will move you faster than a part-time internal effort. We recommend Carbide Secure — they’re who we trust for our own program.
Put your CMMC posture in your capability statement.
Prospects and primes are already asking. A clean, specific answer keeps you in the bid.
Which Contracts Get Hit First
If your customer is a DoD prime recompeting a contract in late 2026 or 2027, expect Level 2 language in the next solicitation. If you supply parts to a recompeting program, your prime will pass the requirement down to you. Any new DoD contract awarded after November 10, 2026, involving CUI defaults to third-party assessed Level 2. The shops getting blindsided in 2027 are the ones who assumed their customer would tell them in time.
Your cyber insurance carrier is also paying attention. Premiums and coverage terms are increasingly tied to CMMC posture. A defense shop without a Level 2 plan should expect its next renewal to look very different.
The G-Code Gap in Most CMMC Plans
One of the biggest unaddressed gaps in most manufacturers’ CMMC posture is G-code itself. A program generated from a CUI drawing is CUI too. Programs stored on USB drives, shared folders, and FTP servers, with no access control, no audit trail, and no version control, fail the media-protection, audit, and configuration-management requirements of Level 2 on day one.
Datanomix’s G-Code Cloud + DNC closes that gap: GovCloud-hosted (Azure), encrypted at rest and in flight, SSO authentication, role-based permissions, and a complete audit trail on every change. It’s the G-code piece of your compliance plan, handled.
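Whatever tool you use, an assessor will ask the same questions about shop-floor programs that the hygiene list above and the G-code gap both point at: which revision is approved for a part, who released it, when, and how you would know if someone edited the copy on the machine. The following is an added example, not Datanomix’s product code or anything from the original page, showing the minimum evidence that answers those questions: a hash-based approved-release register with an HMAC-chained, tamper-evident log. The class and function names, the sample G-code, the part number, and the user names are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample programs for a hypothetical part, revision A and a later revision B.
PROGRAM_REV_A = b"%\nO1001 (BRACKET 7XX-001 REV A)\nG90 G54\nG0 X0 Y0 Z25.\nM30\n%\n"
PROGRAM_REV_B = b"%\nO1001 (BRACKET 7XX-001 REV B)\nG90 G54\nG0 X0 Y0 Z25.\nG1 Z-2. F300\nM30\n%\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReleaseRegister:
    """Append-only register of approved CNC program releases (example code).

    Each entry is chained to the previous one with an HMAC over the entry's
    fields plus the previous MAC, so editing or deleting an old entry breaks
    verification of everything after it. The key belongs to the release
    process (e.g. a secrets vault), never to operator or machine accounts.
    """

    def __init__(self, log_key: bytes):
        self._key = log_key
        self.entries = []      # list of dicts; each carries its own "mac"
        self.approved = {}     # part_number -> sha256 of the current approved program

    def _mac(self, fields: dict, prev_mac: str) -> str:
        payload = json.dumps(fields, sort_keys=True).encode() + prev_mac.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def register_release(self, part_number, program: bytes, released_by, approved_by, ts):
        """Record a release and make it the approved program for the part."""
        fields = {"part": part_number, "sha256": sha256_hex(program),
                  "released_by": released_by, "approved_by": approved_by, "ts": ts}
        prev = self.entries[-1]["mac"] if self.entries else ""
        entry = dict(fields, mac=self._mac(fields, prev))
        self.entries.append(entry)
        self.approved[part_number] = fields["sha256"]
        return fields["sha256"]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = ""
        for entry in self.entries:
            fields = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(fields, prev), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def check_program(self, part_number, program: bytes) -> bool:
        """True only if this exact program is the current approved release for the part."""
        expected = self.approved.get(part_number)
        return expected is not None and hmac.compare_digest(expected, sha256_hex(program))


def demo() -> dict:
    # Demo key only; a real deployment keeps the key out of the shop-floor network.
    reg = ReleaseRegister(b"constructed-demo-key-do-not-reuse")
    reg.register_release("7XX-001", PROGRAM_REV_A, "jdoe", "qmgr", "2026-05-01T09:00:00Z")
    reg.register_release("7XX-001", PROGRAM_REV_B, "jdoe", "qmgr", "2026-05-08T14:30:00Z")

    results = {
        "log_intact": reg.verify(),
        # The program on the machine matches the current release.
        "current_rev_ok": reg.check_program("7XX-001", PROGRAM_REV_B),
        # An old revision still sitting on a USB stick is rejected.
        "stale_rev_rejected": not reg.check_program("7XX-001", PROGRAM_REV_A),
        # A feed-rate edit made at the control, outside the release process, is caught.
        "usb_edit_rejected": not reg.check_program(
            "7XX-001", PROGRAM_REV_B.replace(b"F300", b"F600")),
    }
    # Someone rewrites history in the log: the chain no longer verifies.
    reg.entries[0]["released_by"] = "someone-else"
    results["tamper_detected"] = not reg.verify()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The register only proves that the program at the machine is the one your release process approved and that the log has not been rewritten; it does not by itself satisfy access control on the store, encryption of the media, or who is allowed to call register_release. Those are separate controls, and a real implementation would keep the log on a write-once store and the HMAC key in a vault rather than in source.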
The Bottom Line
CMMC is no longer a question of if. It’s a question of how ready you’ll be when your next DoD contract recompetes. The shops moving now will keep their work and win new bids. The shops waiting for clarity that’s already arrived will find themselves explaining to a customer why their certification isn’t done.
Six months until Phase 2. Twelve to fourteen months for a real readiness journey.
The math doesn’t work unless you start now.
Want a deeper walkthrough?
Watch the full Carbide Secure walkthrough, which goes deeper on what auditors actually look for: How to Streamline Your CMMC 2.0 Compliance.