You’ve seen the headlines: “CMMC is live.” Phase 1 kicked off on November 10, 2025. DoD contracting officers can now require CMMC on any new contract or option period, with no grace period.
The 4-Phase Rollout: What Clients Must Prove—and Your Revenue Opportunity
| Phase | When | Requirements | MSP/MSSP Revenue |
|---|---|---|---|
| Phase 1 | Started Nov 10, 2025 (through Nov 9, 2026) | Level 1 self-assessment on FCI; Level 2 self-assessment on CUI contracts with SPRS submission and annual affirmation | $5k–$15k per client (setup + monitoring) |
| Phase 2 | Starts Nov 10, 2026 | Level 2 C3PAO certification on most CUI contracts; conditional certifications OK if POA&Ms close in 180 days | $25k–$50k per client + $2k–$5k/month recurring |
| Phase 3 | Starts Nov 10, 2027 | Level 2 C3PAO certification required on all applicable CUI contracts; Level 3 begins for high-risk programs | $10k–$20k ARR per client via continuous monitoring |
| Phase 4 | Starts Nov 10, 2028 | Full Levels 1–3 mandatory across all applicable contracts; triennial recertifications + annual affirmations | High-margin multi-year retainers |
Key Details Most MSPs Still Get Wrong
• “We only need Level 1.” → Most contracts involving CUI will require at minimum Level 2 self-assessment now, with C3PAO certification becoming standard by late 2026/early 2027.
• “Self-assessment is enough.” → Phase 2 and beyond mandate third-party C3PAO certification plus ongoing annual affirmations in SPRS.
• “We have until 2028.” → Primes have been requiring CMMC compliance in RFPs since Phase 1 launched in November 2025.
The C3PAO Bottleneck Is Real
As of February 2026, authorized C3PAO organizations in the Cyber AB Marketplace remain limited: about 98 per Cyber AB reports, with continued but gradual growth. With thousands of DIB contractors needing Level 2 certification, assessment schedules are booking 6 to 12 months out as demand continues to surge. MSPs who position themselves now with automated evidence-gathering and continuous-monitoring tools will capture the market before the Phase 2 rush intensifies.
The Bottom Line for MSPs & MSSPs
Phase 1 is well underway. Primes are actively verifying compliance via self-assessments and SPRS submissions. Clients who complete strong Level 2 self-attestations and build robust evidence packages this quarter will sail through 2026 and be first in line when C3PAO slots open.
With technology to automate evidence gathering for CMMC controls and track remediation for POA&Ms, you’re positioned for the busiest 24 months of your career.
SureShield’s ComplyShield automates evidence collection, remediation tracking, and template-based preparation to get clients Level 2-ready faster. This means higher recurring revenue for you.
Contact us today at sales@sureshield.ai to schedule a 30-minute demo of SureShield’s ComplyShield. Let’s lock in your 2026 pipeline before the C3PAO rush intensifies.
Sources: U.S. Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Program; Federal Register updates 2024–2025; Cyber AB C3PAO Marketplace & Town Hall updates (February–March 2026).