CMMC 2.0 Readiness Accelerator
12-tab CMMC 2.0 workbook — all 110 NIST 800-171 practices with DoD SPRS weights, auto-calculated SPRS score, Level determination decision tree, SSP builder, POA&M tracker, and C3PAO readiness checklist. Built for the November 2026 Phase 2 deadline.
Phase 2 begins November 10, 2026 — requiring third-party CMMC Level 2 certification for most contractors handling CUI. Phase 1 (November 10, 2025) already requires Level 1 and Level 2 self-assessments as pre-award conditions for new contracts.
12-tab architecture (94 formulas, zero errors):
- Scope & CUI Identification — FCI vs CUI distinction with contract indicator checklist. The most common early mistake: treating FCI-only contracts as requiring CMMC Level 2.
- CUI Data Flow Inventory — CUI lifecycle questions with enclave strategy callout.
- Level Determination & Path — 7-question decision tree with a nested IF formula producing a Level 1 / L2-Self / L2-C3PAO / L3 recommendation.
- NIST 800-171 Controls Tracker — all 110 practices across 14 families, each with the DoD Assessment Methodology SPRS weight (48 × 5pt, 15 × 3pt, 47 × 1pt), status dropdowns, and per-family summary formulas.
- SPRS Score Calculator — auto-calculates the score from the tracker using a SUMPRODUCT deduction formula (starts at 110). Returns PERFECT / STRONG / BELOW POA&M THRESHOLD / DEEP DEFICIT based on score bands.
- SSP Builder — 18-section System Security Plan template matching DoD format expectations.
- POA&M Tracker — with "cannot POA&M" guidance (some practices cannot be deferred) and 180-day close-out requirements.
- Evidence Register — 46 evidence items mapped to specific practices and families.
- C3PAO Readiness — 18-point pre-assessment checklist, selection criteria, and the capacity crisis callout (C3PAO backlog is real — book early).
- Flowdown Management — subcontractor registry, key DFARS clauses (252.204-7012, 7019, 7020, 7021), MSP guidance.
User Guide (28 pages, 14 sections): 2026 phased rollout reality, FCI vs CUI determination, why self-assessment is rarely safe at Level 2, CUI enclave strategy, working the 110 controls, SPRS scoring mechanics, SSP/POA&M discipline, C3PAO selection and engagement, flowdown in both directions, MSP/MSSP considerations, 12 common pitfalls, execution timeline.
What's included
- Excel (.xlsx) — fully editable
- Word (.docx) — User Guide — fully editable
- Instant download after purchase
- Free updates — re-download when we release new versions
- Practitioner License: unlimited client use (vCISO / MSP)