The November 10 Double Deadline: CMMC Phase 2 and the BIS 50% Rule Land on the Same Day
Two rules, written by two different agencies for two unrelated reasons, are scheduled to hit the same people on the same date. For defense contractors, November 10, 2026 is the day self-attestation ends and ownership screening expands — at once.
Most compliance crunches don't arrive as a single dramatic event. They arrive as a calendar collision — two obligations coming due in the same window, landing on the same small team. For the U.S. defense industrial base, that collision now has a date: November 10, 2026.
On that day, the cybersecurity rulebook and the export-control rulebook move at the same time. The Cybersecurity Maturity Model Certification (CMMC) program enters Phase 2, and the Bureau of Industry and Security's (BIS) “Affiliates Rule” — the 50% rule for export controls — is scheduled to come back into force after a one-year suspension. They have nothing to do with each other on paper. They have everything to do with each other in practice, because they land on the same contractor, often the same person.
The short version
Starting November 10, 2026, most CUI contracts require a third-party CMMC Level 2 certification (self-attestation ends), and — on the same date — export-control restrictions are scheduled to extend automatically to companies that are 50%+ owned by listed parties. Both reward the work you do before the date, not after.
Deadline one: CMMC Phase 2 ends the self-attestation era
CMMC is how the Department of Defense verifies that contractors actually protect the government information they handle. The program is established under 32 CFR Part 170, and the contractual hook — the clause a contracting officer puts in a solicitation — is DFARS 252.204-7021. The acquisition rule that lets officers require a CMMC level took effect November 10, 2025, and the rollout is phased.
Phase 2 begins November 10, 2026. The change that matters: for most contracts involving Controlled Unclassified Information (CUI), a Level 2 assessment by an accredited third party — a Certified Third-Party Assessment Organization, or C3PAO — becomes a condition of award. The self-attestation many contractors have leaned on is no longer enough for that work.
The capacity math is the real deadline
DoD estimates roughly 80,000 contractors will ultimately need a Level 2 C3PAO certification. Yet the department's own rule projects assessment throughput ramping slowly — on the order of 135 assessments in year one, about 673 in year two, 2,252 in year three, and 4,452 in year four. A typical contractor needs 6–12 months just to become assessment-ready, and accredited assessors are finite. The queue, not the audit, is what catches people.
Here is where this stops being an IT problem. CMMC Level 2 is built on NIST SP 800-171, and one of its control families is Physical Protection (PE): escort and monitor visitors, maintain physical access logs, and control who can reach the systems and areas where CUI lives. Assessors do not accept “we have a policy.” They ask for the evidence. A spiral notebook at the front desk is one of the quiet places an otherwise-ready program loses points.
Where SecurePoint fits: our visitor platform generates the time-stamped access logs, escort records, and audit trail that support the NIST 800-171 Physical Protection and Audit & Accountability control families. That is evidence for an assessor — it is not, and we never claim it to be, a CMMC certification.
Deadline two: the BIS 50% Rule makes ownership the new screen
The second clock is export controls. In September 2025, BIS published the Affiliates Rule (an interim final rule at 90 FR 47201). It extends the restrictions that apply to a listed party — on the Entity List, the Military End-User List, or certain Specially Designated Nationals — to any foreign entity that is 50% or more owned, directly or indirectly, individually or in aggregate, by those listed parties. The affiliate is restricted even though it is not, itself, named on any list.
Important and easy to get wrong: the Affiliates Rule is not in force today. BIS stayed it for one year — November 10, 2025 through November 9, 2026 — as part of a U.S.–China understanding, and the rule's own instructions are scheduled to reimpose it effective November 10, 2026. It could be amended, delayed, or extended before then. Plan for its return; don't assume it's the law today.
When it does return, a clean name-against-the-list check stops being sufficient for an export transaction. You have to resolve ownership. BIS paired the rule with a know-your-customer red flag: if you have reason to know a foreign party has a listed owner, you have an affirmative duty to determine the ownership percentage — and if you can't, to seek a license. Because these affiliates are never individually listed, the Consolidated Screening List is expressly not an exhaustive answer.
None of this is conceptually new to anyone who screens for sanctions: OFAC's 50% rule has long blocked entities owned 50%+ by blocked persons. The BIS rule pulls export controls in the same direction — toward ownership resolution — which means one capability can serve both regimes.
Where SecurePoint fits: our screening flags potential 50%-rule ownership matches for human review and records the list version, the result, and the disposition. The determination — and the legal obligation — stays with you; the tool makes reasonable care provable.
Why one date plus one team is the actual risk
A large prime can absorb two simultaneous regulatory changes with two different departments. The mid-size and small contractors that make up most of the defense industrial base cannot. At those companies, the person chasing a C3PAO assessment slot is frequently the same person who owns vendor screening, visitor access, and the audit file. Two regulatory clocks, one understaffed function, one date.
Treated as two separate fire drills, this is a brutal fall. Treated as one posture — prove who gets access, prove who you do business with, and keep the evidence — it is a single program with two outputs. The contractors who come out ahead will be the ones who stopped seeing “physical security” and “export screening” as different problems months before November.
Two rules, side by side
- Agency
- Department of Defense (32 CFR 170 / DFARS 252.204-7021)
- What changes Nov 10, 2026
- Third-party C3PAO Level 2 certification becomes a condition of award for CUI work
- Status
- Phased rollout already underway
- Control SecurePoint supports
- NIST 800-171 Physical Protection (visitor access evidence, audit trail)
- Agency
- Bureau of Industry and Security (EAR, 90 FR 47201)
- What changes Nov 10, 2026
- Restrictions extend automatically to 50%+ owned affiliates of listed parties
- Status
- Suspended through Nov 9, 2026 — reimposition scheduled, not guaranteed
- Control SecurePoint supports
- Ownership-aware screening; flags potential 50%-rule matches for review
What to do in the next five months
Scope your CUI and start the CMMC gap assessment now — then get in a C3PAO queue. The wait is the constraint, not the assessment itself.
Make physical-access evidence audit-ready: visitor logs, escort records, and access decisions mapped to the NIST 800-171 PE controls.
Inventory suppliers and vendors and stand up ownership-resolution screening before the BIS date — don’t wait to see whether the rule sticks.
Re-screen continuously. Lists and ownership change; a one-time check is not reasonable care.
Keep timestamped records of every screen, access decision, and disposition. Reasonable care is something you prove, not something you assert.
Frequently asked questions
Primary sources
- CMMC Program — 32 CFR Part 170 (Federal Register)
- DFARS 252.204-7021 (Acquisition.gov)
- One-Year Suspension of the Affiliates Rule (Federal Register)
- BIS — Bureau of Industry and Security
- NIST SP 800-171 Rev. 3
Effective dates and rule status change. Verify the current status of any rule against the issuing agency before relying on it. This article is educational and is not legal advice.
One posture for both deadlines
Prove who gets access, prove who you do business with, and keep the evidence — in one place. See how SecurePoint USA supports visitor access controls and ownership-aware screening for defense contractors.
