Field Notes  ·  Road to November 10  ·  Field Note 01  ·  from the CyberAB May 2026 Town Hall

Earned Before the Assessor Arrives

The certification wave is real — and the work that decides it happens before anyone shows up to score it. What the CyberAB May 2026 Town Hall, and the first certification milestones, tell operators on the road to Phase 2.

What is finally at stake is simple: whether, on the day a contract is decided, your security posture is something you can show rather than something you promise. The CyberAB May 2026 Town Hall put the state of the program on the table plainly. Just shy of 1,400 Level 2 certificates have been issued to date — up fourteen percent over the prior month — with forty-seven more conditional and the assessor corps growing alongside: 104 authorized third-party assessment organizations (the C3PAOs authorized to conduct Level 2 certification assessments), nearly a thousand certified assessors, 562 of them now lead-qualified. One month is not a trend, and CyberAB was careful not to draw a straight line through it. But set even a single month's pace next to the program's own estimate of the field that will eventually need a Level 2 certification — on the order of seventy-six thousand companies — and the shape of the next eighteen months is hard to miss. The work to be done is enormous, and Phase 2 arrives on 10 November 2026, when Level 2 C3PAO status becomes a contracting gate for applicable solicitations and awards.

A milestone from the field puts the supply side in proportion. A service provider in this space recently marked its hundredth Level 2 engagement — a hundred customer companies it has guided through to certification. On its own it is one firm's account. Against the national total it is a useful signal: a single provider has had a hand in roughly seven percent of every final Level 2 certificate issued so far. The ability to prepare companies for certification sits in relatively few hands, even as the requirement widens to the whole base. (Those figures are the provider's own; we read them as a market signal, not as program data.)

Three things that experience confirms, and that the operators we work with are already feeling:

The clock, not the cost, is the binding constraint. The preparation timeline that used to run twelve to eighteen months is compressing — the first sub-six-month engagements are now being reported — but it compresses only for companies that started with their house in order. Readiness is earned before the assessor arrives, not during the assessment.

Early movers are rewarded in the only currency that matters. The pattern is consistent: companies that treated a Level 2 posture as a business decision rather than an IT project found doors opening — primes shortening their shortlists to the suppliers who can already show it. The certification did not create the capability; it made an existing capability legible to the people deciding contracts.

And certification is a starting line, not a finish line. The Town Hall spent its substance on what comes after the assessment — the annual affirmation a company files to attest its system still meets the standard, the discipline of change management, the careful scoping of outside service providers against the cloud-computing test in NIST SP 800-145, and keeping the system in the state it was certified in (the posture your score in the government's supplier system, SPRS, is supposed to reflect). This is the part that rewards operators who already run a real quality management system. Information security is not a parallel universe to your quality system; it is another discipline added to it, with NIST SP 800-171 as the standard that discipline answers to in the defense industrial base. The companies that struggle are the ones treating 10 November as a date to scramble toward. The ones that are ready treat it as the moment the work they already do becomes visible.

None of this is about a badge. It is about whether the system you certify on is the system you actually run the day after — because somewhere downstream, the warfighter is counting on it always being true.

That is the whole of it, and it is why the road to 10 November rewards the same thing the standard does: qualified capacity, demonstrated before it is asked for.

Readiness is earned in advance — and the first move is an honest read of where yours stands today. That is what the Qualified Capacity diagnostic is for: a clear picture of where your system sits against the standard, and what the work between here and November actually looks like. Start at qualifiedcapacity.com/diagnostic.

If it's not qualified, it's not capacity.™