Skip to content
Learn
Get help ↗

Foundations · Topic 03

Timeline.

When CMMC requirements take effect and the four-phase rollout schedule.

Timeline

CMMC is already in DoD contracts. Phase 1 began on 10 November 2025 when the DFARS acquisition rule took effect. Phase 2 — when third-party Level 2 certification becomes the default for CUI contracts — begins on 10 November 2026.

The two foundation rules

Section titled “The two foundation rules”

32 CFR Part 170 — the CMMC Program Rule. Defines the levels, the scoring methodology, the assessment process, and the rules for affirmations and POA&Ms. Published in the Federal Register on 15 October 2024, effective 16 December 2024. The rule itself doesn’t put CMMC into contracts — it defines the program.

48 CFR (DFARS Part 204) — the Acquisition Rule. This is what flows CMMC into actual contracts via clauses DFARS 252.204-7021 (the binding CMMC certificate clause) and DFARS 252.204-7025 (notice of CMMC requirements in solicitations). Final rule published 9 September 2025, effective 10 November 2025.

The four phases

Section titled “The four phases”

The schedule is locked in 32 CFR § 170.3(e) and DFARS 204.7503. It runs over three years.

PhaseWindowWhat it changes
Phase 110 Nov 2025 — 9 Nov 2026Level 1 / Level 2 self-assessment as a condition of contract award. DoD has discretion to require Level 2 (C3PAO) on selected contracts.
Phase 210 Nov 2026 — 9 Nov 2027Level 2 (C3PAO) becomes the default for contracts requiring CUI safeguarding. DoD has discretion to require Level 3 (DIBCAC) on high-priority programs.
Phase 310 Nov 2027 — 9 Nov 2028Level 2 (C3PAO) requirement extends to option-period exercises on existing contracts. Level 3 (DIBCAC) requirements expand.
Phase 410 Nov 2028 onwardsFull implementation. CMMC requirements appear in all applicable DoD contracts (excluding solely COTS-item contracts).

What Phase 2 means in practice

Section titled “What Phase 2 means in practice”

Starting 10 November 2026, contracting officers will require third-party-certified Level 2 status by default for contracts involving CUI. An independent C3PAO must formally verify that you actually meet all 110 NIST SP 800-171 Rev 2 controls. A self-assessed score in SPRS is no longer enough.

The DoD has estimated more than 76,000 organisations need Level 2 (C3PAO) certification. As of early 2026, fewer than 1,100 had completed it. Assessment slot scarcity is real — not theoretical.

What contractors are doing now

Section titled “What contractors are doing now”

For organisations preparing through Phase 1:

  • The 110 requirements have been contractually required under DFARS 252.204-7012 since 2017 — CMMC adds the verification mechanism, not new technical requirements.
  • Companies already submitting NIST 800-171 self-assessment scores to SPRS are doing the same work CMMC measures. The difference under Phase 2 is that a C3PAO will verify it independently.
  • A self-assessed Phase 1 score remains valid for Phase 1 contract awards. It will not satisfy a Phase 2 contract requiring Level 2 (C3PAO).

The clauses to watch in your solicitations: DFARS 252.204-7021 (the binding CMMC certificate requirement) and DFARS 252.204-7025 (the notice clause that tells you which CMMC level a solicitation requires).