CMMC stopped being a future problem on November 10, 2025, when the revised DFARS clause 252.204-7021 became effective and CMMC requirements began appearing in DoD contracts. It doesn't all switch on at once, though — it rolls out in four phases over three years. Here's the timeline in plain English, and what it means for a small contractor right now.
The four-phase rollout
| Phase | Begins | What it requires |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 and Level 2 self-assessments can be required in new contracts, at the program's discretion. |
| Phase 2 | Nov 10, 2026 | Level 2 C3PAO certification (third-party assessment) starts being required in select solicitations. |
| Phase 3 | Nov 10, 2027 | Adds Level 3 (DIBCAC) assessments for the most sensitive programs, alongside Level 2 C3PAO. |
| Phase 4 | Nov 10, 2028 | Full implementation — CMMC required on all applicable contracts involving FCI or CUI as a condition of award. |

The phases are cumulative: each one adds requirements on top of the last, and the DoD can include earlier-phase requirements sooner at its discretion.
How the requirement actually reaches you
You won't get a letter saying "you must be CMMC certified." Instead, the requirement shows up as the DFARS 252.204-7021 clause inside a solicitation, stating the CMMC level your contract requires. You must have the required level (self-assessed or certified, depending on phase and data) before contract award — not after. That's the deadline that matters: not a calendar date, but the next contract you want to win.
Which level are you?
- Handle only FCI (Federal Contract Information, not CUI)? You're likely Level 1 — an annual self-assessment.
- Handle CUI? You're Level 2 — most will need a C3PAO certification as Phase 2 ramps up, though a subset of lower-risk CUI contracts allow a Level 2 self-assessment.
- Work on the most sensitive programs? You may be Level 3, assessed by the government (DIBCAC).
Not sure which you handle? Start with asset scoping to identify whether CUI touches your systems at all.
A note on Rev 2 vs Rev 3
Through this rollout, SPRS scoring and CMMC assessment remain based on NIST SP 800-171 Revision 2 — the Department of War has not moved scoring to Revision 3. Build toward the Rev 2 requirements your assessment will actually use.
Don't wait for the deadline — find your gaps now
Readiness takes months, not weeks. See exactly where you stand against all 110 controls in about 10 minutes, free.
Calculate your SPRS score →
What to do now
- Scope your CUI. Figure out what data you handle and which systems touch it.
- Self-assess. Run the free SPRS calculator to get your score and your biggest gaps.
- Document. Start your System Security Plan and a POA&M — you need both whether you self-assess or hire a C3PAO.
- Remediate the high-impact gaps first — see the 5-point controls to fix first.
- Budget. Understand what CMMC costs so the spend isn't a surprise.
CMMC timeline — frequently asked
When did CMMC become effective?
November 10, 2025 — when the revised DFARS 252.204-7021 clause took effect and CMMC requirements began appearing in new DoD contracts.
When is CMMC mandatory on all contracts?
By Phase 4, beginning November 10, 2028, CMMC is required on all applicable contracts (except COTS-only) involving FCI or CUI, as a condition of award.
Do I need a C3PAO yet?
Phase 1 leans on self-assessments. Level 2 C3PAO certification requirements begin in Phase 2 (Nov 10, 2026). Your contract states what you need.
How long does it take to get ready?
Commonly 12–18 months for a small contractor with real gaps — which is why starting now matters more than the exact deadline.
Start where it's free
The timeline rewards early movers. Calculate your SPRS score to see your gaps, then draft your SSP — both free, both in your browser.