CMMC Implementation Timeline

The four-phase CMMC rollout from November 2025 through November 2028, including what each phase requires for Level 1, Level 2, and Level 3 contractors.

CMMC rulemaking timeline

CMMC's path to enforcement involved two separate rulemakings:

  • CMMC Program Rule (32 CFR Part 170) — published in the Federal Register on October 15, 2024, and effective December 16, 2024. This rule established the CMMC program structure, assessment requirements, and certification processes.
  • DFARS Rule (48 CFR) — published on September 10, 2025, and effective November 10, 2025. This rule amended the Defense Federal Acquisition Regulation Supplement to incorporate CMMC requirements into actual DoD contracts.

The DFARS rule is what triggers enforcement. Without it, CMMC existed as a program but could not be contractually required. With the DFARS rule in effect, the DoD can now include CMMC level requirements as conditions of contract award.

The four phases

The DFARS rule implements CMMC through a phased approach that gradually expands requirements over four years.

Phase 1 — November 10, 2025 to November 9, 2026

Status: Active now

Phase 1 introduces CMMC requirements into select DoD solicitations and contracts:

  • Level 1 self-assessments may be required as a condition of award for contracts involving FCI
  • Level 2 self-assessments may be required as a condition of award for contracts involving CUI
  • Level 2 C3PAO assessments may be required at the DoD's discretion for a limited number of contracts involving more sensitive CUI
  • The DoD has discretion over which solicitations include CMMC requirements during this phase

What this means for contractors:

  • If your contract is selected for CMMC requirements, you must have a valid self-assessment score in SPRS before contract award
  • Begin preparing now even if your current contracts do not yet require CMMC — new solicitations and recompetes will increasingly include requirements
  • Organizations that have been maintaining NIST SP 800-171 compliance and submitting SPRS scores are well positioned

Phase 2 — November 10, 2026 to November 9, 2027

Phase 2 broadens CMMC requirements:

  • Level 2 C3PAO assessments become more widely required. Contracts involving CUI that were previously eligible for self-assessment may now require third-party certification.
  • Level 3 DIBCAC assessments may be required at the DoD's discretion for a limited number of the most sensitive programs
  • The scope of solicitations including CMMC requirements expands significantly

What this means for contractors:

  • Organizations handling CUI should plan for C3PAO assessment timelines. Engaging a C3PAO early is critical — the pool of accredited assessors will be stretched.
  • C3PAO assessments typically require two to six months of preparation plus the assessment itself
  • Budget for assessment costs, which typically range from $50,000 to $150,000+ depending on scope

Phase 3 — November 10, 2027 to November 9, 2028

Phase 3 adds Level 3 requirements broadly:

  • Level 2 C3PAO assessments continue expanding across applicable contracts
  • Level 3 DIBCAC assessments become more widely required for contracts involving the most sensitive CUI and critical programs
  • Most new DoD solicitations involving FCI or CUI will include CMMC requirements

What this means for contractors:

  • Organizations on the most sensitive programs should already be preparing for Level 3
  • Level 3 requires a valid Level 2 C3PAO certification as a prerequisite, so the certification chain must be planned well in advance

Phase 4 — November 10, 2028 onward

Phase 4 represents full implementation:

  • All DoD contracts that require the processing, storage, or transmission of FCI or CUI must include the appropriate CMMC level as a condition of award
  • No exceptions or discretionary application — CMMC is a universal contract requirement for covered information
  • Option periods and extensions on existing contracts will also incorporate CMMC requirements

What this means for contractors:

  • By Phase 4, any organization without the appropriate CMMC certification will be ineligible for DoD contract awards involving FCI or CUI
  • This is the hard deadline. Organizations that have not achieved certification by this point will lose the ability to compete for affected contracts.

Key dates summary

Date                 Milestone
October 15, 2024     CMMC Program Rule published
December 16, 2024    CMMC Program Rule effective
September 10, 2025   DFARS Rule published
November 10, 2025    Phase 1 begins — CMMC in select contracts
November 10, 2026    Phase 2 begins — C3PAO requirements expand
November 10, 2027    Phase 3 begins — Level 3 requirements expand
November 10, 2028    Phase 4 begins — full CMMC enforcement

Why you should not wait

Although full enforcement is phased, several factors make early action critical:

  1. C3PAO availability — the number of accredited C3PAOs is limited and growing slowly. As Phase 2 approaches, demand for assessments will spike, and wait times will increase.
  2. Remediation takes time — closing gaps in 110 NIST SP 800-171 requirements is not a quick project. Most organizations need 6 to 18 months of sustained effort.
  3. Contract competitiveness — DoD agencies can add CMMC requirements to any solicitation at their discretion even during Phase 1. Organizations that are already certified will have a competitive advantage.
  4. Subcontract flow-down — prime contractors are increasingly requiring CMMC readiness from their subcontractors ahead of the DFARS timeline to reduce their own supply chain risk.
  5. False Claims Act exposure — submitting inaccurate SPRS scores has already resulted in enforcement actions under the False Claims Act. The stakes of self-attestation are real.

How episki helps

episki gives your team a real-time view of where you stand against each phase's requirements. The platform tracks your SPRS score, monitors POA&M remediation progress, and alerts you when assessment deadlines approach. As phases shift and requirements expand, episki updates your workspace to reflect the new obligations — so you are never caught off guard. Start a free trial to see your phase readiness today.
