CMMC 2.0 Timeline: Phase-by-Phase Rollout from 2025 to 2028
The CMMC 2.0 rule (48 CFR) implements a four-phase rollout over three years. Phase 1 is already live. Here is what each phase means for your compliance timeline and budget.
Live NowNovember 2025
Phase 1: Self-Assessment Requirements
- Level 1 self-assessments required in new solicitations for FCI-handling contracts
- Level 2 self-assessments required in new solicitations for CUI-handling contracts
- SPRS score submission required at time of contract award
- Level 3 self-assessment requirements begin for select programs
7 Months AwayNovember 2026
Phase 2: Mandatory C3PAO Certification
- Mandatory C3PAO assessment for Level 2 in new solicitations
- Self-assessment alone is no longer sufficient for Level 2 on new contracts
- Level 3 DIBCAC requirements begin for designated programs
- Existing contracts awarded under Phase 1 rules continue under self-assessment until recompete
If you handle CUI and plan to bid on new DoD contracts after November 2026, you need C3PAO certification. With a 6 to 12 month assessment backlog, scheduling must happen now.
2027November 2027
Phase 3: Option Exercises and Level 3
- C3PAO certification required for Level 2 option year exercises (not just new contracts)
- Full Level 3 DIBCAC requirements for all designated programs
- Subcontractors handling CUI must demonstrate Level 2 C3PAO certification
2028November 2028
Phase 4: Full Applicability
- CMMC requirements apply to all DoD contracts, including existing ones
- No exceptions for legacy contracts without CMMC clauses
- All prime contractors and subcontractors must hold appropriate CMMC certification
Preparation Timeline by Level
| Phase | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Gap Assessment | 1 - 2 weeks | 1 - 3 months | 2 - 4 months |
| Remediation | 2 - 8 weeks | 3 - 12 months | 12 - 24 months |
| Documentation (SSP) | 1 - 2 weeks | 2 - 4 months | 3 - 6 months |
| Assessment Scheduling | N/A | 6 - 12 months | Govt scheduled |
| Assessment Duration | 1 day (self) | 1 - 4 weeks | 2 - 6 months |
| Total | 2 - 5 months | 9 - 20 months | 24 - 48 months |
Preparation Checklist
Now (0 - 3 months)
- Determine your required CMMC level from contract requirements
- Conduct a gap assessment against NIST 800-171 (Level 2) or FAR 52.204-21 (Level 1)
- Budget for remediation, tools, and assessment fees
- Begin C3PAO selection and scheduling if Level 2 is required
Months 3 - 6
- Begin remediation of critical gaps (MFA, SIEM, EDR)
- Develop or update your System Security Plan (SSP)
- Implement required policies and procedures
- Start employee security awareness training
Months 6 - 12
- Complete technical remediation
- Finalize SSP and evidence packages
- Conduct internal mock assessment
- Document POA&M items if needed
- Confirm C3PAO assessment date
Months 12 - 18
- C3PAO pre-assessment review (if offered)
- Formal C3PAO assessment
- Address any conditional findings within 180 days
- Submit SPRS score and CMMC certification status
Frequently Asked Questions
When does CMMC become mandatory?
CMMC is already partially mandatory. Phase 1 went live in November 2025, requiring Level 1 and Level 2 self-assessments in new solicitations. Phase 2 (November 2026) makes C3PAO certification mandatory for Level 2. Phase 3 (November 2027) extends requirements to contract option exercises. Phase 4 (November 2028) applies CMMC to all DoD contracts.
What if my contract does not mention CMMC yet?
CMMC requirements are being phased into new solicitations and contract modifications. Even if your current contract does not mention CMMC, future recompetes, option exercises, and new bids will require it. Starting preparation now gives you a competitive advantage. By Phase 4 (November 2028), all DoD contracts will require CMMC.
How long should I budget for CMMC preparation?
Level 1: 2 to 5 months. Level 2: 9 to 20 months (including a 6 to 12 month C3PAO scheduling backlog). Level 3: 24 to 48 months. With Phase 2 only 7 months away, organizations needing Level 2 C3PAO certification should already be deep into remediation. If you have not started, consider a Level 2 self-assessment first while working toward C3PAO readiness.