CMMC Timeline: Key Dates and Milestones

Last updated February 10, 2026

Here is your definitive CMMC timeline — highlighting the major rule-making, contract clause dates and rollout phases that contractors must track for the Cybersecurity Maturity Model Certification (CMMC) program.

On October 15th 2024, the DoD established a final ruling that began to put CMMC requirements into contracts and renewals as early as the first quarter of 2025. This is an important step towards tightening cybersecurity standards for contractors working with the DoD (Department of War). The program introduces a streamlined model with three levels of CMMC compliance, each with different requirements based on the sensitivity of information in question.

Read the full release from the DoD with everything you need to know. (link opens new website).
Read about the phased implementation of CMMC requirements from the DoW. (link opens new website)

CMMC Implementation Timeline for Contractors

DATE

CMMC Status

What this means for you

October 2024

The CMMC Final Rule was published to the Federal Register.

CMMC will validate compliance through independent assessments conducted by C3PAOs.

December 2024

The CMMC Final Rule (32 CFR) became effective.

CMMC C3PAO assessments began.

Early 2025 

Third-party assessments for CMMC Level 2 began

Mid 2025

CMMC language began appearing in contracts with the introduction of Title 48 into DFARS.

CMMC compliance and a valid assessment became a requirement on some DoD contracts.

September 2025

The DoD published the CMMC Acquisition Rule (48 CFR) in the Federal Register.

November 10, 2025

On November 10, 2025, the Department of Defense’s (DoD) final rule for the Cybersecurity Maturity Model Certification (CMMC) program officially went into effect. The 3-year phased rollout of CMMC requirements into new defense contracts and solicitations began. 

Enforcement of CMMC requirements for contractors handling FCI (Federal Contract Information which is information-related to the protection of critical infrastructure (CI)) and CUI (Controlled Unclassified Information) began in new DoD solicitations.

As of November 10, 2025, new DoD solicitations began including CMMC requirements that will phase in over the next few years.

Phase 1: November 10, 2025 – Level 1 & 2 self-assessments

  • Level 1 self-assessments were required for contracts involving Federal Contract Information (FCI).
  • Level 2 third-party certification assessments started being inserted into select contracts involving sensitive CUI.

The DoD has the discretion to require a C3PAO (third-party certification assessment) for certain Level 2 contracts even during this phase. Let our talented team of RP’s help get your organization to reach Level 1 with our CMMC LevelUp process

November 10, 2026

CMMC Phase 2 Implementation – Solicitations will require Level 2 Certification. Note, the DoD may opt to delay the Level 2 certification requirement in a contract to an option period.

Phase 2: November 10, 2026 – Level 2 third-party certifications (C3PAO) required for new contracts. 

Let our talented team of RP’s help get your organization to Level 2 with our CMMC LevelUp process

November 10, 2027

CMMC Phase 3 Implementation – Starts on November 10, 2027 – Applicable solicitations will require Level 3 Certification. The DoD may opt to delay the Level 3 certification requirement in a contract to an option period

Phase 3: November 10, 2027 – Level 3 third-party certifications will be required for all new contracts unless delayed.

Let our talented team of RP’s help get your organization to Level 3 with our CMMC LevelUp process

November 10, 2028

CMMC Phase 4 Implementation – Beginning on November 10, 2028 – All solicitations and contracts will include applicable CMMC Level requirement as a condition of contract awards.

Phase 4: November 10, 2028 – Level 4 – all new and renewing contracts will have certification requirements.

Let our talented team of RP’s help get your organization to Level 4 with our CMMC LevelUp process

**Companies will need their assessment completed by award time, which should be Q1 of 2026. In 2027, all new contracts will have CMMC requirements. And in 2028, all contracts, including renewals will have CMMC requirements.

View PDF of the CMMC Implementation Timeline for Contractors

Ready to Level Up Your
Cybersecurity Compliance?
Contact CTI Today!

CTI Logo 40 Years

webcti.com/cmmc | (800) 606-6060 | info@webcti.com

FAQ: Common Questions About the CMMC Timeline

It began in 2024

It takes an average of 6 months.

Check our CMMC LevelUp process for details.

Most contractors will need to complete Level 1 or Level 2 requirements by 2026.

What the CMMC Timeline Means for You

If your organization handles Controlled Unclassified Information (CUI), the CMMC timeline means you’ll need to complete a Level 2 self-assessment before the November 2025 phase begins. Level 3 requirements will follow for prime contractors by 2028.

In summary:

  • The CMMC timeline begins in late 2024 with rulemaking.

  • Most contractors must complete Level 1 or 2 assessments by 2025–2026.

  • By 2028, all DoD contracts are expected to include CMMC requirements.

  • Preparing early reduces risk and ensures eligibility for future defense work.

Next Steps for Your CMMC Needs

As a Registered Provider Organization (RPO), our team at CTI has CMMC certified professionals to help support all your CMMC assessment needs. We have over 20 years of combined experience supporting DoD programs in information technology, information assurance, and cybersecurity. Contact us today to discuss more about your unique situation and how we can help!

Schedule a CMMC Readiness Consultation







    What is 1 + 2 ? Refresh icon

    More about CMMC 2.0 Compliance

    Complete Guide to CMMC 2.0 Certification

    CMMC 2.0 certification ensures that organizations meet the DoD’s strict cybersecurity requirements, and the introduction of three CMMC 2.0 levels makes it easier for contractors to understand and meet these needs. 
    Cyber AB CMMC Certification Registered Practitioner Organization RPO logo

    Choosing the Right Partner for CMMC 2.0: What is an RPO?

    Achieving CMMC compliance is a critical journey for contractors in the Defense Industrial Base (DIB). As we turn this corner of new security requirements, it’s ...
    LevelUP CMMC 2.0 Help Four Step Process

    CMMC 2.0 Help: Our Approach to Guide You Through the Process

    Navigating the complexities of CMMC 2.0 compliance can be overwhelming and even confusing. At CTI, we understand the challenges that you may face when approaching ...

    Share this:

    Are You Ready for CMMC Implementation?

    Take the Quiz