CMMC Timeline: Key Dates and Milestones

Last updated October 27, 2025

Here is your definitive CMMC timeline — highlighting the major rule-making, contract clause dates and rollout phases that contractors must track for the Cybersecurity Maturity Model Certification (CMMC) program.

On October 15, 2024, the DoD issued a final rule that began putting CMMC requirements into contracts and renewals as early as the first quarter of 2025. This is an important step toward tightening cybersecurity standards for contractors working with the DoW (Department of War). The program introduces a streamlined model with three levels of CMMC compliance, each with different requirements based on the sensitivity of the information in question.

Read the full release from the DoW with everything you need to know.

CMMC Implementation Timeline for Contractors

| Date | CMMC Status | What this means for you |
| --- | --- | --- |
| October 2024 | The CMMC Final Rule was published to the Federal Register. | CMMC will validate compliance through independent assessments conducted by C3PAOs. |
| December 2024 | The CMMC Final Rule (32 CFR) became effective. | CMMC C3PAO assessments began. |
| Early 2025 | Third-party assessments for CMMC Level 2 began. | |
| Mid 2025 | CMMC language began appearing in contracts with the introduction of Title 48 into DFARS. | CMMC compliance and a valid assessment became a requirement on some DoW contracts. |
| September 2025 | The DoW published the CMMC Acquisition Rule (48 CFR) in the Federal Register. | |
| November 2025 | On November 10, 2025, the Department of Defense’s (DoD) final rule for the Cybersecurity Maturity Model Certification (CMMC) program officially went into effect. The 3-year phased rollout of CMMC requirements into new defense contracts and solicitations began. | Enforcement of CMMC requirements for contractors handling FCI (Federal Contract Information, which is information related to the protection of critical infrastructure (CI)) and CUI (Controlled Unclassified Information) began in new DoW solicitations. |

As of November 10, 2025, new DoW solicitations began including CMMC requirements that will phase in over the next few years.

Phase 1: November 10, 2025 – Level 1 & 2 self-assessments

  • Level 1 self-assessments were required for contracts involving Federal Contract Information (FCI).
  • Level 2 third-party certification assessments started being inserted into select contracts involving sensitive CUI.

The DoD has the discretion to require a C3PAO (third-party certification assessment) for certain Level 2 contracts even during this phase. Let our talented team of RPs help your organization reach Level 1 with our CMMC LevelUp process.

Companies will need their assessment completed by award time, which should be Q1 of 2026. In 2027, all new contracts will have CMMC requirements. And in 2028, all contracts, including renewals, will have CMMC requirements.

FAQ: Common Questions About the CMMC Timeline

It began in 2024.

It takes an average of 6 months.

Check our CMMC LevelUp process for details.

Most contractors will need to complete Level 1 or Level 2 requirements by 2026.

What the CMMC Timeline Means for You

If your organization handles Controlled Unclassified Information (CUI), the CMMC timeline means you’ll need to complete a Level 2 self-assessment before the November 2025 phase begins. Level 3 requirements will follow for prime contractors by 2028.

In summary:

  • The CMMC timeline begins in late 2024 with rulemaking.

  • Most contractors must complete Level 1 or 2 assessments by 2025–2026.

  • By 2028, all DoD contracts are expected to include CMMC requirements.

  • Preparing early reduces risk and ensures eligibility for future defense work.

Next Steps for Your CMMC Needs

As a Registered Provider Organization (RPO), our team at CTI has CMMC certified professionals to help support all your CMMC assessment needs. We have over 20 years of combined experience supporting DoD programs in information technology, information assurance, and cybersecurity. Contact us today to discuss more about your unique situation and how we can help!

