The CMMC Implementation Timeline

Update: 2025-09-10

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program is moving from planning to execution. With the Final CMMC Acquisition Rule now published, contractors across the Defense Industrial Base (DIB) must prepare for phased implementation beginning November 10, 2025. Understanding the timeline is critical for primes and subcontractors alike to avoid compliance gaps that could impact contract eligibility.

Phase 1: Initial Rollout (Nov 10, 2025 – Nov 10, 2026)

During this first year, solicitations may begin requiring CMMC Level 1 or Level 2 self-assessments. Contractors will enter their affirmation of compliance in the Supplier Performance Risk System (SPRS). At DoD’s discretion, some contracts may also require third-party assessments, even at this early stage. This is the period for companies to build compliance momentum and ensure self-assessments are accurate and defensible.

Phase 2: Expansion of Third-Party Assessments (2026 – 2027)

The second phase will see a growing reliance on third-party assessments for CMMC Level 2. Certified Third-Party Assessment Organizations (C3PAOs) will play a bigger role in verifying compliance, signaling that “trust but verify” is becoming the norm. Contractors handling Controlled Unclassified Information (CUI) should prioritize scheduling assessments early to avoid last-minute bottlenecks.

Phase 3: Advanced Assessments Begin (2027 – 2028)

By this phase, the Department of Defense will begin requiring Level 3 assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). These assessments focus on organizations supporting high-priority or sensitive missions, reflecting the government’s increased emphasis on safeguarding national security information. Certification requirements at this stage represent a significant escalation in scrutiny.

Phase 4: Full Implementation (Starting Nov 10, 2028)

At the four-year mark, CMMC reaches full implementation. All applicable DoD contracts will require compliance at the appropriate CMMC level as a condition of award. This means no contractor in the defense supply chain will be able to win new contracts without demonstrating valid certification.

Why the Timeline Matters

The phased rollout provides the DIB with time to adapt, but waiting until the last minute is risky. Companies that start early can spread costs, address gaps systematically, and avoid the assessment backlog expected in Phases 2 and 3. Most importantly, early preparation demonstrates a commitment to cybersecurity, which can serve as a competitive differentiator when pursuing DoD contracts.

Luis G. Batista C.P.M., CPSM
luis@cybercomply.us
Office: (305) 306-1800 Ext. 800
CAGE: 9QG33 UEI: K6UZHLE1WUA7
CyberComply CMMC GRC
A Product of Armada Cyber Defense
