The Cybersecurity Maturity Model Certification program follows a four-phase implementation schedule established under 32 CFR Part 170, the program rule that became effective December 16, 2024, and DFARS 252.204-7021, the contract clause finalized September 10, 2025, and effective November 10, 2025. The CMMC timeline rolls out at twelve-month intervals, with each phase adding requirements that apply to new solicitations and contracts beginning on the phase date. Understanding which phase governs a contractor's certification requirements is the prerequisite to any meaningful planning around the timeline.
The phase dates apply to new solicitations and contracts issued on or after the effective date of the phase. Existing contracts issued before a phase date are not retroactively subject to the new phase requirements unless option periods are exercised after the phase date, in which case the option period exercise can trigger the applicable phase requirements. The mechanics of how phase requirements attach to a specific contract depend on the contract type, the option structure, and the determination of the program office responsible for the procurement.
The Four Phases at a Glance
| Phase | Effective Date | Primary Addition |
|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 self-assessment and Level 2 self-assessment requirements in new contracts; Level 2 third-party certification at DoD discretion |
| Phase 2 | November 10, 2026 | Level 2 third-party certification (C3PAO) becomes a standard requirement for applicable contracts |
| Phase 3 | November 10, 2027 | Level 3 third-party assessment by DIBCAC added; Level 2 certification required to exercise option periods on contracts awarded after the rule's effective date |
| Phase 4 | November 10, 2028 | Full implementation of CMMC requirements across all applicable DoD contracts |
The most consequential transition for the majority of contractors is Phase 2, which converts Level 2 third-party certification from a discretionary contract requirement into a standard one. The contractor population subject to Level 2 certification represents the largest single segment of the Defense Industrial Base, and the Phase 2 transition is the date these contractors must have C3PAO certification in hand or risk loss of contract eligibility on new awards.
Phase 1: November 10, 2025
Phase 1 became effective November 10, 2025, on the same date the DFARS 252.204-7021 contract clause became operative. Under Phase 1, the Department of Defense includes the requirement for CMMC Level 1 self-assessment or Level 2 self-assessment in applicable new solicitations and contracts as a condition of award. The Department also retains discretion under Phase 1 to include Level 2 third-party certification by a CMMC Third Party Assessment Organization (C3PAO) for select contracts, which means C3PAO certification can appear in Phase 1 solicitations even though it is not yet a default requirement.
The Phase 1 self-assessment requirement applies to contractors who handle Federal Contract Information (FCI) at Level 1 or Controlled Unclassified Information (CUI) at Level 2 self-assessment scope. Contractors must conduct the appropriate self-assessment, submit the resulting score to the Supplier Performance Risk System (SPRS), and provide an affirmation of continuous compliance from a designated affirming official. The affirmation is annual.
The discretionary inclusion of Level 2 C3PAO requirements in Phase 1 has practical consequences. Contractors whose contracts involve sensitive CUI or whose program offices determine that third-party certification is appropriate may face C3PAO requirements during Phase 1, ahead of the Phase 2 default date. A contractor who assumes C3PAO certification is not required until Phase 2 may be surprised by a Phase 1 solicitation that requires it earlier. The structural rule of CMMC compliance work is therefore not to time preparation against a single deadline, but to be prepared for the requirements that may apply at any point in the phased rollout.
Phase 2: November 10, 2026
Phase 2 becomes effective November 10, 2026, twelve months after the Phase 1 commencement. Phase 2 makes Level 2 third-party certification by a C3PAO a standard requirement for applicable solicitations and contracts. The Department continues to determine which specific contracts require Level 2 third-party assessment versus Level 2 self-assessment based on the nature of the CUI handled and the program office determination, but the Phase 2 transition makes third-party certification the default expectation for the substantial majority of Level 2 contracts.
For contractors whose business depends on contracts requiring Level 2 C3PAO certification, Phase 2 is the practical CMMC deadline by which certification must be in hand. A contractor who arrives at Phase 2 without a current Level 2 certification is ineligible to bid on or receive new awards on contracts requiring it. Existing contracts with self-assessment requirements remain subject to those requirements, but the contractor's competitive position on new awards depends on certification status.
Phase 2 is the transition that affects the largest single contractor population in the Defense Industrial Base. Department of Defense estimates suggest approximately 35 percent of contractors will be subject to Level 2 third-party certification requirements once the program is fully phased in. The Phase 2 date is the point at which those contractors must have completed the readiness work, scheduled and completed the C3PAO assessment, and received certification.
The Phase 2 transition also produces capacity pressure on the C3PAO market. The number of accredited C3PAOs is finite, and assessment capacity has tightened substantially as the Phase 2 date has approached. Contractors who attempt to schedule assessments close to or after the Phase 2 date frequently find available C3PAOs scheduling assessments out further than the contract timeline allows. The capacity dynamics are addressed in the firm's white paper at CMMC Assessment Capacity.
Phase 3: November 10, 2027
Phase 3 becomes effective November 10, 2027, twelve months after Phase 2. Phase 3 adds two requirements. First, Level 3 third-party assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) becomes a standard requirement for applicable solicitations involving the most sensitive CUI categories. Level 3 applies to a much smaller contractor population than Level 2, but the contractors subject to it face a more rigorous assessment standard incorporating selected requirements from NIST SP 800-172 in addition to the NIST SP 800-171 baseline.
Second, Phase 3 expands the conditions under which CMMC certification requirements apply to existing contracts. Contractors with contracts awarded after the rule's effective date face Level 2 certification requirements as a condition of exercising option periods on those contracts during Phase 3. This means a contractor who held a contract through Phases 1 and 2 without certification, but whose contract carried option periods extending into Phase 3, encounters certification requirements at the option exercise even though the original contract did not require certification.
For Level 2 contractors, Phase 3 effectively closes the window during which Level 2 self-assessment alone is sufficient for option period exercises on applicable contracts. The contractor's compliance posture must be at the C3PAO certification level by Phase 3 if the contractor relies on option period exercises to maintain contract continuity.
Phase 4: November 10, 2028
Phase 4 becomes effective November 10, 2028, completing the four-phase rollout three years after Phase 1 began. Phase 4 represents full implementation of CMMC requirements across all applicable DoD contracts. By this date, the certification requirements established under 32 CFR Part 170 apply uniformly across the contract universe within the program's scope, without the discretion or transitional provisions that governed earlier phases.
For contractors who have completed certification during Phases 1 through 3, Phase 4 is largely an administrative milestone. The substantive readiness work has been done, the certifications are in place, and the ongoing operational obligations of maintaining the controls and submitting annual affirmations continue under the framework already established. For contractors who have not yet completed certification by Phase 4, the date marks the point at which any contract within the framework's scope is gated on certification, with no remaining discretionary or transitional provisions to delay the requirement.
How the Timeline Affects Different Contractors
The timeline applies differently to contractors at different certification levels. The framework distinguishes between contractors handling Federal Contract Information at Level 1, contractors handling Controlled Unclassified Information at Level 2 self-assessment scope, contractors handling Controlled Unclassified Information at Level 2 third-party certification scope, and contractors handling the most sensitive CUI categories at Level 3.
| Certification Path | Phase 1 Status | Phase 2 Status | Phase 3 Status |
|---|---|---|---|
| Level 1 self-assessment | Required in applicable new contracts | Continues as Phase 1 | Continues as Phase 1 |
| Level 2 self-assessment | Required in applicable new contracts | Continues, with Phase 2 expansion of C3PAO requirements | Option period exercises require C3PAO certification |
| Level 2 C3PAO certification | At DoD discretion | Standard requirement for applicable contracts | Required for option period exercises on covered contracts |
| Level 3 DIBCAC assessment | Not yet required | Not yet required | Standard requirement for applicable contracts |
The contractor's specific path through the timeline depends on the certification level applicable to the contracts the contractor pursues. A contractor whose business is concentrated on Level 1 contracts faces a substantially less demanding timeline than a contractor whose business depends on Level 2 third-party certification. A contractor whose business spans multiple certification levels faces the timeline of the highest applicable level.
What the Timeline Means for Readiness Planning
Readiness work for CMMC certification typically requires twelve to eighteen months for a contractor starting from a baseline of NIST SP 800-171 implementation. Contractors starting from a lower baseline can require longer. The readiness timeline must accommodate scope reduction work, gap analysis against the 110 controls of NIST SP 800-171 Revision 2, control implementation, documentation development, and the pre-assessment review that confirms the contractor is ready for the formal C3PAO engagement. The structure of a readiness engagement is described at CMMC Consulting Services.
The C3PAO assessment itself adds time to the certification timeline. Available C3PAO capacity has tightened substantially as the Phase 2 date has approached, and contractors typically must schedule assessments several months in advance. Counting backward from a target certification date, the contractor needs to allow time for assessment scheduling, the assessment itself, and any remediation work that may be required between the assessment and the certification determination.
For contractors whose business depends on Phase 2 contracts, the practical implication of the CMMC timeline is that readiness work that has not yet started by mid-2026 is unlikely to produce certification in time for Phase 2 contracts that issue close to the November 10, 2026 transition. This is not a counsel of despair, since most contractors entering Phase 1 have time for orderly preparation if the readiness work begins immediately and proceeds on a structured schedule. But the available time has compressed, and the practical effect is that the contractors who will be most successful at the Phase 2 transition are those who are already substantively underway with their readiness work.