CMMC compliance is becoming a contract requirement for Department of Defense (DoD) contractors—and the timeline is approaching faster than many organizations expect. While most DoD contracts today still require compliance with DFARS 252.204-7012 and NIST SP 800-171, upcoming awards may require formal certification under the Cybersecurity Maturity Model Certification (CMMC) framework.
With the phased CMMC implementation beginning November 10, 2025, certification requirements will be introduced through contract clauses rather than blanket enforcement. As a result, small and mid-sized defense contractors must begin planning for CMMC compliance now to avoid delays, lost opportunities, or disqualification once certification becomes a condition of award.
How Soon Will CMMC Compliance Be Required?
CMMC compliance is being phased into Department of Defense contracts rather than enforced all at once. The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s unified cybersecurity framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). While CMMC requirements do not yet appear in every contract, that is changing as new solicitations are issued under the Final Rule.
Under the current CMMC implementation timeline:
- The DoD began including CMMC requirements in select solicitations and contracts starting November 10, 2025 (Phase 1).
- Enforcement will scale over four phases across three years, reaching full implementation by November 10, 2028.
- Once a CMMC clause is included in a contract, contractors must meet the specified CMMC level and assessment type, either self-assessment or third-party assessment by a C3PAO, as a condition of award and, where applicable, contract option exercise.
CMMC policy is centrally managed at the DoD level, including oversight from OUSD(A&S) and the DoD CIO. Official requirements and timelines are defined in the CMMC Program Rule (32 CFR Part 170) and implemented through DFARS clauses 252.204-7021 and 252.204-7025.
Understanding the CMMC Compliance Rollout Timeline
Earlier projections from 2020–2021 referenced CMMC adoption based on prime acquisition targets. Those projections are now outdated. Under CMMC 2.0, rollout is governed by a formal four-phase implementation plan tied directly to the final DFARS rule, not annual acquisition quotas.
This phased approach defines when CMMC compliance requirements begin appearing in DoD solicitations and contracts, and how assessment expectations increase over time.
2025–2028 CMMC Phased Implementation Overview
| Phase | Start Date | Expected Milestone |
|---|---|---|
| Phase 1 | Nov 10, 2025 | CMMC Level 1 and Level 2 self-assessment requirements begin appearing in applicable solicitations and contracts. In limited cases, the DoD may require Level 2 C3PAO assessments. |
| Phase 2 | Nov 10, 2026 | Phase 1 requirements continue, with expanded use of Level 2 C3PAO certification as a condition of award for applicable contracts. |
| Phase 3 | Nov 10, 2027 | Phase 1 and 2 requirements continue, plus introduction of Level 3 government-led assessments and broader use of Level 2 C3PAO certification for both contract awards and option periods. |
| Phase 4 | Nov 10, 2028 | Full implementation of CMMC compliance requirements across applicable DoD solicitations and contracts, including option periods. |
While exact applicability depends on contract language and acquisition decisions, contractors should expect increasing CMMC compliance requirements beginning in 2026, with full enforcement by 2028.
Which CMMC Compliance Level Will Most Contractors Need?
Many earlier sources referenced “CMMC Maturity Level 3” as the expected requirement for most defense contractors. Under CMMC 2.0, that assumption is no longer accurate.
CMMC has been streamlined into three levels, each aligned to the type of information an organization handles and the associated risk profile:
- CMMC Level 1
  Includes 17 basic safeguarding requirements derived from FAR 52.204-21.
  Applies to organizations that handle Federal Contract Information (FCI) only.
- CMMC Level 2
  Includes 110 security requirements from NIST SP 800-171 Rev. 2, as incorporated into the CMMC Program.
  Applies to organizations that process, store, or transmit Controlled Unclassified Information (CUI).
- CMMC Level 3
  Includes 24 selected requirements from NIST SP 800-172, in addition to all Level 2 controls.
  Reserved for high-criticality programs facing elevated risk from Advanced Persistent Threats (APTs).
For most small and mid-sized defense contractors, CMMC Level 2 compliance will be required if the organization handles CUI.
Level 3 is expected to apply only to a narrow subset of contracts tied to national security priorities.
If your organization handles CUI today, or anticipates doing so in the future, CMMC Level 2 should be your planning baseline.
Timeline for Implementing CMMC Level 2 Compliance
For contractors already working toward NIST SP 800-171 compliance, achieving CMMC Level 2 compliance is typically an extension of existing efforts, not a completely new program.
CMMC Level 2 requires:
- All 110 security requirements from NIST SP 800-171 Rev. 2
- A complete and accurate System Security Plan (SSP) documenting current controls
- A Plan of Action & Milestones (POA&M) where permitted under the final rule
- Repeatable evidence showing that controls are implemented and operating as intended
Because CMMC requirements are being phased into DoD contracts, organizations that begin preparing before receiving their first CMMC-tagged solicitation will be in a significantly stronger position to meet certification requirements and avoid delays or missed opportunities.
Timeline for CMMC Assessment and Certification
While the availability of assessors has improved since 2021, assessment capacity remains limited. Understanding when and how your organization will be assessed is critical for CMMC compliance planning.
Updated CMMC assessment expectations:
- Level 2 – Third-Party Assessments (C3PAO)
  - Required for prioritized acquisitions
  - Performed by a Certified Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB
  - Certification validity: 3 years
- Level 2 – Self-Assessments
  - Allowed for non-prioritized CUI contracts, as designated by the DoD
  - Requires annual affirmation through the Supplier Performance Risk System (SPRS)
- Level 3 – Government Assessments
  - Conducted directly by DoD assessment teams for high-criticality programs
Because assessment demand will increase as CMMC phases into contracts, organizations that begin preparing early will avoid bottlenecks, delays, and potential disqualification from contract awards.
RSI Security’s Role in the CMMC Compliance Ecosystem
RSI Security is a recognized C3PAO by the Cyber AB, providing both advisory and assessment services structured to maintain independence and impartiality. While advisory and assessment services must remain separate, our team offers deep expertise to help contractors achieve CMMC compliance efficiently and effectively.
Our experience includes:
- Over a decade supporting NIST SP 800-171 compliance for defense contractors
- Hundreds of readiness assessments completed for small and mid-sized DoD Industrial Base (DIB) organizations
- Extensive knowledge of CMMC documentation, evidence preparation, and assessment processes
- The ability to support long-term cybersecurity governance and continuous improvement
All advisory and assessment services are delivered in full accordance with CMMC independence requirements, ensuring impartial guidance while helping your organization:
- Prepare accurate documentation
- Strengthen cybersecurity controls
- Be ready for certification before it becomes mandatory
By engaging RSI Security early, your organization positions itself to achieve CMMC compliance seamlessly and avoid delays or gaps in contract eligibility.