What is CMMC compliance?

CMMC compliance refers to meeting the Cybersecurity Maturity Model Certification requirements set by the Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

When will CMMC compliance be required for DoD contracts?

CMMC compliance requirements are being phased in starting November 10, 2025, with full implementation across applicable contracts expected by November 10, 2028.

Which CMMC level do most contractors need?

Most small and mid-sized contractors handling Controlled Unclassified Information (CUI) will need CMMC Level 2 compliance. Level 3 is reserved for high-criticality programs tied to national security priorities.

What are the main CMMC Level 2 requirements?

CMMC Level 2 requires all 110 security requirements from NIST SP 800-171 Rev. 2, a complete System Security Plan (SSP), a Plan of Action & Milestones (POA&M) if allowed, and repeatable evidence demonstrating that controls are implemented and operating effectively.

How are CMMC assessments conducted?

Level 2 assessments may be self-assessments for non-prioritized contracts or third-party assessments by a C3PAO for prioritized acquisitions. Level 3 assessments are conducted by DoD assessment teams. Assessment demand is expected to increase as CMMC phases into contracts.

How can contractors prepare for CMMC compliance?

Contractors should start early by performing readiness assessments, preparing documentation, implementing required controls, and establishing repeatable evidence practices. Engaging expert advisory services, like those from RSI Security, can help ensure compliance ahead of contract requirements.

CMMC Implementation Timeline for Small to Medium DoD Contractors

RSI Security

3 months ago

CMMC compliance is becoming a contract requirement for Department of Defense (DoD) contractors—and the timeline is approaching faster than many organizations expect. While most DoD contracts today still require compliance with DFARS 252.204-7012 and NIST SP 800-171, upcoming awards may require formal certification under the Cybersecurity Maturity Model Certification (CMMC) framework.

With the phased CMMC implementation beginning November 10, 2025, certification requirements will be introduced through contract clauses rather than blanket enforcement. As a result, small and mid-sized defense contractors must begin planning for CMMC compliance now to avoid delays, lost opportunities, or disqualification once certification becomes a condition of award.

How Soon Will CMMC Compliance Be Required?

CMMC compliance is being phased into Department of Defense contracts rather than enforced all at once. The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s unified cybersecurity framework for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). While CMMC requirements do not yet appear in every contract, that is changing as new solicitations are issued under the Final Rule.

Under the current CMMC implementation timeline:

The DoD began including CMMC requirements in select solicitations and contracts starting November 10, 2025 (Phase 1).
Enforcement will scale over four phases across three years, reaching full implementation by November 10, 2028.
Once a CMMC clause is included in a contract, contractors must meet the specified CMMC level and assessment type, either self-assessment or third-party assessment by a C3PAO, as a condition of award and, where applicable, contract option exercise.

CMMC policy is centrally managed at the DoD level, including oversight from OUSD(A&S) and the DoD CIO. Official requirements and timelines are defined in the CMMC Program Rule (32 CFR Part 170) and implemented through DFARS clauses 252.204-7021 and 252.204-7025.

Understanding the CMMC Compliance Rollout Timeline

Earlier projections from 2020–2021 referenced CMMC adoption based on prime acquisition targets. Those projections are now outdated. Under CMMC 2.0, rollout is governed by a formal four-phase implementation plan tied directly to the final DFARS rule, not annual acquisition quotas.

This phased approach defines when CMMC compliance requirements begin appearing in DoD solicitations and contracts, and how assessment expectations increase over time.

2025–2028 CMMC Phased Implementation Overview

Phase	Start Date	Expected Milestone
Phase 1	Nov 10, 2025	CMMC Level 1 and Level 2 self-assessment requirements begin appearing in applicable solicitations and contracts. In limited cases, the DoD may require Level 2 C3PAO assessments.
Phase 2	Nov 10, 2026	Phase 1 requirements continue, with expanded use of Level 2 C3PAO certification as a condition of award for applicable contracts.
Phase 3	Nov 10, 2027	Phase 1 and 2 requirements continue, plus introduction of Level 3 government-led assessments and broader use of Level 2 C3PAO certification for both contract awards and option periods.
Phase 4	Nov 10, 2028	Full implementation of CMMC compliance requirements across applicable DoD solicitations and contracts, including option periods.

While exact applicability depends on contract language and acquisition decisions, contractors should expect increasing CMMC compliance requirements beginning in 2026, with full enforcement by 2028.

Which CMMC Compliance Level Will Most Contractors Need?

Many earlier sources referenced “CMMC Maturity Level 3” as the expected requirement for most defense contractors. Under CMMC 2.0, that assumption is no longer accurate.

CMMC has been streamlined into three levels, each aligned to the type of information an organization handles and the associated risk profile:

CMMC Level 1
Includes 17 basic safeguarding requirements derived from FAR 52.204-21.
Applies to organizations that handle Federal Contract Information (FCI) only.
CMMC Level 2
Includes 110 security requirements from NIST SP 800-171 Rev. 2, as incorporated into the CMMC Program.
Applies to organizations that process, store, or transmit Controlled Unclassified Information (CUI).
CMMC Level 3
Includes 24 selected requirements from NIST SP 800-172, in addition to all Level 2 controls.
Reserved for high-criticality programs facing elevated risk from Advanced Persistent Threats (APTs).

For most small and mid-sized defense contractors, CMMC Level 2 compliance will be required if the organization handles CUI.
Level 3 is expected to apply only to a narrow subset of contracts tied to national security priorities.

If your organization handles CUI today, or anticipates doing so in the future, CMMC Level 2 should be your planning baseline.

Timeline for Implementing CMMC Level 2 Compliance

For contractors already working toward NIST SP 800-171 compliance, achieving CMMC Level 2 compliance is typically an extension of existing efforts, not a completely new program.

CMMC Level 2 requires:

All 110 security requirements from NIST SP 800-171 Rev. 2
A complete and accurate System Security Plan (SSP) documenting current controls
A Plan of Action & Milestones (POA&M) where permitted under the final rule
Repeatable evidence showing that controls are implemented and operating as intended

Because CMMC requirements are being phased into DoD contracts, organizations that begin preparing before receiving their first CMMC-tagged solicitation will be in a significantly stronger position to meet certification requirements and avoid delays or missed opportunities.

Timeline for CMMC Assessment and Certification

While the availability of assessors has improved since 2021, assessment capacity remains limited. Understanding when and how your organization will be assessed is critical for CMMC compliance planning.

Updated CMMC assessment expectations:

Level 2 – Third-Party Assessments (C3PAO)
- Required for prioritized acquisitions
- Performed by a Certified Third-Party Assessment Organization (C3PAO) authorized by the Cyber AB
- Certification validity: 3 years
Level 2 – Self-Assessments
- Allowed for non-prioritized CUI contracts, as designated by the DoD
- Requires annual affirmation through the Supplier Performance Risk System (SPRS)
Level 3 – Government Assessments
- Conducted directly by DoD assessment teams for high-criticality programs

Because assessment demand will increase as CMMC phases into contracts, organizations that begin preparing early will avoid bottlenecks, delays, and potential disqualification from contract awards.

RSI Security’s Role in the CMMC Compliance Ecosystem

RSI Security is a recognized C3PAO by the Cyber AB, providing both advisory and assessment services structured to maintain independence and impartiality. While advisory and assessment services must remain separate, our team offers deep expertise to help contractors achieve CMMC compliance efficiently and effectively.

Our experience includes:

Over a decade supporting NIST SP 800-171 compliance for defense contractors
Hundreds of readiness assessments completed for small and mid-sized DoD Industrial Base (DIB) organizations
Extensive knowledge of CMMC documentation, evidence preparation, and assessment processes
The ability to support long-term cybersecurity governance and continuous improvement

All advisory and assessment services are delivered in full accordance with CMMC independence requirements, ensuring impartial guidance while helping your organization:

Prepare accurate documentation
Strengthen cybersecurity controls
Be ready for certification before it becomes mandatory

By engaging RSI Security early, your organization positions itself to achieve CMMC compliance seamlessly and avoid delays or gaps in contract eligibility.