When does CMMC become mandatory?

CMMC is already in effect. The CMMC acquisition rule (48 CFR) took effect November 10, 2025, and the Department of War began including CMMC requirements in selected new contracts at that point. Requirements expand through a four-phase rollout that reaches full implementation on November 10, 2028.

What is the CMMC phased rollout timeline?

Phase 1 (from November 10, 2025): DoW may require Level 1 or Level 2 self-assessment on selected contracts. Phase 2 (from November 10, 2026): DoW may require Level 2 C3PAO certification. Phase 3 (from November 10, 2027): adds Level 2 C3PAO and Level 3 (DIBCAC) requirements. Phase 4 (from November 10, 2028): full implementation across applicable solicitations and contracts.

When do I need a C3PAO certification instead of a self-assessment?

Beginning in Phase 2 (November 10, 2026), the Department of War may require a passed Level 2 C3PAO certification assessment as a condition of award on applicable contracts involving CUI. During Phase 1, many Level 2 requirements can still be met by self-assessment, but contracts can specify certification at the contracting officer’s discretion.

How long does it take to get CMMC ready?

For most small and mid-sized contractors, reaching certification readiness takes several months to over a year — scoping, implementing controls, building the SSP and POA&M, and closing gaps — before scheduling a C3PAO assessment, which has limited capacity. Because lead time is long and assessor slots are constrained, contractors are advised to start well before a contract names the requirement.

CMMC DeadlineCMMC TimelinePhased Rollout

CMMC Deadlines 2026: When Does Your Contract Actually Require It?

By Glenn Ballard·CMMC Registered Practitioner·June 19, 2026·8 min read

The waiting is over: CMMC is no longer “coming.” The acquisition rule that puts CMMC into contracts — the 48 CFR rule — took effect on November 10, 2025, and the Department of War has been folding CMMC requirements into selected new contracts ever since. The real question is no longer whether it applies to you, but whenthe specific requirement — self-assessment, or a passed C3PAO certification — lands on a contract you want to win. Here is the phased timeline, and why the smart move is to be ready before your name is on the line.

The Four-Phase Rollout, Plainly

CMMC is being phased in over three years from the rule's effective date. Each phase widens what the Department of War can require as a condition of award:

Phase 1From Nov 10, 2025 (now)

DoW may require Level 1 or Level 2 self-assessment on selected new contracts and option exercises. Compliance is largely self-attested, but contracting officers can specify certification at their discretion.

Phase 2From Nov 10, 2026

DoW may require a passed Level 2 C3PAO certification— a third-party assessment — as a condition of award on applicable CUI contracts. This is the step most contractors underestimate.

Phase 3From Nov 10, 2027

Adds Level 2 C3PAO and Level 3 (DIBCAC-assessed) requirements for the most sensitive programs.

Phase 4From Nov 10, 2028

Full implementation— CMMC requirements apply across all applicable DoW solicitations and contracts.

Where That Leaves You in Mid-2026

As of this writing, we're in Phase 1 — and Phase 2 begins November 10, 2026, only months away. That date matters: it's when a passed certification (not just a self-assessment) can be required to win Level 2 work involving CUI. If your pipeline includes CUI contracts, the certification clock is effectively already running.

The trap is treating Phase 2 as a 2026 problem you can address in 2026. You can't. Certification readiness — scoping, implementing controls, building your SSP and POA&M, closing gaps — takes months to well over a year for most small and mid-sized contractors. Then you have to schedule a C3PAO assessment, and assessor capacity is limited. Starting when the solicitation drops is starting too late.

Why “Wait and See” Is the Expensive Option

Three forces make early readiness the rational choice, not the cautious one:

Lead time is long. The work to reach a defensible posture is measured in quarters, not weeks.
Assessor capacity is finite. A limited number of C3PAOs serve the entire Defense Industrial Base; the closer to a deadline, the longer the queue.
Enforcement is already active. Even during the phase-in, misrepresenting your posture carries real risk under the DOJ Civil Cyber-Fraud Initiative — see our guide on CMMC and the False Claims Act.

Contractors who start now turn CMMC from a threat into an advantage: when a CUI contract names certification, they're ready to bid while competitors are still scoping.

Start the Clock in Your Favor

You can't plan a timeline you haven't measured. The fastest way to know how far you are from Phase 2 readiness is an honest assessment against all 110 NIST SP 800-171 requirements — which is what the Dragonfli Group CMMC Accelerator delivers: an estimated SPRS score, a draft SSP and POA&M, and a prioritized gap plan, each reviewed by a CMMC Registered Practitioner. You'll know exactly what stands between you and certification — and how long it will take to close.

BEAT THE PHASE 2 RUSH

See how far you are from ready.

The free Pulse Check takes about 15 minutes and shows where you stand on your highest-risk CMMC requirements — no credit card, no sales call.

Start Free Pulse Check →

RELATED GUIDES

The Complete CMMC 2.0 Guide

Requirements, levels, and how to prepare →

How Much Does CMMC Cost?

Assessment, remediation, and C3PAO fees →