CMMC Compliance Deadline: Phased Rollout Timeline and What to Expect

Understand the CMMC compliance deadline, phased rollout schedule, and 48 CFR rulemaking timeline. Learn why starting preparation now is critical for defense contractors.

Agency Team
The most common question we hear from defense contractors about CMMC is not about controls or documentation — it is about timing. When exactly do I need to be certified? The answer is more nuanced than a single date, and understanding the phased rollout is critical to planning your compliance investment.

CMMC does not have a single deadline that applies to every defense contractor simultaneously. Instead, the Department of Defense designed a phased implementation strategy that gradually increases requirements over several years. This approach is intended to give the defense industrial base time to prepare while building the C3PAO assessment ecosystem needed to evaluate tens of thousands of organizations.

However, the phased rollout creates a false sense of comfort for many contractors. The preparation timeline for CMMC Level 2 certification — typically 12 to 18 months — means that by the time CMMC requirements appear in your specific contract, it may be too late to start. This article explains the phased timeline, the regulatory mechanics driving it, and the practical urgency that defense contractors need to understand.

The CMMC Phased Rollout

The CMMC implementation follows a phased approach defined in the final rule (32 CFR Part 170), with each phase building on the previous one and triggered approximately one year after the preceding phase begins.

Phase 1: Self-Assessment Foundation

Phase 1 introduces the foundational CMMC requirements into DoD contracts:

  • CMMC Level 1 self-assessments — Contractors handling only Federal Contract Information (FCI) must complete and affirm a Level 1 self-assessment (17 basic practices)
  • CMMC Level 2 self-assessments — Contractors handling CUI on contracts designated for self-assessment (rather than C3PAO assessment) must complete and affirm a Level 2 self-assessment against all 110 NIST 800-171 controls
  • SPRS score submission — Contractors must submit their assessment results through the Supplier Performance Risk System

Phase 1 represents a formalization of existing self-attestation requirements. For organizations already self-assessing against NIST 800-171 and submitting SPRS scores, the operational impact is manageable. The key change is the formal affirmation requirement and the explicit linkage to contract eligibility.

Phase 2: Third-Party Assessment

Phase 2 fundamentally changes the compliance landscape. It is triggered approximately one year after Phase 1:

  • CMMC Level 2 C3PAO assessments required — Contracts involving CUI that require third-party certification (the majority of CUI-handling contracts) will require C3PAO assessment
  • Certification as a contract condition — Organizations must hold valid CMMC Level 2 certification to be eligible for contract award
  • Assessment results in SPRS — C3PAO assessment results are submitted to SPRS and factor into source selection

This is the phase where the self-attestation model gives way to independent verification. Organizations that have been self-reporting compliance without genuine implementation will face a reckoning.

Phase 3: Expert Level and Full Implementation

Phase 3 introduces the most demanding requirements, triggered approximately one year after Phase 2:

  • CMMC Level 3 requirements — Contracts protecting the most sensitive CUI and critical programs require Level 3 certification with government-led (DIBCAC) assessment
  • Full CMMC implementation — All three levels are active across the defense contracting ecosystem
  • Mature assessment ecosystem — C3PAO capacity has scaled to support the broader assessment demand

Level 3 applies to a relatively small number of contractors (estimated at approximately 500 organizations) working on the most sensitive defense programs.

Phase 4: Full Incorporation

Phase 4 represents full CMMC integration into the defense acquisition process:

  • All applicable DoD contracts include CMMC requirements — No new CUI-handling contracts are awarded without appropriate CMMC certification
  • Option periods and renewals — Existing contracts incorporate CMMC requirements at option exercise or renewal
  • Subcontractor flow-down — Full enforcement of CMMC requirements throughout the supply chain

The 48 CFR Rulemaking: The Real Trigger

Understanding the CMMC timeline requires understanding the distinction between two separate rulemakings:

32 CFR Part 170: The Program Rule

The 32 CFR rule, published as a final rule in October 2024, defines the CMMC program itself:

  • The three certification levels and their requirements
  • Assessment processes and methodologies
  • C3PAO accreditation standards
  • POA&M policies
  • Affirmation requirements

This rule establishes what CMMC is and how it works. It does not, by itself, place CMMC requirements into contracts.

48 CFR: The Acquisition Rule

The 48 CFR rulemaking is the acquisition regulation that actually inserts CMMC requirements into DoD solicitations and contracts. This rule creates the contractual mechanism — the DFARS clause — that makes CMMC certification a condition of contract award.

The 48 CFR rule is critical because CMMC does not appear in contracts until this rule is finalized and implemented. The phased timeline described above is triggered by the 48 CFR implementation, not the 32 CFR program rule.

Timeline Implications

The practical effect is that the CMMC implementation timeline depends on two regulatory actions:

Rulemaking | Status | Effect
32 CFR Part 170 | Final rule published October 2024 | Defines CMMC program, levels, and assessment requirements
48 CFR (DFARS) | Rulemaking in progress | Places CMMC requirements into solicitations and contracts
Phase 1 Start | Triggered by 48 CFR implementation | Self-assessment requirements in contracts
Phase 2 Start | ~1 year after Phase 1 | C3PAO assessment requirements in contracts
Phase 3 Start | ~1 year after Phase 2 | Level 3 requirements in contracts

Organizations should monitor the 48 CFR rulemaking progress closely, as it determines the actual date when CMMC requirements begin appearing in solicitations.

Why the Phased Timeline Creates a False Sense of Security

In our experience advising defense contractors, the phased rollout has an unintended consequence: it encourages procrastination. Organizations see a multi-year timeline and assume they have years to prepare. This is a dangerous miscalculation for several reasons.

Assessment Readiness Takes 12-18 Months

The time required to prepare for a CMMC Level 2 assessment is substantial:

Preparation Phase | Typical Duration
CUI environment scoping | 2-4 weeks
Gap assessment | 4-8 weeks
Remediation planning | 2-4 weeks
Technical remediation | 3-9 months
Documentation development | 2-4 months (concurrent with remediation)
Readiness review | 2-4 weeks
C3PAO scheduling and assessment | 2-4 months
Total | 12-18 months

Organizations with significant security gaps or complex environments may need even longer. The technical remediation phase alone can extend to a year or more if it requires major infrastructure changes, network re-architecture, or the deployment of new security platforms.

C3PAO Capacity Is Limited

The number of accredited C3PAOs is growing but still limited relative to the estimated 80,000+ organizations that will need Level 2 assessment. As CMMC requirements appear in contracts, demand for C3PAO services will spike. Organizations that wait until the last moment may face:

  • Extended scheduling lead times (3-6 months or more)
  • Higher assessment fees driven by supply-demand dynamics
  • Reduced flexibility in assessor selection

Contract Timelines Are Unpredictable

CMMC requirements will be incorporated into contracts on a rolling basis, not all at once. You may not know exactly when your specific contract will require CMMC certification until the solicitation is published. If you are not already certified or in the assessment pipeline at that point, you are at a competitive disadvantage against organizations that prepared earlier.

The Competitive Advantage of Early Certification

Organizations that achieve CMMC certification ahead of mandatory deadlines gain a significant competitive advantage:

  • Contract eligibility — You can bid on CMMC-requiring contracts immediately
  • Prime contractor preference — Primes building compliant supply chains prefer certified subcontractors
  • Negotiating leverage — Certified organizations demonstrate reliability and reduce prime contractor risk
  • Market differentiation — In a field of organizations scrambling to certify, early movers stand out

What This Means for Your Organization

If You Are Already NIST 800-171 Compliant

If your organization has genuinely implemented the 110 NIST 800-171 controls (not just self-reported a score), you are in a strong position. Your preparation focus should be on:

  1. Validating your implementation against CMMC assessment standards — not just self-assessment criteria
  2. Strengthening documentation, particularly your SSP and evidence artifacts
  3. Engaging a C3PAO to schedule your assessment early while availability is better
  4. Addressing any controls that are on POA&M, as CMMC has stricter POA&M requirements than self-assessment

If You Have Gaps in Your NIST 800-171 Implementation

If your SPRS score reflects known gaps, the urgency is even greater. Every month of delay in starting remediation is a month less available before CMMC requirements hit your contracts. We recommend:

  1. Conducting an honest gap assessment immediately — do not wait for a contract requirement
  2. Prioritizing remediation of controls that cannot be placed on POA&M under CMMC
  3. Developing a realistic remediation timeline with milestones and accountability
  4. Engaging advisory support if your internal team lacks CMMC-specific expertise

For a structured approach to preparation, see our CMMC compliance checklist.

If You Have Not Started

If your organization has not yet begun NIST 800-171 implementation or CMMC preparation, the single most important step is to start. The complexity and cost of preparation only increase as deadlines approach. Begin with scoping your CUI environment and conducting a gap assessment to understand the full scope of work ahead.

For a comprehensive overview of what CMMC requires, start with our CMMC requirements guide.

Monitoring the Timeline

Stay informed about CMMC timeline developments through these channels:

  • Federal Register — Monitor for 48 CFR rulemaking notices and updates
  • Cyber AB website — Official updates on C3PAO accreditation, assessment guidance, and marketplace
  • DoD CIO announcements — Policy guidance and implementation updates
  • NIST publications — Updates to SP 800-171 that will affect future CMMC requirements
  • Industry associations — Organizations like NDIA and AIA track CMMC developments and provide member guidance

The CMMC timeline will continue to evolve as the regulatory process unfolds. What will not change is the fundamental direction: the DoD is moving from self-attestation to verified compliance, and every organization in the defense supply chain needs to be prepared.

The Bottom Line

There is no single CMMC compliance deadline — but there is a practical one. If your organization handles CUI and depends on DoD contracts, the time to prepare is now. The phased rollout provides a structured timeline, but the 12-to-18-month preparation window means that waiting for Phase 2 to start before beginning your preparation is a strategy for missing contract opportunities. Early movers will capture competitive advantage while late movers scramble for limited C3PAO capacity and risk contract eligibility gaps.
