The CMMC Timeline: What's Happening and When (2025-2028)

CMMC became legally effective on November 10, 2025. That date matters, but it does not mean every defense contractor needs a C3PAO certification by the end of the year. The program rolls out in four phases over three years, and understanding the timeline is essential to building a CMMC program that aligns with your actual contract cycle.

This article breaks down each phase, what happens during it, and what actions contractors should take relative to each milestone.

The Legal Foundation: November 10, 2025

On November 10, 2025, DFARS 252.204-7021 (the CMMC Requirements clause) took effect as part of the final rule published in 32 CFR Part 170. This date marks the beginning of CMMC as a legally enforceable requirement in Department of Defense (DoD; redesignated the Department of War by executive order, September 2025) contracts.

From this date forward, contracting officers have the authority to include CMMC requirements in new solicitations. The phased implementation plan governs how and when those requirements appear.

Phase 1: November 2025 Through November 2026

What Happens

Phase 1 is the self-assessment phase. During this period, contracting officers will include CMMC requirements in new solicitations and contract awards. The primary mode of compliance verification for Level 2 during Phase 1 is self-assessment with senior official affirmation.

This means organizations can demonstrate Level 2 compliance by conducting their own assessment against the 110 NIST SP 800-171 Rev 2 requirements, calculating a weighted score, submitting it to SPRS, and having a senior official legally affirm its accuracy.

C3PAO third-party assessments during Phase 1 are at the contracting officer's discretion. A contracting officer can require a C3PAO assessment during Phase 1, but only if market research confirms that enough certified organizations exist to support meaningful competition for the contract. In most cases, Phase 1 will mean self-assessments.

Level 1 organizations follow their standard annual self-assessment cycle throughout all phases.

What This Means for Contractors

Phase 1 is not a grace period. Organizations that do not have an active, accurate SPRS submission during Phase 1 can be excluded from contract awards. The SPRS submission requirement has been in effect under DFARS 252.204-7012 since November 2020, meaning most CUI-handling contractors should already have a score on file.

Phase 1 is also the window to build your CMMC program. Organizations that use Phase 1 to conduct a professional gap assessment, close their most significant gaps, build their SSP, and get their SPRS score to an accurate and defensible position will be well-positioned when Phase 2 C3PAO requirements begin.

Actions to Take During Phase 1

  • Verify your current SPRS score and ensure it reflects your actual security posture
  • Conduct a professional CMMC gap assessment if you have not already done so
  • Build or update your System Security Plan (SSP)
  • Begin remediation of gaps, prioritizing the 5-point requirements and the six prohibited controls
  • Identify and engage a C3PAO if you anticipate a Phase 2 assessment requirement

Phase 2: November 2026 Through November 2027

What Happens

Phase 2 is when mandatory C3PAO third-party assessments begin appearing in new solicitations. During this phase, contracting officers will include CMMC Level 2 C3PAO requirements in applicable new contracts. Organizations seeking these contracts must either have achieved, or be actively pursuing, a C3PAO certification.

Level 3 requirements also begin to appear in Phase 2. Organizations pursuing Level 3 must first achieve a full Level 2 C3PAO certification before DIBCAC can conduct the Level 3 assessment.

What This Means for Contractors

Phase 2 is the inflection point where self-assessment is no longer sufficient for many Level 2 contracts. If a solicitation released in late 2026 specifies CMMC Level 2 C3PAO as an award requirement, you need to already have your certification or be in the assessment process.

C3PAO assessments take time to schedule, prepare for, and complete. Most organizations require a minimum of 30 to 90 days of intensive preparation between completing gap remediation and beginning a C3PAO assessment. Adding a 180-day Conditional window (if needed for POA&M items) extends the timeline further.

If you start your readiness program in October 2026 because a Phase 2 solicitation landed on your desk, you will almost certainly miss the award.

Actions to Take Before Phase 2

  • Complete your gap remediation and have your environment at or above 88 SPRS points
  • Engage a C3PAO and schedule your assessment with adequate lead time
  • Ensure your SSP, POA&M, and supporting documentation are complete and current
  • Verify your CAGE codes and eMASS registration are in order

Phase 3: November 2027 Through November 2028

What Happens

Phase 3 extends C3PAO requirements more broadly across the applicable DoD contract base. More contract vehicles, task orders, and indefinite delivery contracts will carry CMMC Level 2 C3PAO requirements during this phase.

What This Means for Contractors

By Phase 3, C3PAO certification for Level 2 CUI contracts will be standard rather than exceptional. Organizations without current certifications will be competing against a growing pool of certified organizations for the same contracts.

There is also a capacity constraint to consider. The number of accredited C3PAOs relative to the number of organizations that will need assessments creates a scheduling bottleneck. As demand for C3PAO assessments surges in Phase 2 and Phase 3, wait times for assessment slots will increase. Organizations that wait until Phase 3 to start their certification process will find limited availability and potentially longer lead times.

Phase 4: November 2028 and Beyond

What Happens

Phase 4 represents full CMMC implementation. By this point, all contracts with applicable CMMC requirements are expected to have full enforcement in place. Self-assessment is no longer an option for Level 2 contracts that specify C3PAO assessment.

The Renewal Cycle: What Happens After Certification

CMMC certifications are not permanent. Here is the ongoing compliance cycle after initial certification:

  • Level 1: Annual self-assessment and senior official affirmation required every year.
  • Level 2 (C3PAO): Certification is valid for three years. Before the three-year cycle ends, a new C3PAO assessment must be completed. Three events can trigger a reassessment before the three-year mark: a major technology upgrade or change to the assessed environment, cyber intelligence reporting indicating a compromise or significant new threat, or a merger or acquisition that materially changes the environment.
  • Level 3 (DIBCAC): Certification is valid for three years on the same cycle as Level 2.

Annual affirmations of CMMC status are also required throughout the certification period, not just at assessment time.

For organizations with existing NIST 800-171 investments and a mature IT environment, this timeline is achievable. For organizations starting from scratch with a large scope, the timeline is tight and execution must start immediately.

The Assessor Shortage Problem

There is a structural capacity constraint in the CMMC ecosystem: there are not enough accredited C3PAOs to assess every organization that will need Level 2 C3PAO certification by Phase 2. The Cyber AB has been expanding the assessor pipeline, but the ratio of organizations needing certifications to available assessment capacity is a known constraint.

Early movers who prepare and engage C3PAOs now can schedule in the current lower-demand window. Organizations that wait until Phase 2 solicitations force the issue will be competing for limited assessment slots while under contract pressure.

Key Takeaways

  • CMMC effective date: November 10, 2025 (DFARS 252.204-7021)
  • Phase 1 (through Nov 2026): Self-assessments primary, C3PAO at contracting officer discretion
  • Phase 2 (Nov 2026 – Nov 2027): Mandatory C3PAO requirements begin in new solicitations
  • Phase 3 (Nov 2027 – Nov 2028): Broader C3PAO enforcement
  • Phase 4 (Nov 2028+): Full implementation
  • Certification cycles: Level 1 annual, Level 2/3 every three years
  • The window to build a CMMC program and achieve certification before Phase 2 is now

Learn More

For the complete picture of CMMC requirements, levels, and assessment processes, read the CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.

Building a CMMC program against the Phase 2 timeline? NR Labs has direct experience moving organizations from gap assessment to C3PAO-ready within compressed timelines. Contact us to discuss your specific situation.