CMMC Timeline: Key Dates Every Defense Contractor Needs to Know
The CMMC rollout is happening on a fixed schedule. Here are the dates that matter, what triggers each phase, and how to plan your assessment timeline so you are not scrambling at the deadline.
The Cybersecurity Maturity Model Certification program is no longer theoretical. The final rule took effect on December 16, 2024, and the Department of Defense is now rolling CMMC requirements into contracts on a phased schedule. If you hold or pursue DoD contracts involving Controlled Unclassified Information, these dates determine your eligibility to bid.
This is not a summary of the regulation. This is the operational timeline you need to plan around.
Phase 1: December 2024 through Mid-2025
Phase 1 began when 32 CFR Part 170 took effect. During this phase, the DoD can include CMMC Level 1 (self-assessment) and CMMC Level 2 (self-assessment) requirements in new contracts and contract renewals. This means any solicitation issued after December 16, 2024, may require you to demonstrate compliance before award.
Level 1 applies to contractors handling Federal Contract Information only. It covers 15 practices drawn from FAR 52.204-21. Self-assessment means you attest in the Supplier Performance Risk System (SPRS) that you meet all 15. There is no third-party audit at Level 1, but false attestation carries False Claims Act liability.
Level 2 self-assessment applies to a subset of contractors handling CUI where the DoD determines third-party certification is not yet required. You assess yourself against all 110 NIST SP 800-171 Rev 2 controls and submit your score to SPRS. Again, this is a legal attestation.
Phase 2: Mid-2025 through Mid-2026
Phase 2 introduces Level 2 certification assessments conducted by CMMC Third-Party Assessment Organizations (C3PAOs). This is where the program gets teeth. Contractors handling CUI on contracts designated as requiring certification must pass a third-party assessment.
The assessment is performed against all 110 NIST 800-171 controls. You must score at least 88 out of 110 to receive conditional certification with a Plan of Action and Milestones (POA&M). A score of 110 earns full certification. Below 88, you fail.
POA&M items must be closed within 180 days of your conditional certification. If you do not close them within that window, your certification is revoked. There are no extensions in the current rule.
Phase 3: Mid-2026 through Mid-2027
Phase 3 adds Level 3 requirements for contractors handling CUI on the most sensitive programs. Level 3 builds on Level 2 by adding 24 controls from NIST SP 800-172. These are assessed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by C3PAOs.
Level 3 is a government-led assessment. The timeline for scheduling DIBCAC assessments is less predictable than C3PAO assessments, so if you anticipate needing Level 3, begin conversations with DIBCAC early.
Phase 4: Mid-2027 Onward
By Phase 4, CMMC requirements become a standard inclusion in all applicable DoD contracts. The phase-in is complete. If you do not hold the required certification level, you cannot win new contracts and may lose recompete opportunities on existing work.
C3PAO Booking: The Hidden Bottleneck
There is a limited number of authorized C3PAOs. As of early 2025, fewer than 50 organizations hold C3PAO authorization from the CMMC Accreditation Body (the Cyber AB). Each C3PAO can handle a finite number of assessments per quarter.
Assessment lead times are already stretching to 4 to 6 months from initial engagement to final report. By mid-2025, when Phase 2 ramps up demand, expect that window to grow. Contractors who wait until a solicitation drops to begin their assessment process will likely miss the deadline.
Book your C3PAO engagement at least 6 months before you need the certification in hand. If you are planning to bid on contracts in Q3 2025 that require Level 2 certification, you should already be in discussions with a C3PAO.
SPRS Score Submission
Regardless of your target level, you must have a current SPRS score on file. For Level 1, this is your self-assessment against the 15 FAR practices. For Level 2, this is your self-assessment against the 110 NIST 800-171 controls.
Your SPRS score is visible to contracting officers. A score of -203 (the default if you have done nothing) signals that you are not prepared. A score below 88 signals that you have gaps. Contracting officers are already using SPRS scores as a factor in source selection, even before CMMC requirements appear in the solicitation.
What to Do Right Now
If you have not started, here is the priority sequence:
- Scope your CUI. Identify every system, application, and data flow that touches Controlled Unclassified Information. You cannot protect what you have not mapped.
- Complete a gap assessment. Measure yourself against all 110 NIST 800-171 controls. Be honest. Your SPRS score must reflect reality.
- Build your System Security Plan and POA&M. The SSP documents your current state. The POA&M documents your plan to close gaps. Both are required artifacts for any assessment.
- Submit your SPRS score. Get on the board. Update it as you close gaps.
- Engage a C3PAO. If you need Level 2 certification, start the conversation now. Assessment slots are filling.
The timeline is fixed. The DoD has shown no indication of delaying the phased rollout. Contractors who treat this as a future problem will find themselves ineligible for contracts they previously held.
If you need to assess your current readiness against CMMC requirements, AEGIS offers an AI-powered compliance analysis platform that maps your existing controls to NIST 800-171 and identifies gaps automatically. Start your assessment at compliance.aegisos.ai.