The Cybersecurity Maturity Model Certification (CMMC) rollout has moved from calendar risk to contract risk, which means Department of Defense (DoD) contractors can’t treat November 2028 as the only date that matters.
Phase 1 already gives contracting officers a path to incorporate CMMC requirements into new work, so prime contractors are pressuring subcontractors before every clause lands.
Teams still have to confirm whether they process Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), define scope, collect proof, and keep leadership affirmations current.
That shift turns CMMC compliance management into a planning problem rather than a paperwork cleanup.
This guide walks through the official DoD four-phase implementation timeline from November 2025 through November 2028, explains what each CMMC phase changes, and shows how contractors and consultants should plan backward from contract awards.
CMMC became real in two steps: Title 32 of the Code of Federal Regulations (CFR), Part 170 established the CMMC program, while the 48 CFR acquisition rule made it a contract gate through the Defense Federal Acquisition Regulation Supplement (DFARS) rule.
The order matters, since the first rule built the CMMC framework and the second gave buyers a way to require it before award.
The key dates are simple, but the operational effect is not:
This matters because CMMC is no longer only a readiness project. It can now affect award eligibility, existing contracts when an option is exercised, and flow-down decisions across contractors and subcontractors.
The four phases don’t create a free runway until 2028, since they decide which CMMC status can appear in applicable solicitations and when a certification requirement becomes harder to avoid. The first pressure point is already here.
Phase 1 is the initial implementation year, during which applicable solicitations may require CMMC Level 1 or Level 2 self-assessment results as a condition of contract award.
DoD may still require a Level 2 Certified Third-Party Assessment Organization (C3PAO) assessment for certain contracts, so contractors working with FCI should expect Level 1 pressure first.
Organizations with CUI should not assume every Level 2 path starts as a self-assessment, because program offices can set the assessment requirement higher.
The gap is where teams lose time. Confirm your CMMC level, define your CMMC assessment scope, and make sure any self-assessment is posted with an annual affirmation in the Supplier Performance Risk System (SPRS).
If Level 2 certification is likely, start C3PAO outreach before the solicitation forces the issue.
Phase 2 begins one year after the launch of Phase 1. Alongside the requirements already established in Phase 1, the DoD plans to require applicable contracts to meet CMMC Level 2 C3PAO standards as a prerequisite for award, although certain requirements may be postponed until an option period.
This is where the timeline gets less forgiving, because Level 2 is not just a larger checklist: NIST 800-171 controls, evidence collection, documentation, and assessor scheduling have to line up before the bid clock runs out.
That makes assessor capacity a planning constraint, so use an authorized assessor marketplace early and don’t wait until new DoD solicitations name the DFARS clause.
For many Level 2 teams, booking the assessment becomes part of implementation rather than the final administrative step.
Phase 3 raises the floor for higher-sensitivity work, since DoD intends to require Level 2 C3PAO status for all relevant solicitations and option periods on contracts awarded after the effective date, and it plans to add Level 3 certification for applicable work.
Level 3 brings the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) into the picture, which fits a smaller slice of the Defense Industrial Base (DIB) but demands more rigorous security work because it builds on a final Level 2 baseline.
The trade-off is clarity versus pressure: by Phase 3, contractors know the direction of travel, but the easy scheduling window has passed. Level 3-bound organizations should already have their Level 2 CMMC certification in place and a plan for the added NIST 800-172 work.
Phase 4 represents full implementation, during which the DoD will apply the appropriate CMMC level requirements to all relevant solicitations and contracts, including option periods for contracts that were awarded prior to Phase 4.
This is the end of the on-ramp rather than the start of the obligation, so contractors that waited may face contract-eligibility gaps, and prime contractors may have less room to carry suppliers that can’t prove current CMMC status.
The practical impact reaches beyond one bid. A final CMMC status becomes part of how contracting officers judge readiness, how primes manage supplier risk, and how small businesses compete for defense work without last-minute remediation.
Continuous compliance becomes the operating model because affirmations and status currency don’t stop after the assessment day.
Individual CMMC implementation usually takes two to four months for Level 1, six to 18 months for Level 2, and longer for Level 3. The official rollout tells you when requirements can appear, while your internal timeline tells you whether you’ll be ready when they do.
Level 1 usually takes two to four months when the organization has a modest environment and only transmits FCI, since the work centers on the 15 safeguards in the Federal Acquisition Regulation (FAR) clause, a final self-assessment, and a yearly affirmation in SPRS.
The FAR clause baseline doesn’t make Level 1 casual, because it still requires proof that practices work rather than statements that someone intends to follow them.
A missed owner, a weak file-handling process, or a stale artifact can delay the annual self-assessment.
Level 2 often takes 6–18 months, depending on starting posture, system boundary, and whether the contract asks for a self-assessment or C3PAO certification.
The full lifecycle can stretch 8–24 months when C3PAO scheduling enters the plan, and a conditional CMMC status can help only when allowed Plan of Action and Milestones (POA&M) items close within the 180-day window.
This is why Level 2 teams should finish gap analysis early, then build the System Security Plan (SSP) and POA&M around evidence the assessor can trace.
MotherBear’s Documentation Builder can help teams keep those files tied to the control work instead of scattered across folders.
Level 3 takes longer because the organization needs final Level 2 status first, and from there, DIBCAC assessment work and the added NIST 800-172 security requirements create a deeper preparation cycle.
Most contractors won’t need Level 3, but the ones that do should treat it as a program track rather than an extension of Level 2.
The better move is to build Level 2 evidence in a way that supports the next assessment, including traceable owners, asset decisions, and cleanly documented out-of-scope assets.
Phase 1 is already underway, so waiting for a perfect contract signal is risky. Contracting officers may set the required CMMC status in new defense contracts, and primes can push cybersecurity requirements down the supply chain before a small supplier expects it.
Instead of treating the deadline as a single 2028 event, work backward from the first likely solicitation or option period.
Your to-do checklist should look like this:
That is the payoff of treating CMMC as a contract calendar. The teams that start early gain a competitive edge because they can bid with a cleaner status, clearer proof, and lower False Claims Act risk related to overstated compliance.
Knowing the CMMC implementation timeline is only useful if it changes what your team does next.
Phase 1, Phase 2, and full implementation all create different pressure points, but the work still comes down to scope decisions, evidence, documentation, ownership, and current affirmations.
MotherBear gives defense contractors and CMMC consultants one workspace to turn rollout pressure into a working plan, so teams can map requirements, assign remediation work, store evidence, and keep documentation tied to the status they need for contract awards.
Don’t let the next phase arrive while the work still lives across spreadsheets and folders. Book a demo and see how MotherBear can turn your CMMC timeline into an execution plan.
CMMC became contractually active on November 10, 2025, when Phase 1 began. Full implementation starts on November 10, 2028, but applicable contracts can require CMMC status before then.
CMMC readiness can take two to four months for Level 1 and six to 18 months for Level 2. Level 3 takes longer because it requires a final Level 2 status before the government assessment.