Current Status — You Are in Phase 1

The CMMC final acquisition rule (48 CFR) was published Sept 10, 2025 and became effective Nov 10, 2025. Phase 1 runs through Nov 9, 2026. CMMC clauses are appearing in solicitations now — Level 1 and Level 2 self-assessments are currently permitted, but contractors must enter results in SPRS and attest compliance.

The 4-Phase Enforcement Roadmap

  • Phase 1 (P1): Nov 10, 2025, Rule Effective (You Are Here)
  • Phase 2 (P2): Nov 10, 2026, C3PAO Required
  • Phase 3 (P3): Nov 10, 2027, Level 3 Begins
  • Phase 4 (P4): Nov 10, 2028, Full Enforcement
  • End: Nov 2028+, Mandatory

2025–2026 — Self-Assessment Window (Current)

  • CMMC clauses begin appearing in new solicitations
  • Level 1 & Level 2 self-assessments permitted
  • Results must be entered in SPRS
  • Some contracts may require C3PAO certification early
  • Contractors can win work via attestation — no cert required yet

2026–2027 — C3PAO Certification Required (Major Shift)

  • Level 2 certification now mandatory for applicable contracts
  • C3PAO third-party assessments required (no more self-assess for L2)
  • DoD may begin requiring Level 3 (DIBCAC) for specific programs
  • Analysts project nearly all new contracts require CMMC by Oct 31, 2026

2027–2028 — Level 3 & Existing Contracts (Enforcement Expands)

  • Level 3 certification required for applicable contracts
  • Level 2 certification expands to existing contracts
  • Option years and renewals may require certification
  • DoD can require cert before exercising contract options

2028+ — Mandatory Across All Applicable Contracts (Full Enforcement)

  • CMMC required on all applicable DoD contracts
  • Cannot win or renew contracts without certification
  • Applies to primes and subs handling FCI or CUI
  • Exception: pure COTS item contracts only

What Each Level Requires, By Phase

| CMMC Level | Phase 1 (2025–2026) | Phase 2 (2026–2027) | Phase 3 (2027–2028) | Phase 4 (2028+) |
|---|---|---|---|---|
| Level 1 (FCI / Basic Safeguarding) | Self-Assessment | Self-Assessment | Self-Assessment | Self-Assessment |
| Level 2 (CUI / NIST 800-171) | Mostly Self-Assess | C3PAO Required | C3PAO Required | C3PAO Required |
| Level 3 (High CUI / NIST 800-172) | Rare / Pilot | Begins in Specific Programs | DIBCAC Required | DIBCAC Required |

What the Market Demands, Year by Year

2026: Foundational Work — Pipeline is Strong

  • CMMC gap assessments
  • SPRS attestation support
  • Enclave builds (StormCloud Gov)
  • Level 2 readiness prep
  • Policy & SSP development

2027: Peak Demand — C3PAO Bottleneck

  • Peak C3PAO assessment scheduling
  • Technical remediation sprints
  • Readiness & pre-assessment support
  • POAM management and closure
  • Existing contract expansion work

2028: Full Enforcement — Continuous Compliance

  • Enforcement response & audit support
  • Continuous compliance monitoring
  • Level 3 / DIBCAC program support
  • Recertification cycles begin
  • Sub-contractor cascade management

Industry Reality: Market Pressure Is Ahead of the Rule

Many prime contractors are requiring Level 2 certification earlier than the rule mandates in order to reduce supply chain risk. This means the actual deadline for your clients is often determined by their prime's contractual requirements — not the federal phase schedule. Treat the official timeline as a floor, not a ceiling.