CMMC 2.0 Regulatory Timeline

Where We Are and What's Coming

The 32 CFR Part 170 final rule is in effect. Phase 2 C3PAO assessments begin appearing in solicitations starting November 2026. 220,000+ contractors. A shrinking runway. Here's every date that matters.

Target: November 1, 2026 (Phase 2 solicitations begin) [UNVERIFIED — exact date not yet published]
12-month remediation: Start remediation by this date to finish before Phase 2
6-month C3PAO booking: Book your C3PAO engagement by this date (6-9 mo lead time)
Gap assessment window: Complete your gap assessment and SPRS baseline by this date

Every Date That Matters

From DFARS 2017 through full CMMC enforcement — every milestone with its source.

September 2017
DFARS 252.204-7012 Effective
DoD made DFARS clause 252.204-7012 mandatory for all contracts involving Controlled Unclassified Information. Contractors were required to implement NIST SP 800-171 and report cyber incidents to DoD within 72 hours.
Completed
Source: DFARS 252.204-7012 (48 CFR)
January 2020
CMMC 1.0 Published
DoD released CMMC 1.0 — a 5-level maturity model with 171 practices. All contractors handling CUI required third-party assessment, regardless of contract size. This version was later withdrawn in favor of the simplified 2.0 framework.
Completed
[UNVERIFIED — date approximate; DoD archived CMMC 1.0 documentation]
November 2021
CMMC 2.0 Announced
DoD announced a comprehensive review and simplification: CMMC 2.0 reduced from 5 levels to 3, eliminated unique practices not found in NIST SP 800-171, and aligned Level 2 directly to all 110 NIST 800-171 practices. Third-party assessment became required only for prioritized acquisitions.
Completed
[UNVERIFIED — based on DoD press release Nov 2021; verify at defense.gov]
December 2023
CMMC 2.0 Proposed Rule Published (48 CFR)
DoD published the proposed rule in the Federal Register to embed CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS). Opened a public comment period. This preceded the final 32 CFR rulemaking.
Completed
[UNVERIFIED — based on public reporting; verify at federalregister.gov]
October 15, 2024
32 CFR Part 170 Final Rule Published
The DoD Cybersecurity Maturity Model Certification (CMMC) Program final rule was published in the Federal Register. Established the three-level framework, assessment requirements, POA&M constraints, and the phased implementation schedule codified in 32 CFR 170.3.
Completed
Source: Federal Register Vol. 89, No. 200 (Oct 15, 2024); 32 CFR Part 170
December 16, 2024
Final Rule Effective — CMMC Is Law
32 CFR Part 170 became effective. CMMC requirements are now codified in federal regulation. DoD may immediately begin including CMMC Level 1 and Level 2 (self-assessment) requirements in new solicitations. Phase 1 begins.
Completed
Source: 32 CFR Part 170 — effective date specified in final rule preamble
2025 — Phase 1 (Active Now)
Self-Assessment Contracts Begin
DoD contracts may require CMMC Level 1 (annual self-assessment) or Level 2 self-assessment for select, lower-risk programs. Contractors must submit SPRS scores via PIEE. POA&M items allowed with 180-day remediation window. No C3PAO assessment required yet.
Active You Are Here
Source: 32 CFR 170.3 — phased implementation schedule
Mid-2025
First C3PAOs Authorized by Cyber AB
Cyber AB (formerly CMMC Accreditation Body) began authorizing C3PAO organizations to conduct official CMMC Level 2 assessments. Assessor pipelines are ramping up but remain severely constrained relative to contractor demand.
Underway
[UNVERIFIED — based on Cyber AB public statements; verify at cyberab.org]
November 2026 — Phase 2
C3PAO Assessments Required in Solicitations
DoD solicitations begin requiring CMMC Level 2 third-party C3PAO certification for contracts involving CUI. This is the hard deadline most defense contractors face. Contractors without valid certification on file cannot win covered work.
Upcoming Hard Deadline
Source: DoD phased implementation plan per 32 CFR 170.3 [exact date UNVERIFIED — monitor acquisition.gov]
2027 — Phase 3
Full CMMC Requirements in All Applicable Contracts
CMMC requirements appear in all applicable DoD contracts and task orders, including existing contract modifications. Level 3 (DIBCAC-assessed) requirements may also begin appearing for the highest-sensitivity CUI programs.
Upcoming
[UNVERIFIED — based on phased rollout language in 32 CFR 170.3; DoD has not published an exact 2027 date]
2028–2029
NIST SP 800-171 Rev 3 Transition Expected
CMMC Level 2 is currently locked to NIST SP 800-171 Revision 2 via 32 CFR 170.2. NIST published Rev 3 (SP 800-171r3) in 2024 with structural changes including Organization-Defined Parameters. DoD has not announced a transition date; industry estimates suggest 2028–2029 enforcement alignment.
Future
[UNVERIFIED — CMMC-to-Rev3 transition date not yet published; see 32 CFR 170.2 and nist.gov/publications/SP-800-171r3]

Phase-by-Phase Requirements

Each phase expands CMMC scope. Know what's required in your current phase — and what's coming next.

Phase 1 — Active
Self-Assessment Permitted
Dec 16, 2024 → Nov 2026
What's required
Level 1: Annual self-assessment, affirm in SPRS. Level 2 (select): Self-assessment with senior official affirmation. No C3PAO required yet.
Who's affected
All DoD prime and subcontractors handling FCI (Level 1) or CUI in contracts where DoD explicitly includes CMMC requirements.
Assessment type
Self-assessment against NIST 800-171 (Level 2) or 17 basic safeguards (Level 1). Score entered in SPRS.
Not yet required
C3PAO third-party assessments are not yet mandated during Phase 1 (except where individual contracts specify them).
POA&M Rules: POA&M items are allowed for non-critical deficiencies with a 180-day maximum remediation window. "Critical" findings (per 32 CFR 170.21) cannot remain open when submitting an assessment. Contractors with open critical findings cannot achieve a passing score.

Source: 32 CFR 170.21 [verify at ecfr.gov]

Phase 2
What's required
Level 2 (prioritized): C3PAO third-party assessment required. Must achieve passing score before contract award. Level 2 (non-prioritized) may still allow self-assessment.
Who's affected
DoD contractors handling CUI in any new solicitation that includes CMMC Level 2 requirements. Existing contracts may not be affected until option periods or modifications.
Assessment type
Triennial C3PAO assessment (every 3 years). Annual affirmation of continued compliance required in intervening years.
Lead time
C3PAOs booking 6-9 months in advance as of early 2026. Factor in remediation time before assessment. Total runway: 12-24 months from scratch.
POA&M Rules: Same 180-day remediation cap applies. No critical findings can remain open at the time of C3PAO assessment. POA&M items closed after assessment still require ongoing monitoring and annual affirmation. [Verify against 32 CFR 170.21 and CMMC assessment guides at dodcio.defense.gov]

Phase 3
What's required
CMMC requirements appear in all applicable DoD contracts and task orders, including modifications to existing contracts. Level 3 (DIBCAC-assessed) requirements expected for highest-sensitivity programs.
Who's affected
The full DoD industrial base. No exceptions for existing contract vehicles — CMMC will be flowed down through option exercise periods.
Assessment type
Level 2: C3PAO triennial. Level 3: DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment required for classified-adjacent programs.
Rev 3 transition
NIST 800-171 Rev 3 may begin appearing in CMMC requirements toward the end of Phase 3 / 2028-2029 window. [UNVERIFIED]
Note: Phase 3 exact dates have not been officially published as of April 2026. Monitor acquisition.gov and dodcio.defense.gov for updates. The 32 CFR 170.3 phased schedule is the authoritative source.


The C3PAO Capacity Problem

The math is brutal: a limited pool of authorized assessors, 220,000+ contractors needing assessment, and a hard deadline. Booking early is not optional.

220k+
Contractors in the DIB: Defense Industrial Base companies potentially subject to CMMC requirements. [UNVERIFIED — estimate based on DoD DIB sector statistics]
6–9mo
C3PAO booking lead time (early 2026). [UNVERIFIED — based on industry reports; individual C3PAO availability varies significantly. Verify with Cyber AB Marketplace.]
3 yr
Certification validity period: A passed C3PAO assessment is valid for 3 years with annual affirmation. Source: 32 CFR 170.16
180d
Maximum POA&M remediation window: Open POA&M items must be resolved within 180 days. Critical findings block assessment passage. Source: 32 CFR 170.21

How to Find and Book a C3PAO

  1. Visit the Cyber AB Marketplace (marketplace.cyberab.org) to browse authorized C3PAO organizations. Only organizations listed here can conduct official CMMC assessments.
  2. Request proposals from 3-5 C3PAOs simultaneously. Lead times vary; don't wait for one response. Include your estimated scope (CUI assets, employee count, cloud vs on-prem, etc.).
  3. Some C3PAOs offer a pre-assessment or readiness review — valuable for identifying critical gaps before the formal assessment clock starts.
  4. Once booked, your C3PAO will issue an Assessment Plan. You'll need to be ready to provide evidence for all 110 NIST 800-171 Rev 2 practices within your scope.
  5. After assessment, your C3PAO submits results to the CMMC eMASS system. Once accepted, your certification appears in SPRS and is valid for 3 years.
Do not assume availability. As Phase 2 approaches, C3PAO schedules will compress further. Contractors who wait until Q1 2026 to engage C3PAOs may find November 2026 slots already filled. [UNVERIFIED — based on industry capacity projections; verify current availability at marketplace.cyberab.org]
