The actual rollout of CMMC requirements is divided into four phases and tied to the publication of the complementary 48 CFR Part 204 CMMC Acquisition rule, which will amend the Defense Federal Acquisition Regulation Supplement (DFARS) and establish how CMMC requirements will be contractually implemented through DoD solicitations and contracts.
The Department estimates that full implementation across all defense contractors will take approximately seven years, given the volume of DoD solicitations and contract awards processed annually. That said, contractors don’t need to wait for the phased rollout to begin. They can voluntarily seek certification as soon as the 32 CFR Rule becomes effective.
CMMC Timeline
The Most Important CMMC Dates Include:
- January – December 2028 – CMMC phase 4 rollout concludes, with CMMC requirements now included in all DoD solicitations and contracts.
- January – December 2027 – CMMC phase 3 begins, requiring Level 2 C3PAO certification for the renewal or extension of existing contracts.
- January – December 2026 – CMMC phase 2 rollout begins, introducing third-party (certification) assessment requirements at Level 2.
- January – December 2025 – CMMC phase 1 rollout begins, only requiring self-assessment and attestation for all new contracts. 48 CFR final rule expected early to mid-2025.
- January – December 2024 – DoD review and analysis of public comments on CMMC 2.0 32 CFR and 48 CFR proposed final rule. 32 CFR final rule becomes effective on December 16, 2024.
- December 2023 – 32 CFR CMMC 2.0 DFARS rule released for public comment, along with supporting documentation including CMMC 2.0 assessment and scoping guidelines.
- January 2022 – December 2023 – Rulemaking underway while DIB contractors prepare for CMMC 2.0 requirements.
- December 2021 – CMMC v2.0 model documentation and assessment guides released.
- November 2021 – The DoD review of the CMMC program is concluded; CMMC v1.0 is effectively terminated and replaced by CMMC 2.0.
- April 2021 – The first C3PAOs begin to be assessed against CMMC Level 2 (previously CMMC 1.0 Level 3) by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). C3PAOs must pass their own Level 2 assessment before being able to conduct assessments themselves.
- January 2020 – The introduction of CMMC Version 1.0.
The phased rollout of CMMC is crucial for enhancing cybersecurity across the Defense Industrial Base. To learn more about how OSIbeyond can support your organization’s CMMC compliance needs, download our DoD Contractor’s Guide to CMMC 2.0 Compliance. For further assistance, schedule a meeting with one of our CMMC Registered Practitioners to address any questions you may have.