CMMC Final Rule Phase Tracker — Methodical Security

Current State

Last reviewed: 2026-05. Verify current state against the DoD CIO CMMC Program Office before making contract decisions; the rollout schedule has been adjusted multiple times since the Final Rule was published.

The CMMC Final Rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024 (89 FR 83214) and became effective on December 16, 2024. The acquisition-side rule (DFARS Case 2019-D041, updating DFARS 252.204-7021) was published as a final rule on September 10, 2025, with phased applicability to solicitations beginning November 10, 2025.

The rollout is structured in four phases over a three-year period. Each phase progressively expands which contracts must include CMMC certification requirements and at what level. Throughout the rollout, contracting officers retain discretion to require CMMC earlier than the phased schedule would otherwise require.

Phase status changes. The PMO has published guidance, schedule adjustments, and class deviations as the program has matured. Always confirm the current state against the PMO's published guidance before making procurement decisions or planning compliance investments.

Phase 1 — Self-Assessment Required

Phase 1 · Began November 10, 2025

CMMC Level 1 and Level 2 (Self-Assessment) requirements appear in solicitations In effect

In Phase 1, contracting officers begin requiring CMMC Level 1 (Self) and CMMC Level 2 (Self) certifications in new contracts and option exercises. Level 2 (C3PAO) and Level 3 are not yet broadly required in Phase 1 except by contracting officer discretion.

What this means for contractors

If your contract is awarded during Phase 1 and the contract includes DFARS 252.204-7021 specifying Level 1 or Level 2 (Self), you must have a current self-assessment posted in SPRS at the appropriate level
The senior official affirmation in SPRS becomes a contractual representation
Existing DFARS 7012, 7019, and 7020 obligations continue to apply unchanged
Contracts not yet including 7021 continue under the prior framework (DFARS 7012 + SPRS posting under 7019)

Phase 2 — Level 2 C3PAO Certification Required

Phase 2 · Begins November 10, 2026

CMMC Level 2 (C3PAO) certification appears in new contracts Upcoming

Beginning November 10, 2026, contracting officers in applicable solicitations begin requiring CMMC Level 2 (C3PAO) certification at award. This affects the population of contractors that handle CUI under DoD contracts — DoD estimates approximately 80,000 contractors will ultimately need Level 2 third-party certification. Contracts already in performance under earlier-phase terms continue under those terms; Phase 2 affects new awards and option exercises that include the updated 7021 clause.

What this means for contractors

If your contract is awarded during Phase 2 and the contract specifies Level 2 (C3PAO), you must hold a current C3PAO-issued certification before contract award
C3PAO assessment must be planned and executed in advance of bidding on Phase 2 contracts — typical lead time is 12–18 months from initial preparation through certification
Contracts already in place under earlier framework continue under the terms of those contracts; Phase 2 affects new awards and option exercises that include 7021
The C3PAO ecosystem capacity is expected to be a constraint during early Phase 2; engaging a C3PAO early matters

Phase 3 — Level 3 Required

Phase 3 · Begins November 10, 2027

CMMC Level 3 certification appears in new contracts Future

Phase 3 introduces the Level 3 requirement for contracts handling the most sensitive CUI. Level 3 layers the 24 NIST SP 800-172 enhanced requirements on top of the Level 2 base, and assessments are conducted by DIBCAC rather than C3PAOs.

What this means for contractors

Affects a narrow population — primes and Tier 1 subs on the highest-sensitivity programs
Contractors targeted for Level 3 typically know it well in advance; Level 3 contracts are negotiated with the security requirement clearly understood
Level 3 implementation requires the Level 2 foundation plus the additional 800-172 controls — typically a 12–24 month preparation timeline beyond Level 2
DIBCAC assessment scheduling is a constraint distinct from the C3PAO ecosystem

Phase 4 — Full Implementation

Phase 4 · Begins November 10, 2028

CMMC requirements appear in all applicable contracts Future

Phase 4 represents full implementation: any contract that involves FCI or CUI includes appropriate CMMC certification requirements. The phased rollout effectively completes; thereafter, CMMC is the standing baseline.

What this means for contractors

By Phase 4, every contractor performing on FCI or CUI contracts should be certified at the appropriate level
The contractor population that has not yet certified by Phase 4 will face a sharp constraint on contract opportunities
The C3PAO ecosystem is expected to have significantly more capacity by Phase 4 than during early Phase 2
Recertifications from Phase 1/2/3 begin to come due during Phase 4 — the recertification volume layers on top of new certifications

The Phased Timeline at a Glance

Phase	Approximate window	What's required in new contracts
Phase 1	Nov 10, 2025	Level 1 (Self) and Level 2 (Self) certification appear in new contracts
Phase 2	Nov 10, 2026	Level 2 (C3PAO) certification appears in new contracts
Phase 3	Nov 10, 2027	Level 3 certification appears in new contracts; Level 2 (C3PAO) becomes required for option exercises on covered contracts
Phase 4	Nov 10, 2028	Full implementation — CMMC at the appropriate level required for any applicable FCI/CUI-handling contract (no exceptions beyond pure COTS procurements)

The dates above reflect the schedule established by the DFARS Final Rule (DFARS Case 2019-D041, published September 10, 2025). The DoD has historically adjusted CMMC schedules through guidance and class deviations; verify current applicability against the PMO's published schedule before procurement planning.

Throughout all phases, contracting officers may include CMMC requirements in contracts earlier than the phased schedule would otherwise require — particularly for contracts involving sensitive CUI or for follow-on work to existing CMMC-required contracts. There is no period during the rollout when CMMC requirements are guaranteed not to appear in your contracts.

Reading Your Contracts to Know What Applies

The phase that applies to a specific contract is determined by the clauses in that contract, not by your interpretation of the rollout schedule. To know what applies to a contract you hold or are pursuing:

Look for DFARS 252.204-7021. If the clause appears, the contract has a CMMC certification requirement. The clause specifies the required CMMC level (1, 2, or 3) and the assessment type (Self or C3PAO).
Look for DFARS 252.204-7012. If 7012 appears (with or without 7021), the contract involves CDI and triggers all the safeguarding obligations.
Look for DFARS 252.204-7019 and 7020. These typically appear alongside 7012 and require SPRS posting and DoD assessment access.
Look for FAR 52.204-21. If only this clause appears (no DFARS 7012 or 7021), you have a Level 1 (FCI-only) obligation.

The contract is the authority. The phased schedule tells you what to expect in upcoming solicitations; your existing contracts continue to operate under the clauses they incorporate.

For the full discussion of how to read DFARS clauses to determine your level, see Choosing Your CMMC Level.

Planning Implications

The phased rollout creates predictable planning windows. Use them.

If you handle only FCI: Level 1 (Self) is required from Phase 1 onward. Annual self-assessment and SPRS affirmation. Modest investment compared to higher levels.
If you handle CUI and your contract specifies Level 2 (Self): Annual self-assessment with the senior official's affirmation. The implementation burden of all 110 controls applies even though no third party assesses you.
If you handle CUI and Level 2 (C3PAO) is in your future: Begin certification preparation now. The 12–18 month typical preparation timeline plus the C3PAO scheduling lead time means starting Phase 2 work in Phase 1 is sensible. Waiting until your first Phase 2 contract opportunity to begin preparation usually means missing the opportunity.
If you are targeted for Level 3: You almost certainly already know. Plan for the Level 2 foundation first, then layer the 800-172 enhancements. Total preparation timeline is typically 24–36 months from initial Level 2 preparation to Level 3 certification.
If you have a multi-year contract that may extend beyond your current certification: Recertification planning matters. Begin engaging your C3PAO 6 months before your certification expires; an expired certification can affect contract performance even if the underlying security posture is strong. See Maintaining Your Certification.

Authoritative Sources

DoD CIO CMMC Program Office

Authoritative source for current phase status, schedule changes, and interpretive guidance — check before any procurement decision

CMMC Final Rule (32 CFR Part 170)

The DoD-side rule that established the CMMC program — the foundational regulatory basis for the phased rollout

DFARS 252.204-7021

The acquisition-side clause that triggers contract-level CMMC requirements in solicitations and contracts

The Cyber AB

CMMC Accreditation Body — current C3PAO ecosystem capacity, assessment process documentation, and accreditation status changes

DFARS / DPC

Defense Pricing and Contracting — issues class deviations and contracting guidance that affect how the rollout is implemented

SPRS

Where the self-assessment scores and senior official affirmations live throughout all phases

Related resources: See Choosing Your CMMC Level for the contract-reading methodology, and NIST 800-171 Rev 2 → Rev 3 for the underlying control standard's evolution that may eventually feed into CMMC.