Latest CMMC Compliance Updates as of February 2026

The Department of Defense is rolling out the Cybersecurity Maturity Model Certification (CMMC) through a structured, four-phase plan that spans three years—from November 2025 through November 2028. This gradual approach gives assessors time to train, contractors time to prepare, and the DoD the ability to ramp up enforcement without disrupting acquisitions.

As of January 2026, the rollout is already in motion. Phase 1 is officially underway, and CMMC requirements are now appearing in select DoD solicitations and contracts.

Phase 1: The Foundation for CMMC Readiness

November 10, 2025 – November 9, 2026

Phase 1 is a valuable window for strengthening foundational defenses and aligning CMMC requirements with broader security goals, especially when backed by comprehensive cybersecurity support services to help identify and remediate gaps before assessment.

How Phase 1 Affects Your CMMC Strategy

  • Self-assessments are allowed: Contracts may require Level 1 or Level 2 self-assessments, which contractors can complete internally.
  • Limited third-party assessments: For certain high-priority or higher-risk contracts, the DoD may require a Level 2 assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). These are selective, not universal.
  • Contractor choice: Organizations can decide whether to rely on a self-assessment or pursue C3PAO certification, depending on contract requirements.
  • Focus stays on Levels 1 and 2: Advanced Level 3 requirements are not part of Phase 1, keeping the scope manageable.

Contractor Responsibilities During Phase 1

Even with added flexibility, contractors must meet several non-negotiable requirements:

  • Assessment completed before award: A valid CMMC Level 1 or Level 2 assessment must be in place before a contracting officer can award the contract.
  • Results submitted to SPRS: All assessment outcomes must be uploaded to the Supplier Performance Risk System.
  • Ongoing compliance: Level 1 self-assessments require annual affirmations, and contractors must maintain compliance throughout the life of the contract.

Why Phase 1 Is a Critical Preparation Window

Phase 1 effectively serves as a runway before enforcement tightens. While self-assessments are still accepted for most Level 2 contracts, that flexibility won’t last. In Phase 2, third-party assessments become mandatory for Level 2, and self-assessments will no longer meet requirements in most cases.

This shift is expected to create a significant bottleneck as demand for C3PAO assessments increases.

Strategic Takeaways for Contractors

  • Self-assessments are faster and less complex than third-party certifications.
  • Contractors have more control over assessment timing during Phase 1.
  • Early C3PAO certification can create a competitive edge—even when it’s not yet required.
  • Organizations that act now can avoid delays, scheduling backlogs, and lost opportunities later.

Forward-thinking contractors are using Phase 1 to get ahead of the curve, securing C3PAO certification early and positioning themselves for long-term success as CMMC enforcement ramps up.

Phase 2: CMMC Level 2 Certification Requirements Begin

November 10, 2026 – November 9, 2027

Phase 2 marks a major shift in how CMMC Level 2 compliance is enforced. At this stage, the flexibility contractors had during Phase 1 largely disappears, and third-party validation becomes the standard.

Why Phase 2 Changes the Compliance Landscape

For most Level 2 contracts, self-assessments are no longer sufficient. Instead, contractors must obtain certification through an independent Certified Third-Party Assessment Organization (C3PAO). This requirement applies before a contract can be awarded, making certification a gate—not a formality.

As assessment timelines compress and enforcement tightens, organizations with mature security operations—often supported through managed IT services—are better positioned to maintain compliance while continuing day-to-day operations.

Level 1 requirements remain unchanged, with self-assessments still accepted for lower-risk contracts. However, the overall number of solicitations requiring CMMC increases as the DoD expands mandatory coverage across acquisitions.

At the same time, the DoD tightens oversight. Assessment documentation, evidence, and certification status receive closer review, leaving less room for interpretation or informal remediation.

Phase 2 Requirements at a Glance

  • C3PAO certification required for Level 2: Third-party assessments are now the default and expected path to compliance.
  • Level 1 remains self-assessed: Basic contracts can continue using annual self-attestations.
  • Broader contract inclusion: More solicitations include CMMC requirements as enforcement scales.
  • Stricter validation: Certifications and supporting documentation are reviewed more rigorously.

Why Phase 2 Creates a Bottleneck

This phase is where many contractors feel the pressure. Demand for Level 2 certifications far exceeds current assessment capacity. Tens of thousands of contractors require Level 2 certification, while only a small fraction have completed third-party assessments so far.

C3PAO availability remains limited, which drives wait times of several months—or longer. As demand increases, assessment fees also rise. Failing an assessment becomes especially costly, since remediation and re-assessment require additional time and expense.

Unlike Phase 1, contractors no longer have discretion. A valid C3PAO certification must be in place before a Level 2 contract can be awarded.

Critical Timing Considerations

To remain eligible for new Level 2 contracts awarded after November 10, 2026, organizations must complete C3PAO certification before that date. Given that certification commonly takes 12 to 18 months from preparation through assessment, organizations that waited until early 2026 are already facing a compressed timeline.

Phase 2 rewards early action and penalizes delay. Contractors that plan ahead avoid scheduling backlogs, inflated costs, and missed opportunities—while those who wait risk being sidelined during active procurements.

Phase 3: CMMC Enforcement Expands and Level 3 Launches

November 10, 2027 – November 9, 2028

Phase 3 represents the point where CMMC moves from gradual adoption to full enforcement. During this phase, the Department of Defense introduces Level 3 requirements for the most sensitive contracts while significantly increasing oversight across all certification levels.

What Tightened Enforcement Looks Like in Practice

By Phase 3, compliance is no longer limited to contract award decisions. Certification status directly impacts contract continuation, option periods, and extensions. At the same time, the DoD begins applying Level 3 assessments to contracts involving high-risk or mission-critical information, raising the bar for cybersecurity maturity across the defense supply chain.

Phase 3 Requirements

  • Level 2 certification required for contract options: Contractors must maintain an active Level 2 C3PAO certification to exercise option years or extend performance. Lapsed certifications can halt contract progression.
  • Level 3 assessments introduced: The DoD begins requiring Level 3 evaluations for select, highly sensitive contracts. These assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not third-party assessors.
  • Stronger supply chain accountability: Prime contractors are responsible for confirming that subcontractors meet the appropriate CMMC level before work begins.
  • Minimal flexibility: Grace periods largely disappear. Contractors without current certifications risk losing the ability to extend or continue contracts.

What Makes Level 3 Different

Level 3 certification follows a fundamentally different assessment model. Unlike Levels 1 and 2, which rely on contractor-led or third-party assessments, Level 3 evaluations are conducted directly by the federal government.

These assessments apply to contracts that involve advanced threat exposure, highly sensitive controlled unclassified information, or programs critical to national defense. To qualify, organizations must first achieve a final Level 2 certification before pursuing Level 3.

Once awarded, Level 3 certification remains valid for three years, after which recertification is required—mirroring the renewal cycle of Level 2.

Strategic Implications of Phase 3

Phase 3 is where compliance gaps become business risks. Organizations without current certifications lose eligibility for new work and may be unable to continue existing contracts. As enforcement solidifies, the competitive landscape narrows, with non-compliant contractors exiting the market altogether.

Contractors that moved early have already secured preferred vendor status, while late adopters often find themselves competing primarily on price rather than capability or trust. At this stage, certification is no longer a one-time effort; it becomes an ongoing operational requirement. Planning for recurring three-year assessments is essential to maintaining eligibility and long-term growth within the defense industrial base.

Phase 4: CMMC Compliance Required for All DoD Contracts

November 10, 2028, and Beyond

Phase 4 marks the end of the CMMC transition period. At this point, CMMC is no longer phased, flexible, or selectively applied—it becomes a firm requirement across the Department of Defense contracting ecosystem.

Operating Under Mandatory CMMC Compliance

CMMC requirements apply to all applicable DoD contracts without exception. Discretion, grace periods, and informal workarounds are eliminated. If a contract involves Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), a valid CMMC certification is required to compete, win, and perform.

Phase 4 Requirements

  • CMMC required for all applicable contracts: Every DoD solicitation involving FCI or CUI includes a required CMMC level—whether Level 1, Level 2, or Level 3.
  • Certification tied to contract continuity: Contractors must maintain current certification to exercise option years or extend contract performance.
  • Limited exemptions: Only contracts that exclusively involve commercial off-the-shelf (COTS) products are excluded.
  • End-to-end supply chain enforcement: Prime contractors are responsible for verifying that all subcontractors maintain the appropriate CMMC status.
  • Zero-tolerance enforcement: Contractors without valid certification are ineligible for award, with no waivers or exceptions.

Strategic Implications of Phase 4

By Phase 4, CMMC compliance becomes a baseline cost of doing business with the DoD. Organizations without an active certification are effectively locked out of the defense market, both for new opportunities and ongoing work.

Award decisions become straightforward: if a contractor’s CMMC status is not current and visible in SPRS, the contract does not move forward. There is no appeal process built into this stage.

Compliance also shifts from a milestone to an operational discipline. Organizations must maintain continuous alignment through ongoing monitoring, internal controls, and scheduled recertification. Missing a three-year renewal window doesn’t just create risk—it can directly result in lost contracts and stalled programs.

Key Phase Transitions and Compliance Deadlines

As the CMMC rollout progresses, the transition points between phases create hard deadlines that directly affect contract eligibility. Missing these milestones can delay certification, block contract awards, or prevent contract extensions.

Phase 1 to Phase 2 Transition — November 10, 2026

What shifts at this point
CMMC Level 2 self-assessments are phased out for most contracts. Third-party certification through a C3PAO becomes a requirement rather than an option.

Why it matters
Organizations must complete a Level 2 C3PAO assessment before November 10, 2026 to remain eligible for new Level 2 contracts awarded after that date.

Planning window
From January 2026 through November 2026, organizations have a narrow 10-month window to complete certification. Given that Level 2 certification typically takes 12–18 months from preparation to final approval, organizations that delay risk missing this cutoff entirely.

Phase 2 to Phase 3 Transition — November 10, 2027

What shifts at this point
Level 3 requirements begin appearing in contracts involving highly sensitive information. At the same time, Level 2 certification becomes mandatory not just for new awards, but for exercising option years and extending existing contracts.

Why it matters
Contractors must maintain an active Level 2 certification to continue performance beyond the base contract period. Lapsed certification can prevent option execution, even on previously awarded work.

Phase 3 to Phase 4 Transition — November 10, 2028

What shifts at this point
CMMC moves into full enforcement across all applicable DoD contracts. Discretion, flexibility, and phased adoption end.

Why it matters
Every applicable contract requires an active CMMC certification. Organizations without current status are no longer eligible to compete, win, or stay on DoD work—no waivers, no exceptions.

Why the DoD Rolled Out CMMC in Phases

Rather than enforcing CMMC all at once, the Department of Defense intentionally designed a phased rollout to balance readiness, risk, and capacity across the defense industrial base. This approach allows cybersecurity standards to rise without disrupting ongoing programs or overwhelming the assessment ecosystem.

The phased structure serves several critical goals:

  1. Scaling the assessor ecosystem
    The rollout gives the Cyber AB time to train, certify, and authorize enough C3PAOs to meet nationwide demand.
  2. Giving contractors time to prepare
    Gradual implementation allows organizations to understand CMMC requirements, close security gaps, and build sustainable compliance programs.
  3. Avoiding assessment backlogs
    Staggered enforcement prevents limited C3PAO capacity from becoming a single point of failure across DoD acquisitions.
  4. Supporting strategic compliance planning
    Contractors can evaluate risk, prioritize remediation, and schedule assessments based on business needs rather than last-minute deadlines.
  5. Focusing first on higher-risk programs
    Early phases establish baseline controls, while later phases expand enforcement to contracts involving more sensitive data and missions.

Strategic Reality Check: Compliance Timelines Are Shrinking

While the phased rollout creates flexibility early on, those windows are closing quickly. Each phase introduces stricter requirements, fewer options, and higher consequences for delay.

Phase 1: The Current Opportunity Window

Right now, organizations still have room to maneuver, especially at Level 2.

  • Level 2 self-assessments are still accepted for applicable contracts
  • C3PAO availability is higher than it will be in later phases
  • Assessment costs remain lower before demand peaks
  • Early certification can create competitive separation
  • Organizations control certification timing rather than reacting to contract deadlines

Time remaining: Approximately 9 months before Phase 2 begins on November 10, 2026.

Phase 2: The Compliance Crunch Begins (Starting November 2026)

Once Phase 2 starts, flexibility largely disappears.

  • Level 2 self-assessments are no longer sufficient
  • C3PAO certification becomes mandatory for contract award
  • Assessment capacity tightens, with multi-month wait times common
  • Pricing increases as demand outpaces availability
  • Certification must be completed before award—no discretion

At this stage, organizations compete not just for contracts, but for limited assessment slots.

Phases 3 and 4: Enforcement Becomes the Standard (2027–2028)

In the final phases, CMMC transitions from a readiness initiative to a permanent operating requirement.

  • Full enforcement is active with no grace periods
  • Prime contractors must verify subcontractor compliance
  • Recertification cycles become an ongoing business obligation
  • The market consolidates as non-compliant contractors exit

By this point, CMMC compliance is no longer a differentiator; it’s the baseline for participating in DoD work.

Final Takeaway: CMMC Readiness Is a Business Decision

CMMC is no longer a future consideration—it’s an active, phased requirement that directly impacts contract eligibility, renewal options, and long-term competitiveness in the defense market. Organizations that treat compliance as a strategic initiative, rather than a last-minute checkbox, are far better positioned to manage costs, avoid assessment delays, and protect revenue as enforcement tightens.

The window for flexibility is closing fast, and the decisions made today will determine whether your organization can continue competing for DoD work tomorrow. If you want guidance on preparing for CMMC, navigating certification timelines, or building a sustainable compliance program, contact Intech Hawaii to start a conversation about your next steps.