CMMC Program History: From 2020 to Today
CMMC 2.0 represents a significant evolution in defense contractor compliance requirements. The timeline from 2020 through 2026 shows how the Department of Defense transformed cybersecurity expectations for the industrial base. Understanding this history helps contractors contextualize current requirements and anticipate future changes.
Program Evolution
CMMC shifted from a capability maturity model to a more practical, measurable compliance framework aligned with NIST standards.
| Year | Key Event | Impact |
|---|---|---|
| 2020 | CMMC 1.0 announced by DoD | Initial framework with 5 maturity levels based on 43 security practices |
| 2021 | CMMC 2.0 proposed; 1.0 rollout begins | DoD recognizes 1.0 complexity; proposes simplified 3-level model |
| 2023 | CMMC 2.0 final rule released (January) | Streamlined framework with 110 NIST 800-171 practices across 3 levels |
| 2024 | Phase 1 rollout begins (June) | Contracts with ACOs start including CMMC clause; Phase 1 assessments open |
| 2025 | Phase 2 & 3 rollout (ongoing) | More contracts affected; contractor deadline awareness increases |
| 2026 | Phase 4 begins; enforcement ramps up | Contractors face real compliance deadlines; non-compliance consequences begin |
Current CMMC Implementation Phases (2024-2028)
The DoD phased CMMC 2.0 rollout across four phases to give contractors time to prepare. Each phase introduces the compliance requirement to different contract types and contractor sizes. Your phase depends on your primary contract type and when your contracts are re-competed or renewed.
Phase 1: Advanced Contracts (June 2024 - Present)
Contracts for advanced weapons systems, hypersonic vehicles, drone technology, and systems designed to counter near-peer competitors. Contractors: ~100 major defense primes and top-tier subs.
Phase 2: Critical Capabilities (Expected Fall 2024)
Contracts supporting critical military capabilities: missile systems, cyber weapons, command & control, nuclear modernization, space systems. Contractors: ~500 major and mid-tier primes.
Phase 3: Broad Defense Industrial Base (Expected 2025)
Contracts for aerospace, maritime, ground systems, munitions, and other core defense platforms. Contractors: ~2,000-3,000 small to large companies.
Phase 4: Full Industrial Base (Expected 2026-2027)
All DoD prime contracts and subcontracts meeting threshold. Contractors: ~10,000+ small businesses, mid-tier, and large companies.
2026-2028 Phased Rollout Schedule & Requirements Table
This table shows what contractors must do at each phase and typical dates. Requirements accumulate — Phase 2 contractors must meet Phase 1 standards, and so on.
| Phase | Timeline | CMMC Levels Required | Contractor Type | Key Requirement |
|---|---|---|---|---|
| Phase 1 | June 2024 - Q4 2026 | Level 2 or Level 3 | Major defense primes, advanced weapons | First assessed contract must have valid CMMC certification by contract award date |
| Phase 2 | Fall 2024 - 2027 | Level 2 | Critical capability contractors | Level 2 certification required; Level 3 optional for advanced systems |
| Phase 3 | 2025 - 2027 | Level 1 or Level 2 | Broad industrial base | Level 1 minimum for basic defense support; Level 2 for controlled technical info |
| Phase 4 | 2026 - 2028 | Level 1 | All government contractors | Level 1 certification required for all DoD contracts above threshold |
Not sure which phase applies to you?
Identify your phase by checking your primary contract type, your customer's contracting office, and when your contract was last competed. Still unsure? Review your recent DoD solicitation or contact your contracting officer.
Critical Deadlines for 2026-2028
These are the hard deadlines contractors must meet. Missing these dates can result in contract delays, bid ineligibility, or contract termination.
- Q2 2026: Phase 1 contractors must have valid C3PAO assessment for any new or re-competed contracts
- Q3 2026: Phase 2 contractors' first affected contracts begin requiring CMMC clause in solicitations
- Q4 2026: Phase 1 contractors' initial assessment deadline; first non-compliant contractors may face contract consequences
- Q1 2027: Phase 2 contractors must have initial assessment completed; Phase 3 rollout accelerates
- Q2 2027: Phase 3 contractors' first affected contracts; widespread compliance checking begins
- 2027-2028: Phase 4 affects all DoD contracts; smallest contractors begin certification push
When CMMC Appears in Your Contracts: DFARS 7021
CMMC compliance requirements are written into contracts through DFARS 252.204-7021, the clause that mandates CMMC certification. Your contracting officer will include this clause when your contract falls into an active CMMC phase.
What triggers DFARS 7021 inclusion:
- Your solicitation is issued after your phase's effective date
- Your contract involves federal contract information (FCI) or controlled technical information (CTI)
- Your contract value meets the minimum threshold (typically $100,000 or higher)
- Your contract is with a DoD contracting office actively enforcing CMMC
Once the CMMC clause is in your contract, you have a specific deadline (usually 30-90 days from award) to demonstrate that you either have or will obtain CMMC certification at the required level.
Contractor Preparation Timeline: How Long Each Step Takes
Preparing for CMMC certification is not instantaneous. Most contractors need 6-18 months depending on their current posture. This timeline breaks down each step and typical duration.
| Step | Typical Duration | Key Activities |
|---|---|---|
| Assessment & Planning | 2-4 weeks | Gap analysis, identify controls to implement, scope definition |
| Control Implementation | 3-6 months | Deploy tools, configure systems, build processes, train staff |
| Evidence Preparation | 4-8 weeks | Document compliance, collect policy evidence, prepare for audit trail |
| C3PAO Assessment | 2-4 weeks | Third-party auditor validates controls, may require remediation |
| Remediation & Re-assessment | 4-12 weeks | Fix identified gaps, re-test controls, document compliance |
| Certification | 1-2 weeks | C3PAO issues CMMC certificate; register in CMMC portal |
6-Month Preparation Roadmap
If your compliance deadline is 6 months away, this accelerated roadmap is the minimum viable path. You'll need to move quickly and accept higher risk.
Months 1-2: Foundation
- Week 1-2: Conduct gap analysis. Identify which controls you lack.
- Week 3-4: Procure tools (EDR, MFA, encryption, backup solutions). Budget: $15K-40K depending on size.
Months 3-4: Implementation Sprint
- Deploy security tools across all systems
- Configure multi-factor authentication, encryption, audit logging
- Build security policies and procedures
- Train all staff on new processes
- Create compliance documentation templates
Months 5-6: Assessment & Certification
- Engage a C3PAO (certified assessor); book assessment date early
- Prepare evidence: policy docs, system screenshots, access lists, audit logs
- Conduct internal pre-assessment to identify remaining gaps
- Remediate critical findings before C3PAO assessment
- Complete official assessment and receive certificate
12-Month Preparation Roadmap
A 12-month timeline allows for more thorough implementation, staff training, and confidence-building before your official assessment.
Months 1-3: Assessment & Design
- Deep-dive self-assessment of all 110 controls
- Engage a CMMC consultant for 2-3 weeks to design your roadmap
- Identify which tools/vendors you'll use
- Create detailed implementation plan with timelines and owners
- Budget planning and vendor selection
Months 4-9: Implementation & Hardening
- Deploy all required controls systematically
- Conduct monthly internal audits to verify implementation
- Refine policies based on lessons learned
- Run simulated incident response exercises
- Train and re-train staff continuously
Months 10-12: Assessment & Certification
- Formal third-party pre-assessment (mock audit by C3PAO)
- Remediate any pre-assessment findings
- Schedule official C3PAO assessment at month 11
- Complete assessment, receive certificate by month 12
18-Month Preparation Roadmap
An 18-month timeline is ideal for mature implementation, organizational change management, and building a sustainable compliance program.
Months 1-4: Assessment, Training, and Governance
- Establish CMMC Steering Committee with executive oversight
- Conduct full CMMC readiness assessment
- Develop detailed business case for tooling and staffing investment
- Train IT and security teams on NIST 800-171 and CMMC
- Create security governance structure and policies
Months 5-12: Implementation & Optimization
- Phase 1 (months 5-8): Deploy foundational controls (access, encryption, backup)
- Phase 2 (months 9-12): Deploy advanced controls (monitoring, incident response, risk management)
- Conduct monthly compliance audits
- Optimize workflows based on audit findings
- Test disaster recovery and incident response procedures
Months 13-18: Maturity & Assessment
- Run full pre-assessment with external consultant
- Remediate findings; document evidence of compliance
- Conduct C3PAO readiness review
- Schedule and execute official C3PAO assessment (month 16-17)
- Receive certificate and register in CMMC portal by month 18
What Happens If You're Not Ready by Your Deadline
If your contract includes the CMMC clause and your deadline passes without certification, the consequences escalate:
- Days 1-30 past deadline: Contracting officer issues cure notice; you have time to remediate
- Days 30-60: If not cured, contract may be suspended pending compliance; payment holds may begin
- Days 60+: Contract can be terminated for default; you're ineligible for future bids from that customer
- System-wide: Non-compliance is flagged in federal systems; may impact other contract vehicles
- Reputation: Prime contractors blacklist non-compliant subs; word spreads through the defense industry
Non-compliance also makes you an acquisition target: competitors will use your compliance status against you in bids, and your customer will actively seek alternative suppliers.
CMMC Rule Updates & Amendments Tracker
CMMC 2.0 is relatively stable, but the DoD continues to issue guidance, FAQs, and minor rule clarifications. Key updates since the 2023 final rule:
- January 2024: DoD releases Phase 1 C3PAO list and assessment pricing guidance ($3,000-$50,000 depending on scope)
- March 2024: CMMC Academy opens for public training; DoD releases NIST 800-171 guidance updates
- June 2024: Phase 1 officially begins; first contracts include CMMC clause
- Q3 2024: DFARS 7021 updated with Phase 2 implementation details
- Q4 2024-Q1 2025: DoD releases additional C3PAO guidance and assessment playbooks
- Ongoing: CMMC portal improvements, assessment tools, and clarification FAQs
Check the official CMMC program page for the latest updates, or subscribe to DoD procurement notices.
Industry Impact Timeline: How Many Contractors Are Affected
CMMC will eventually touch the entire defense industrial base. Here's the projected contractor impact by year:
| Year | Estimated Contractors Affected | Primary Impact |
|---|---|---|
| 2024 | ~150-200 contractors (Phase 1) | Advanced weapons primes; significant investment and planning |
| 2025 | ~750-1,000 contractors (Phases 1-2) | Critical capability contractors; certification market grows |
| 2026 | ~3,000-4,000 contractors (Phases 1-3) | Broad industrial base; widespread compliance efforts; tool costs spike |
| 2027 | ~6,000-8,000 contractors (Phases 1-4) | Small business push; mid-market consolidation; consultant shortage |
| 2028+ | ~10,000+ contractors (Full industrial base) | Mature compliance market; CMMC becomes table stakes for all contractors |
Preparing Your Supply Chain: Sub-Contractor Timeline
If you're a prime contractor, your subs will face CMMC requirements through you. The pressure cascades downward: primes ask subs about CMMC status, subs scramble, and the smallest suppliers get squeezed hardest.
Plan now to support your supply chain: communicate CMMC requirements 6-12 months in advance, offer guidance and resources, and consider helping smaller subs with funding or expertise.
Build your CMMC timeline today
Don't wait for your deadline notice. Use our readiness assessment to identify your current posture, benchmark against contractors in your phase, and get a personalized implementation timeline.
Key Takeaways
- CMMC 2.0 rolled out in phases from June 2024 through 2028; your phase depends on your contract type
- Phase 1 (advanced weapons) is active now; Phases 2-4 roll out through 2028, eventually covering all defense contractors
- Most contractors need 6-18 months to achieve certification; starting now gives you breathing room
- Deadlines are hard: missing your compliance date can result in contract suspension or termination
- Plan for certification costs ($20K-$100K+ depending on size), consultant fees, and staff training
- Register your C3PAO assessment early; certified assessors book 3-6 months in advance
Frequently Asked Questions
When do I have to be CMMC certified?
Your deadline depends on your phase. If you're in Phase 1, you need certification before your contract award date. If you're in Phase 2-4, your deadline is determined when your contract is re-competed or a new contract is awarded with the CMMC clause. Check your solicitation for the specific deadline.
Can I self-certify my CMMC compliance?
No. CMMC 2.0 requires a third-party C3PAO (Certified CMMC Professional Organization) to conduct your assessment. Self-assessments don't count for contract compliance. You must hire an approved C3PAO to perform the official audit.
How much does a CMMC assessment cost?
C3PAO assessment pricing ranges from $3,000-$50,000 depending on your organization size, scope, and level. A small company (50-100 employees) pursuing Level 1 typically pays $8K-15K. A mid-size company (200-500 employees) pursuing Level 2 pays $20K-40K. Larger enterprises pay $40K+.
Do CMMC certificates expire?
Yes. CMMC 2.0 certificates are valid for 3 years. After 3 years, you must undergo re-assessment with a C3PAO to maintain compliance. Plan your re-assessment schedule to ensure continuous certification.
Can a C3PAO conduct assessments of companies they've consulted?
No. CMMC rules require separation of church and state: if a consultant helped you implement controls, a different C3PAO must perform your assessment. This prevents conflicts of interest and ensures objective evaluation.
What if I fail my CMMC assessment?
If you fail, the C3PAO will identify specific controls that need remediation. You then have time to fix those issues and schedule a re-assessment. There's no penalty for failing initially — most contractors find gaps during assessment that they remedy and re-assess within 30-60 days.