Think about all the important data that defense contractors handle – plans, communications, project details. The Department of Defense (DoD) wants to make sure that this information is well-protected from cyber threats.

The DoD is rolling out the Cybersecurity Maturity Model Certification (CMMC) program to ensure that companies working with them have sufficient cybersecurity measures in place to protect sensitive information.

But when exactly will this program be enforced? Let’s go over the timeline below.

CMMC 2.0 Timeline: A Complete Overview

The development of CMMC has been a step-by-step process. We’ll break down the major steps below to help you understand how this program has evolved over time and where it stands today. 

May 2016: FAR 52.204-21 released

In response to increases in cyber threats aimed at the Defense Industrial Base (DIB), the DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) released the FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. 

This contract clause requires contractors and subcontractors to implement 15 basic safeguarding requirements and procedures to protect federal contract information (FCI) being processed, stored, or transmitted on contractor information systems. 

The FAR clause did not provide for DoD verification of a contractor's implementation of the 15 basic safeguarding requirements.

October 2016: DFARS 252.204-7012 released

DFARS clause 252.204-7012 was released in October 2016, requiring defense contractors and subcontractors to provide “adequate security” for all covered defense information. Less than a year later, a memorandum stated that, to provide adequate security, the contractor must implement all 110 NIST 800-171 Revision 2 requirements prior to contract award.  The deadline to implement NIST-171 requirements was December 31, 2017.

By signing a defense contract, vendors were essentially self-attesting that they meet all of the security requirements outlined in DFARS, even if those requirements were not explicitly spelled out within the contract itself. Like FAR clause 52.204-21, DFARS clause 252.204-7012 did not require DoD to verify a contractor's implementation of those security requirements, prior to contract award. But if the government found out they weren’t meeting those requirements or a whistleblower reported non-compliance, they could get sued for making false claims. So this "self-attestation" model of security wasn't just having a negative effect on federal security, it was also introducing legal risk to companies within the DIB.

Years after the release of the FAR and DFARS clauses, many contractors and subcontractors were still not consistently implementing mandated system security requirements for safeguarding FCI or CUI. So the DoD decided they needed to move away from this self-attestation model of security and take steps to assess a contractor's ability to protect this information.

September 2020: The CMMC interim rule released

Starting in 2019, the DoD started working on a framework to make sure contractors and subcontractors were implementing the DoD’s cybersecurity requirements and capable of protecting unclassified information. This framework, CMMC 1.0, built on existing requirements from DFARS 252.204-7012 and added a way to verify compliance through third–party certification. CMMC 1.0 was introduced under an interim rule in September 2020. 

This interim rule was a temporary set of guidelines issued by the DoD to begin implementing CMMC requirements while the final rule-making process was still ongoing. It provided initial guidance and requirements for defense contractors to start preparing for CMMC compliance.

Based on DFARS Clause 252.204-7012, the CMMC interim rule established a five year phased approach for CMMC implementation, during which CMMC compliance is only required in select pilot contracts approved by the office of the Under Secretary of Defense of Acquisition and Sustainment (OUSD(A&S)). 

November 2021: CMMC 2.0 announced

More than a year after the interim rule was released, the DoD officially suspended the CMMC 1.0 pilot efforts and released CMMC 2.0. CMMC 2.0 introduced significant changes to the CMMC program to simplify the certification process, align more closely with existing cybersecurity standards, and reduce the compliance burden on small businesses.

Here’s an overview of the key changes in CMMC 2.0:

• Reduced levels – CMMC 2.0 simplifies the framework from five levels to three: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
• Stronger alignment with NIST – Compliance requirements now closely follow NIST SP 800-171, Revision 2 (for CMMC Level 2) and NIST SP 800-172 (for CMMC Level 3), making adherence easier for organizations already using these frameworks.
• Self-assessments for certain levels – Level 1 and some Level 2 contracts allow for annual self-assessments instead of third-party audits, reducing compliance costs.
• More focused requirements – Removed some unique CMMC requirements that did not align with existing standards and focused more precisely on protecting Controlled Unclassified Information (CUI).
• Greater accountability and transparency – Self-assessments require affirmation by a senior company official, reinforcing accountability and compliance integrity.

October 2024: The CMMC Final Rule (32 CFR) published

CMMC 2.0 is the foundation for the final rule, also known as the 32 Code of Federal Regulations (CFR) CMMC Program rule. First published as a proposed rule on December 26, 2023, the DoD published it as a final rule in the Federal Register on October 15, 2024 and it went into effect on December 16, 2024. 

This rule is basically the set of guidelines and requirements the DoD put in place to get everyone on the same page.

It introduced a framework with three levels of cybersecurity practices. Each level builds on the previous one, getting more advanced:

• Level 1: Foundational - Basic practices that everyone should be doing, like updating antivirus software and managing passwords.
• Level 2: Advanced - More comprehensive practices, aligned with NIST SP 800-171 Rev. 2, like encryption and incident response plans.
• Level 3: Expert - For the most sensitive information, with advanced measures like continuous monitoring and proactive threat hunting.

Why three levels? Because not every contractor handles the same type of information. Some might just handle basic contract details, while others might handle detailed plans or sensitive communications. The three levels let companies match their security efforts to the type of information they’re dealing with and allow DoD officials and contract owners the assurance that the organizations they’re working with are protecting their data according to a specific standard.

If you’re a contractor or subcontractor working with the DoD, you’ll need to get certified at one of these levels. The specific level you need depends on the type of contracts you’re bidding on and the sensitivity of the information involved.

For Levels 2 and 3, you’ll need to undergo an assessment by a third-party organization (C3PAO) or the DoD, respectively, to make sure you’re actually following the required practices. Level 1 can often be self-assessed, but it still requires you to demonstrate compliance with the basic practices.

July 23, 2025: Enforcement timeline announced

On July 23, 2025, the DoD submitted the 48 CFR Acquisition rule to the Office of Management and Budget (OMB), setting the countdown in motion.

The submission includes clause 204.7503, which makes CMMC certification a requirement for most DoD contracts starting October 1, 2025.

Here’s what 204.7503(b) says:

“On or after October 1, 2025, [the clause at 252.204-7021 shall be used] in all solicitations and contracts or task orders or delivery orders… except for solicitations and contracts or orders solely for the acquisition of commercially available off-the-shelf (COTS) items.”

In plain terms: If the 48 CFR rule is finalized as planned, you’ll need to be CMMC compliant to win new DoD business starting this fall.

The CMMC phased rollout: What happens next?

The 48 CFR rule is now undergoing OMB and Congressional review. Once finalized, it will trigger a four-phase rollout of CMMC enforcement:

• Phase 1 (2025): Requires CMMC Level 1 or Level 2 self-assessments for certain contracts. The DoD does have discretion to include Level 2 certification assessment requirements into contracts at this time. Starts on the effective date of the 48 CFR rule.
• Phase 2 (2026): Requires official CMMC Level 2 certification assessments. Begins one year after Phase 1 starts. 
• Phase 3 (2027): Includes CMMC Level 3 assessments. Begins one year after Phase 2 starts. 
• Phase 4 (2028): Full implementation for all relevant contracts. Begins one year after Phase 3 starts. 

The phased rollout does not mean that organizations can delay CMMC implementation until 2028. CMMC will likely appear in most new DoD contracts starting October 1, 2025, which means if your organizations wants to bid on new contracts — or continue subcontracting under primes who are — your organization must be ready this year.

If you handle FCI, you’ll likely need CMMC Level 1, which includes:

• 15 controls from FAR 52.204-21
• An annual self-assessment with senior official affirmation
• Documented practices and evidence of implementation

If you handle CUI or SPD, you’ll need at least CMMC Level 2, which includes:

• Full implementation of all 110 NIST SP 800-171 controls and 320 assessment objectives
• A System Security Plan (SSP), POA&M, and SPRS score of at least 110
• A third-party certification from a C3PAO (for most contracts)

The DoD has made it official: October 1, 2025 is the beginning of widespread enforcement. If you plan to work with the DoD, either directly or indirectly, CMMC compliance is no longer optional.

Organizations should treat this deadline as the real start of CMMC and prepare accordingly. That means identifying your scope, implementing the required controls, generating your SSP and POA&M, and engaging with a C3PAO if you need a Level 2 certification.