Think about all the important data that defense contractors handle – plans, communications, project details. The Department of Defense (DoD) wants to make sure that this information is well-protected from cyber threats.
The DoD is rolling out the Cybersecurity Maturity Model Certification (CMMC) program to ensure that companies working with them have sufficient cybersecurity measures in place to protect sensitive information.
Enforcement officially begins on November 10, 2025, more than five years after the first iteration (CMMC 1.0) was introduced. What took so long?
Let’s go over the timeline below to answer this question.
CMMC 2.0 Timeline: A Complete Overview
The development of CMMC has been a step-by-step process. We’ll break down the major steps below to help you understand how this program has evolved over time and where it stands today.

May 2016: FAR 52.204-21 released
In response to increasing cyber threats aimed at the Defense Industrial Base (DIB), the DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) released FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
This contract clause requires contractors and subcontractors to implement 15 basic safeguarding requirements and procedures to protect federal contract information (FCI) being processed, stored, or transmitted on contractor information systems.
The FAR clause did not provide for DoD verification of a contractor's implementation of the 15 basic safeguarding requirements.
October 2016: DFARS 252.204-7012 released
DFARS clause 252.204-7012 was released in October 2016, requiring defense contractors and subcontractors to provide “adequate security” for all covered defense information. The clause defined adequate security as, at a minimum, implementing the security requirements in NIST SP 800-171 (Revision 1 at the time; Revision 2, published in 2020, carries the same 110 requirements), and set an implementation deadline of December 31, 2017. A DoD memorandum issued less than a year later reiterated that contractors had to have all 110 requirements implemented by that date.
By signing a defense contract, vendors were essentially self-attesting that they met all of the security requirements in DFARS 252.204-7012, even though those requirements were not spelled out in the contract itself. Like FAR 52.204-21, DFARS 252.204-7012 did not require the DoD to verify a contractor's implementation of those requirements before award. But if the government discovered, or a whistleblower reported, that a contractor was not meeting them, the contractor could face False Claims Act liability. So the self-attestation model was not just weakening federal security; it was also creating legal risk for companies within the DIB.
Years after the FAR and DFARS clauses took effect, many contractors and subcontractors were still not consistently implementing the mandated security requirements for safeguarding FCI or CUI. The DoD therefore decided to move away from self-attestation and start assessing a contractor's ability to protect this information.
September 2020: The CMMC interim rule released
Starting in 2019, the DoD began working on a framework to verify that contractors and subcontractors were implementing the DoD's cybersecurity requirements and were capable of protecting unclassified information. This framework, CMMC 1.0, built on the existing requirements of DFARS 252.204-7012 and added a way to verify compliance through third-party certification. CMMC version 1.0 was published in January 2020, and the DFARS interim rule that began implementing it was published in September 2020 (effective November 30, 2020).
This interim rule was a temporary set of guidelines issued by the DoD to begin implementing CMMC requirements while the final rule-making process was still ongoing. It provided initial guidance and requirements for defense contractors to start preparing for CMMC compliance.
The interim rule added three new DFARS clauses alongside 252.204-7012: 252.204-7019 and 252.204-7020 (the NIST SP 800-171 DoD Assessment requirements, which introduced the SPRS score) and 252.204-7021 (CMMC). It established a five-year phased approach for CMMC implementation, during which CMMC compliance was required only in select pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
November 2021: CMMC 2.0 announced
More than a year after the interim rule was released, the DoD officially suspended the CMMC 1.0 pilot efforts and released CMMC 2.0. CMMC 2.0 introduced significant changes to the CMMC program to simplify the certification process, align more closely with existing cybersecurity standards, and reduce the compliance burden on small businesses.
Here’s an overview of the key changes in CMMC 2.0:
- Reduced levels – CMMC 2.0 simplifies the framework from five levels to three: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
- Stronger alignment with NIST – Compliance requirements now follow NIST SP 800-171, Revision 2 (for CMMC Level 2) and a selected subset of NIST SP 800-172 (for CMMC Level 3, on top of the Level 2 requirements), making adherence easier for organizations already using these frameworks.
- Self-assessments for certain levels – Level 1 (annually) and some Level 2 contracts (every three years, with an annual affirmation in between) allow self-assessments instead of third-party audits, reducing compliance costs.
- More focused requirements – Removed some unique CMMC requirements that did not align with existing standards and focused more precisely on protecting Controlled Unclassified Information (CUI).
- Greater accountability and transparency – Self-assessments require affirmation by a senior company official, reinforcing accountability and compliance integrity.
December 16, 2024: The 32 CFR CMMC Program Rule in effect
CMMC 2.0 is the foundation for the final rule, codified at 32 CFR Part 170 and known as the CMMC Program rule. First published as a proposed rule on December 26, 2023, it was published as a final rule in the Federal Register on October 15, 2024 and went into effect on December 16, 2024.
This rule is the set of program requirements the DoD put in place to get contractors, assessors, and contracting officers on the same page.
It introduced a framework with three levels of cybersecurity practices. Each level builds on the previous one, getting more advanced:
- Level 1: Foundational - Basic practices that everyone should be doing, like updating antivirus software and managing passwords.
- Level 2: Advanced - More comprehensive practices, aligned with NIST SP 800-171 Rev. 2, like encryption and incident response plans.
- Level 3: Expert - For the most sensitive information, with advanced measures like continuous monitoring and proactive threat hunting.
Why three levels? Because not every contractor handles the same type of information. Some might just handle basic contract details, while others might handle detailed plans or sensitive communications. The three levels let companies match their security efforts to the type of information they’re dealing with and allow DoD officials and contract owners the assurance that the organizations they’re working with are protecting their data according to a specific standard.
If you’re a contractor or subcontractor working with the DoD, you’ll need to get certified at one of these levels. The specific level you need depends on the type of contracts you’re bidding on and the sensitivity of the information involved.
For Level 2 certification, you'll be assessed by a CMMC Third-Party Assessment Organization (C3PAO); for Level 3, by the DoD's Defense Contract Management Agency DIB Cybersecurity Assessment Center (DIBCAC), and only after you already hold a Level 2 certification. Level 1 is self-assessed annually, but you still have to meet all 15 requirements; no POA&M is permitted at Level 1.
While rulemaking under Title 32 CFR, which was required to formally establish the DoD's CMMC Program in regulation, concluded in December 2024, a separate rulemaking process was still underway. This rulemaking process was for Title 48 CFR, which was required to update contractual requirements in the DFARS to actually implement the CMMC program. The next important milestone in this process took place over six months after the 32 CFR rule went into effect.
July 22, 2025: 48 CFR CMMC Acquisition rule sent to OIRA for review, indicating enforcement is imminent
On July 22, 2025, the DoD submitted the 48 CFR CMMC Acquisition rule to the Office of Information and Regulatory Affairs (OIRA), a part of the Office of Management and Budget (OMB), for review.
The DFARS text from the 2020 interim rule (204.7503) had said that CMMC would be required in most DoD contracts starting October 1, 2025. That language dated from the CMMC 1.0 rollout, and it did not carry over into the final 48 CFR rule.
While the exact date was still pending at this point, the Cyber AB's August Town Hall did say CMMC was expected to become enforceable before the end of 2025, and it was right.
The 48 CFR rule cleared regulatory review about five weeks later, on August 25, 2025, and was published as final in the Federal Register on September 10, 2025.
November 10, 2025: 48 CFR Rule in effect, kicking off CMMC phased rollout
The 48 CFR rule takes effect 60 days after its publication, meaning Phase 1 of the CMMC rollout begins on November 10, 2025. From that date, the DoD will include CMMC self-assessment requirements in most new applicable contracts. According to DoD estimates in the 32 CFR rule, these requirements will apply to roughly 65% of the DIB. During Phase 1, the DoD also has the discretion to require third-party Level 2 certification assessments for select high-priority acquisitions.
Bottom line: Starting November 10, 2025, most new DoD contracts will require at least CMMC Level 1 (Self) or Level 2 (Self) status at the time of award, so the majority of the DIB will need to be compliant at one of those levels to win new DoD business.
The CMMC phased rollout: What happens next?
The 48 CFR rule has officially been reviewed by the OIRA and published as final in the Federal Register. On November 10, 2025, 60 days after its publication in the Federal Register, it will trigger a four-phase rollout of CMMC enforcement:
- Phase 1 (November 10, 2025): Requires CMMC Level 1 or Level 2 self-assessments for certain contracts. The DoD does have discretion to include Level 2 certification assessment requirements into contracts at this time. Starts on the effective date of the 48 CFR rule.
- Phase 2 (November 10, 2026): Requires official CMMC Level 2 certification assessments. Begins one year after Phase 1 starts.
- Phase 3 (November 10, 2027): Includes CMMC Level 3 assessments. Begins one year after Phase 2 starts.
- Phase 4 (November 10, 2028): Full implementation for all relevant contracts. Begins one year after Phase 3 starts.
The phased rollout does not mean that organizations can delay CMMC implementation until 2028. CMMC will appear in most new DoD contracts starting November 10, 2025, which means that if your organization wants to bid on new contracts, or continue subcontracting under primes that are, it must be ready now.
If you handle FCI, you’ll likely need CMMC Level 1, which includes:
- 15 controls from FAR 52.204-21
- An annual self-assessment with senior official affirmation
- Documented practices and evidence of implementation
If you handle CUI, you'll need at least CMMC Level 2. Level 2 scoping also pulls in Security Protection Assets and the Security Protection Data (SPD) they generate, such as the logs and configuration data of your security tooling. Level 2 includes:
- Full implementation of all 110 NIST SP 800-171 Revision 2 requirements, assessed against their 320 assessment objectives
- A System Security Plan (SSP), a POA&M for any open items, and a NIST SP 800-171 DoD Assessment score posted in SPRS (110 is a perfect score; a conditional Level 2 status requires a score of at least 88, with the remaining items closed within 180 days)
- A third-party certification from a C3PAO (for most contracts)
Bottom line: If you plan to work with the DoD, either directly or indirectly, CMMC compliance is no longer optional and you must prepare accordingly. That means identifying your scope, implementing the required controls, generating your SSP and POA&M, and engaging with a C3PAO if you need a Level 2 certification.
This post was originally published in September 2024 and has been updated on September 10, 2025 for accuracy and comprehensiveness based on recent updates across the CMMC ecosystem.
FAQs
What is the final rule of the CMMC?
The final rule of the CMMC, also known as the 32 CFR CMMC Program Rule, is a set of guidelines and requirements established by the Department of Defense (DoD) to ensure that defense contractors implement appropriate cybersecurity practices to protect sensitive information. It introduces a tiered framework with three levels of security, each with increasing complexity and rigor.
Has CMMC 2.0 been released?
Yes, the DoD released the long-awaited final CMMC 2.0 rule in October 2024 and it went into effect in December 2024—however, these requirements were not implemented contractually at this time. CMMC 2.0 requirements will begin appearing in most new Department of Defense contracts on November 10, 2025 (sixty days after the publication of the 48 CFR rule in the Federal Register).
Is CMMC required yet?
CMMC will be officially required on November 10, 2025, starting with Level 1 (self), Level 2 (self) and some Level 2 (C3PAO) requirements. However, some subcontractors have already been facing pressure to proactively comply to stay in the prime's supply chain and hundreds of organizations have proactively achieved Level 2 certification (with 270 reported in August).
What is the deadline for CMMC compliance?
CMMC certification will be required in applicable new DoD contracts starting on November 10, 2025. The DoD submitted the 48 CFR Acquisition Rule to OIRA on July 22, 2025; it cleared review on August 25 and was published on September 10. Sixty days after publication, CMMC requirements become formally enforceable in new DoD contracts, starting in Phase 1 with self-assessments and ending in Phase 4 with full implementation of program requirements. With Phase 1 starting in November 2025, Phase 4 will kick off in November 2028.