Think about all the important data that defense contractors handle – plans, communications, project details. The Department of Defense (DoD) wants to make sure that this information is well-protected from cyber threats.
The DoD is rolling out the Cybersecurity Maturity Model Certification (CMMC) program to ensure that companies working with them have sufficient cybersecurity measures in place to protect sensitive information.
But when exactly is this program in effect? Let’s go over the timeline below.
CMMC 2.0 Timeline: A Complete Overview
The development of CMMC has been a step-by-step process. We’ll break down the major steps below to help you understand how this program has evolved over time.

May 2016: FAR 52.204-21 released
In response to growing cyber threats aimed at the Defense Industrial Base (DIB), the DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) released FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
This contract clause requires contractors and subcontractors to implement 15 basic safeguarding requirements and procedures to protect federal contract information (FCI) being processed, stored, or transmitted on contractor information systems.
The FAR clause did not provide for DoD verification of a contractor's implementation of the 15 basic safeguarding requirements.
October 2016: DFARS 252.204-7012 released
DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, was issued in its current form by a final rule in October 2016, requiring defense contractors and subcontractors to provide “adequate security” for all covered defense information. Less than a year later, a DoD memorandum clarified that providing adequate security means implementing all 110 security requirements of NIST SP 800-171 (Revision 1 at the time; Revision 2 was not published until 2020). The deadline to implement the NIST SP 800-171 requirements was December 31, 2017.
By signing a defense contract, vendors were essentially self-attesting that they met all of the security requirements flowed down through DFARS, even if those requirements were not spelled out within the contract itself. Like FAR clause 52.204-21, DFARS clause 252.204-7012 did not require the DoD to verify a contractor's implementation of those security requirements prior to contract award. But if the government discovered that a contractor was not meeting them, or a whistleblower reported non-compliance, the contractor could face liability under the False Claims Act. So this "self-attestation" model wasn't just weakening federal security; it was also introducing legal risk for companies within the DIB.
Years after the release of the FAR and DFARS clauses, many contractors and subcontractors were still not consistently implementing mandated system security requirements for safeguarding FCI or CUI. So the DoD decided they needed to move away from this self-attestation model of security and take steps to assess a contractor's ability to protect this information.
September 2020: The CMMC interim rule released
Starting in 2019, the DoD worked on a framework to make sure contractors and subcontractors were implementing the DoD’s cybersecurity requirements and were capable of protecting unclassified information. This framework, CMMC 1.0, built on the existing requirements of DFARS 252.204-7012 and added a way to verify compliance through third-party certification. CMMC 1.0 was introduced under an interim rule (DFARS Case 2019-D041) published in September 2020.
This interim rule was a temporary set of guidelines issued by the DoD to begin implementing CMMC requirements while the final rule-making process was still ongoing. It provided initial guidance and requirements for defense contractors to start preparing for CMMC compliance.
Building on DFARS clause 252.204-7012, the CMMC interim rule established a five-year phased approach to CMMC implementation, during which CMMC compliance was required only in select pilot contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)).
November 2021: CMMC 2.0 release date
More than a year after the interim rule was released, the DoD officially suspended the CMMC 1.0 pilot efforts and released CMMC 2.0. CMMC 2.0 introduced significant changes to the CMMC program to simplify the certification process, align more closely with existing cybersecurity standards, and reduce the compliance burden on small businesses.
Here’s an overview of the key changes in CMMC 2.0:
- Reduced levels – CMMC 2.0 simplifies the framework from five levels to three: Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
- Stronger alignment with NIST – Compliance requirements now closely follow NIST SP 800-171, Revision 2 (for CMMC Level 2) and NIST SP 800-172 (for CMMC Level 3), making adherence easier for organizations already using these frameworks.
- Self-assessments for certain levels – Level 1 and some Level 2 contracts allow for annual self-assessments instead of third-party audits, reducing compliance costs.
- More focused requirements – Removed some unique CMMC requirements that did not align with existing standards and focused more precisely on protecting Controlled Unclassified Information (CUI).
- Greater accountability and transparency – Self-assessments require affirmation by a senior company official, reinforcing accountability and compliance integrity.
October 2024: The CMMC Final Rule published
CMMC 2.0 is the foundation for the final rule, codified at 32 Code of Federal Regulations (CFR) Part 170 and known as the CMMC Program rule. First published as a proposed rule on December 26, 2023, it was published as a final rule in the Federal Register on October 15, 2024 and went into effect on December 16, 2024.
This rule defines the program itself: the assessment levels, the type of assessment each level requires, who performs it, and how results and affirmations are recorded.
It introduced a framework with three levels of cybersecurity practices. Each level builds on the previous one, getting more advanced:
- Level 1: Foundational - The 15 basic safeguarding requirements of FAR 52.204-21 for protecting FCI, such as keeping malicious-code protection up to date and authenticating users before granting access.
- Level 2: Advanced - The 110 requirements of NIST SP 800-171 Rev. 2 for protecting CUI, such as encrypting CUI in transit and maintaining an incident response capability.
- Level 3: Expert - For the most sensitive CUI: all Level 2 requirements plus 24 enhanced requirements drawn from NIST SP 800-172, such as continuous monitoring and proactive threat hunting.
Why three levels? Because not every contractor handles the same type of information. Some might just handle basic contract details, while others might handle detailed plans or sensitive communications. The three levels let companies match their security efforts to the type of information they’re dealing with and allow DoD officials and contract owners the assurance that the organizations they’re working with are protecting their data according to a specific standard.
If you’re a contractor or subcontractor working with the DoD, you’ll need to get certified at one of these levels. The specific level you need depends on the type of contracts you’re bidding on and the sensitivity of the information involved.
For Level 2, most contracts require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), though some contracts allow a Level 2 self-assessment. Level 3 requires a certification assessment conducted by the DoD through DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), on top of a Level 2 certification. Level 1 is always a self-assessment, but you still have to perform it annually, post the result in the Supplier Performance Risk System (SPRS), and have a senior official affirm it.
December 2024: CMMC 2.0 effective date
As noted above, the DoD published the final rule in the Federal Register on October 15, 2024 and it went into effect on December 16, 2024. At that point the CMMC 2.0 program officially went live and assessments became available.
However, even though CMMC 2.0 is now in effect, it is not yet a requirement in DoD contracts. Let’s take a closer look at its implementation timeline below.
Likely Q2 2025: CMMC 2.0 implementation date
While the final rule went into effect in 2024, the date for implementing CMMC 2.0 is still subject to change.
That's because two rules are needed to fully implement CMMC 2.0. The 32 CFR rule defines the program; the 48 CFR rule (DFARS Case 2019-D041, published as a proposed rule on August 15, 2024) amends the DFARS to put CMMC requirements into DoD contracts and specifies the clause language that will be used. So while the program went live in December, it won’t actually be a requirement in DoD contracts until the 48 CFR rule is final.
At the time of writing, the 48 CFR rule is expected to be final in Q2 2025. When it takes effect, the CMMC phased rollout will begin.
Once the 48 CFR rule is final: CMMC phased rollout begins
The CMMC requirements will be rolled out in stages, eventually making certification a requirement for winning applicable DoD contracts. Full implementation is expected by 2028 if the 48 CFR rule is final in Q2 2025. Here’s the rollout plan:
- Phase 1: Requires CMMC Level 1 or Level 2 self-assessments for applicable contracts. The DoD has discretion to include Level 2 certification assessment requirements in contracts during this phase. Starts on the effective date of the 48 CFR rule.
- Phase 2: Requires CMMC Level 2 certification assessments (by a C3PAO) for applicable contracts, with DoD discretion to include Level 3 requirements. Begins one year after Phase 1 starts.
- Phase 3: Requires CMMC Level 3 certification assessments (by DCMA DIBCAC) for applicable contracts. Begins one year after Phase 2 starts.
- Phase 4: Full implementation: CMMC requirements in all applicable solicitations and contracts, including option periods on existing contracts. Begins one year after Phase 3 starts.
CMMC deadline 2025: When should you start getting ready?
The phased rollout does not mean that organizations can delay CMMC implementation until 2028. They must be fully ready for each of the deadlines represented by these phases — and that means the time to start getting ready is now, if they haven't already.
This is particularly urgent for organizations that need Level 1 or Level 2 compliance, since the DoD intends to include Level 1 and Level 2 self-assessment requirements in all applicable new solicitations and contracts as soon as Phase 1 begins, which the timeline above puts in Q2 2025. It is also particularly urgent for subcontractors, whose prime contractors will likely begin pressuring them to implement CMMC 2.0 before any of these phased deadlines, because the requirement flows down the supply chain.
That said, there are dependencies that must be met before these phases can begin. Namely, the 48 CFR rule still has to be published as a final rule and complete its review period under the Congressional Review Act, which gives Congress a window to review a major rule before it takes effect.
Previously, the rule was expected to be submitted for that review by mid-October 2024 so that it could take effect before the end of December 2024. The timing mattered because a review period that would run into a new Congress restarts in that Congress. Because 2024 was an election year, the 119th Congress convened in early January 2025, so the 48 CFR rule will not become final until sometime in 2025.
FAQs
What is the final rule of the CMMC?
The final rule of the CMMC, also known as the 32 CFR Part 170 CMMC Program rule, is the regulation established by the Department of Defense (DoD) to ensure that defense contractors implement appropriate cybersecurity practices to protect FCI and CUI. It establishes a tiered framework with three levels of security, each with increasing rigor, and defines how each level is assessed.
Is CMMC required yet?
Although the final rule has been published and gone into effect, CMMC 2.0 is not yet required in defense contracts. The 48 CFR (DFARS) proposed rule, which revises DFARS clause 252.204-7021 to carry the CMMC requirement, must also be finalized and clear its Congressional Review Act review period before the DoD can insert CMMC requirements into contracts. The 48 CFR rule is expected to be finalized in Q2 2025, at which point the CMMC phased rollout will begin.
Has CMMC 2.0 been released?
Yes. The DoD published the long-awaited final CMMC 2.0 program rule (32 CFR Part 170) in October 2024 and it went into effect in December 2024. However, that rule does not by itself trigger the phased rollout of CMMC 2.0. The rollout begins only after the companion DFARS rule (48 CFR) is also finalized and takes effect.