DBITDefenseCMMC Level 2 · Readiness
(561) 887-5470Free DashboardSign in ↗
Program · Rollout · March 20, 2026

CMMC phased rollout: Phase 1 through Phase 4.

DoD has published a four-phase rollout schedule for CMMC, beginning when the DFARS implementation rule becomes effective and ramping over three years. The phase descriptions below are summarized from DoD CIO program materials.

Published March 20, 2026South Florida · Palm Beach · Broward · Miami-Dade
(561) 887-5470
Tag
Program
Citations
3
Type
Plain summary
Original
no control interpretation
No. 01

Summary and dates.

The four phases

Phase 1 — 10 Nov 2025
DoD begins requiring Level 1 and Level 2 self-assessments in applicable contracts. Kicked off by the effective date of DFARS 252.204-7021.
DoD CIO CMMC About page
Phase 2 — 10 Nov 2026
DoD begins requiring Level 2 certification assessments conducted by authorized C3PAOs in applicable contracts.
DoD CIO CMMC About page
Phase 3 — 10 Nov 2027
DoD begins requiring Level 3 certification assessments where applicable. Level 3 assessments are government-led.
DoD CIO CMMC About page
Phase 4 — 10 Nov 2028
Full implementation: CMMC level requirements appear in all applicable DoD contracts and solicitations.
DoD CIO CMMC About page

Practical reading

Phase numbering is keyed off the 10 November 2025 effective date of the implementing DFARS amendment (DFARS 252.204-7021). Each subsequent phase begins one year after the prior, with full implementation arriving on 10 November 2028.

Specific contract requirements vary by program office and prime-contractor flowdown. Contractors should not assume that absence of CMMC language in a current solicitation means absence in the next one.

No. 02

Sources and citations.

Primary references

DBIT Defense does not interpret control intent or republish substantive control text. All claims above link to primary sources for verification.

No. 03

Related insights.

01
Timeline · Regulation · March 14, 2026

CMMC 2.0 Final Rule: timeline and structure

The CMMC 2.0 Program rule (32 CFR Part 170) was published in the Federal Register in October 2024 and took effect in December 2024. The dates and document struc…

02
Ecosystem · Assessors · April 2, 2026

The C3PAO ecosystem: who they are, where they are

Authorized CMMC Third Party Assessment Organizations (C3PAOs) conduct Level 2 certification assessments. The Cyber-AB maintains the authoritative marketplace li…

03
Standards · NIST · April 18, 2026

NIST SP 800-171: Rev. 2 vs Rev. 3

NIST published Revision 3 of SP 800-171 in May 2024. The CMMC Program rule (32 CFR Part 170) currently references Revision 2 as the underlying control catalog. …

04
Regulation · DFARS · May 2, 2026

DFARS 252.204-7012: history and current applicability

DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been in DoD contracts since 2015 and remains the underlying a…

Know where you stand
before the requirement
reaches the contract.

Start with a focused CMMC readiness assessment. We will send a written scoping summary within two business days, or a candid recommendation if it is not the right fit.

Or call directly (561) 887-5470Mon–Fri · 9am – 6pm ET · South Florida

Request a readiness assessment