What is the CMMC implementation timeline?

CMMC rolls out in four phases. Phase 1 began November 10, 2025 with self-assessments required. Phase 2 begins November 2026 with mandatory C3PAO certification. Phase 3 begins November 2027 adding option exercise requirements and Level 3. Phase 4 begins November 2028 with full implementation across all DoD contracts.

When does CMMC Phase 2 start?

CMMC Phase 2 begins November 2026. It requires mandatory C3PAO third-party certification assessment at contract award. Contractors handling Controlled Unclassified Information (CUI) must hold a valid CMMC Level 2 certification to win new DoD contracts.

What is DFARS 252.204-7021?

DFARS 252.204-7021 is the contract clause that flows CMMC requirements into DoD solicitations and contracts. It became effective November 10, 2025, replacing the previously deleted DFARS 252.204-7019 and renumbered 7020. All CMMC assessment obligations now flow through this single clause.

CMMC Timeline, News & Regulatory Updates 2026

Where CMMC Stands Today

CMMC Phase 1 is active now. Since November 2025, DFARS 252.204-7021 has appeared in DoD solicitations. Self-assessments required. C3PAO assessments at contracting officer discretion. Phase 2 begins November 2026. Mandatory C3PAO certification at award. ~80 C3PAOs serve 16,000+ organizations.

This page tracks every CMMC milestone from inception through 2028. Bookmark and check back quarterly. Quzara delivers CMMC services: advisory, Cybertorch MDR (cybertorch.com), and NISTCompliance.ai (nistcompliance.ai).

The Complete CMMC Regulatory Timeline

**Every major CMMC milestone from inception to full implementation**

2020 — CMMC 1.0 Published
- DoD published CMMC 1.0 with five maturity levels
- Third-party assessments required above Level 1
- CMMC-AB (now The Cyber AB) established
2021 — CMMC 2.0 Announced
- Streamlined from five levels to three
- Level 1: 15 controls, self-assessment
- Level 2: 110 NIST 800-171 controls, C3PAO assessment
- Level 3: NIST 800-172, DoD-led assessment
2023 — Proposed Rule Published
- Proposed rule 32 CFR Part 170 published
- Over 2,000 public comments received
- C3PAO authorizations began
- CMMC ecosystem training launched
2024 — Final Rule Published
- Final rule published December 16, 2024
- Four-phase timeline established
- DFARS 7019 deleted, 7020 renumbered
- Obligations consolidated under DFARS 7021
2025 — Phase 1: CMMC Takes Effect
- Phase 1 begins November 10, 2025
- DFARS 252.204-7021 in solicitations
- Self-assessments required
- ~80 C3PAOs authorized
- GAO report GAO-26-107955 published
2026 — Phase 2: Mandatory
- Phase 2 begins November 2026
- Mandatory C3PAO certification at award
- No cert means no contract
- Assessment backlog expected
2027 — Phase 3: Options & Level 3
- Phase 3 begins November 2027
- Cert required at option exercise
- Level 3 DoD-led assessments begin
- NIST 800-172 enhanced requirements
2028 — Phase 4: Full Implementation
- Phase 4 begins November 2028
- Full CMMC across ALL DoD contracts
- No exceptions or waivers
- Annual affirmation required

CMMC Timeline, News & Regulatory Updates

Where CMMC Stands Today

CMMC Phase 2 Countdown

Key Regulatory Documents

Start Your CMMC Journey

The Complete CMMC Regulatory Timeline

2020 — CMMC 1.0 Published

2021 — CMMC 2.0 Announced

2023 — Proposed Rule Published

2024 — Final Rule Published

2025 — Phase 1: CMMC Takes Effect

2026 — Phase 2: Mandatory

2027 — Phase 3: Options & Level 3

2028 — Phase 4: Full Implementation

Technology Partners

Ready to Start Your CMMC Certification Journey?