CMMC Final Rule 2025 Key Dates, Phased Rollout and Timeline for CMMC Compliance

Phased implementation timeline of CMMC Rollout

On September 10, 2025, the U.S. Department of Defense (DoD) finalized the Cybersecurity Maturity Model Certification (CMMC) rule. Beginning November 10, 2025, CMMC requirements will start appearing in new DoD contracts, RFPs, and RFIs, initiating a four-phase rollout over three years across the Defense Industrial Base (DIB). Contractors and subcontractors must act now to align with certification requirements or risk exclusion from defense contracts. This article outlines the CMMC timeline, key milestones, and what organizations should expect as enforcement begins.

StratoKey provides data protection products that help organizations satisfy specific NIST SP 800-171 controls and store regulated data on-premises or in their FedRAMP-authorized environment. It is not a C3PAO and does not provide CMMC compliance advice. For advice, assessment and certification, consult an accredited C3PAO via the Cyber AB Marketplace. 

CMMC Implementation Timeline

The Department of Defense will roll out CMMC in four phases over three years, starting November 10, 2025. Phase 1 introduces self-assessment requirements for Levels 1 and 2, followed by Phase 2 in 2026, when Level 2 certifications from approved third-party assessors become mandatory. Phase 3, beginning in 2027, adds Level 3 requirements for critical programs aligned with NIST SP 800-172. By Phase 4 in 2028, CMMC will be fully integrated into all applicable DoD contracts, making certification a universal requirement across the Defense Industrial Base.

Phase 1: Initial Implementation

Phase 1 begins the CMMC rollout, requiring contractors to perform self-assessments for Level 1 and Level 2 under NIST SP 800-171. This stage establishes the baseline for compliance tracking and SPRS reporting across the Defense Industrial Base.

Start Date: November 10, 2025
Trigger Event: DFARS Final Rule (252.204-7021) becomes effective.
Applies To: Contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) under new solicitations.
Level 1 & 2 Self-Assessments:
  • Level 1 & Level 2 self-assessments required as a condition of award.
  • DoD may require self-assessments to renew or extend option periods on existing contracts.
Level 2 Third-Party (C3PAO) Certifications: May appear selectively in contracts at DoD discretion.
Level 3 (DIBCAC) Certifications: Not yet included in contracts.
Contractor Action Plan:
  • Complete NIST SP 800-171 self-assessment.
  • Submit or update SPRS score.
  • Document POA&Ms.
  • Prepare evidence and governance artifacts in anticipation of third-party review.

Phase 2: Third-Party Certification

Phase 2 marks the shift from self-attestation to verified certification. Contractors pursuing CMMC Level 2 must undergo audits by C3PAO-accredited assessors, making third-party validation a key condition for new contract awards.

Start Date: November 10, 2026 (one calendar year after the start date of Phase 1)
Trigger Event: Expansion of CMMC requirements in solicitations.
Applies To: Contractors seeking Level 2 certification for handling CUI.
Level 1 & 2 Self-Assessments:
  • Included as a condition of contract award.
  • DoD may require them to exercise an option period on a contract that was awarded before the CMMC rollout start date.
Level 2 Third-Party (C3PAO) Certification Assessments:
  • Included as a condition of contract award.
Level 3 (DIBCAC) Certifications: May appear at DoD discretion in select high-priority programs.
Contractor Action Plan:
  • Engage an accredited C3PAO.
  • Close all identified POA&M gaps.
  • Validate encryption, access, and audit controls.
  • Budget for recurring external audits.

Phase 3: Advanced Assessment Integration

Phase 3 introduces CMMC Level 3 (Expert) assessments for high-priority defense programs. This phase focuses on advanced threat protection controls and compliance with NIST SP 800-172, targeting organizations handling sensitive or high-impact CUI.

Start Date: November 10, 2027 (one calendar year after the start date of Phase 2)
Trigger Event: DoD begins including CMMC Level 3 (Expert) requirements in select high-priority contracts.
Applies To: Contractors supporting critical or advanced defense programs handling high-value CUI.
Level 1 & 2 Self-Assessments:
  • Included as a condition of contract award.
  • May be required, at DoD discretion, to exercise an option period on a contract that was awarded prior to the CMMC rollout start date.
Level 2 Third-Party (C3PAO) Certification Assessments: Included as a condition of contract award and option exercise.
Level 3 (DIBCAC) Certification Assessments:
  • Included as a condition of contract award.
Contractor Action Plan:
  • Implement advanced threat protection controls (e.g., enhanced monitoring, segmentation, and encryption).
  • Conduct readiness testing under NIST SP 800-172.
  • Update incident response and vulnerability response procedures.

Phase 4: Full Implementation, CMMC Becomes Mandatory for All DoD Contracts

Phase 4 concludes the three-year transition. CMMC requirements apply to all new and renewed DoD contracts, and full compliance becomes mandatory for every contractor and subcontractor within the Defense Industrial Base.

Start Date: November 10, 2028 (one calendar year after the start date of Phase 3)
Trigger Event: CMMC fully implemented across the Defense Industrial Base (DIB). The three-year transition period concludes.
Applies To: All new DoD contracts and any existing contracts renewed or extended after this date.
CMMC Level Requirements:
  • All applicable contracts include CMMC clauses (Levels 1–3).
  • No waivers or transition allowances remain; full compliance is mandatory.
  • Level 1 and 2 self-assessments reaffirmed annually in SPRS.
  • Level 2 (C3PAO) and Level 3 (DIBCAC) certifications valid for 3 years; annual affirmation required.
  • Results maintained in SPRS and CMMC eMASS as applicable.
Contractor Action Plan:
  • Maintain valid certification and annual affirmations.
  • Ensure subcontractors and vendors meet required CMMC levels through documented flow-downs.
  • Implement continuous monitoring, annual self-reviews, and evidence maintenance for audits.

Strategic Imperatives for Stakeholders

1. Baseline Assessment, Gap Analysis, and Roadmap Creation

Upon publication of the final rule, contractors should conduct self-assessments (for Level 1 and 2) against applicable control frameworks such as FAR 52.204-21 and NIST SP 800-171. Identify control gaps and build a remediation roadmap tied to CMMC rollout milestones, particularly Phases 1 and 2.

Learn more about how StratoKey helps meet NIST requirements

2. Budgeting and Resource Allocation

C3PAO and DIBCAC assessments will introduce both capital and operational costs. Budget across the 2025–2028 window for remediation, third-party reviews, and continuous monitoring. Account for internal resource constraints and potential audit fatigue.

3. Third-Party Assessor Selection and Management

By Phase 2, accredited assessors become mandatory for Level 2 certifications. Begin vetting C3PAOs early to confirm methodology, scope, and credentials align with your infrastructure, risk posture, and target CMMC level.

4. Supplier and Subcontractor Readiness

Compliance flows down the supply chain. Prime contractors must ensure all subcontractors handling Controlled Unclassified Information (CUI) can achieve the required CMMC level. Conduct maturity assessments and enforce remediation or replacement where necessary.

StratoKey can assist by helping you secure CUI upstream and manage access to it.

5. Systems Segmentation and Scoping

Effective scoping reduces cost and audit complexity. Not all systems will fall within CMMC boundaries, so segment and enclave CUI environments to minimize exposure. Document scoping logic, boundaries, and justifications for audit defensibility.

6. Cloud Service Provider (CSP) Governance and FedRAMP Alignment

Organizations seeking CMMC Level 2 or Level 3 certification must verify that any Cloud Service Provider (CSP) handling Controlled Unclassified Information (CUI) is authorized at the FedRAMP Moderate (or higher) baseline or meets the security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. Using a non-authorized CSP introduces compliance gaps, as its environment does not meet DoD-approved security baselines.

When a required cloud platform lacks FedRAMP authorization, StratoKey’s tokenization gateway provides a compliant alternative. CUI is tokenized before it enters the SaaS or cloud system, ensuring only non-sensitive tokens reside in that environment. The original CUI is securely stored within the contractor’s own FedRAMP-authorized or on-premises environment, under full BYOK/HYOK key control.

This model keeps CUI entirely outside non-compliant systems, satisfies NIST SP 800-171 and 800-172 data-protection controls, and enables continued use of commercial cloud applications without compromising CMMC Level 2–3 requirements.
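The tokenize-before-upload flow described above, as an added example written for this article (it is not StratoKey's code): a gateway swaps CUI fields for random tokens before a record leaves the contractor's enclave, the token map stays in a vault on the contractor's side, and only an authorized role may reverse a token. The field names, the sample record and the "cui-reader" role are assumptions made for the example.

```python
import secrets
from typing import Dict

# Assumed for this example: which fields of an outbound record carry CUI.
CUI_FIELDS = {"part_number", "drawing_id"}


class TokenVault:
    """Token-to-CUI map that lives only in the contractor's own environment.
    The SaaS/cloud side receives random tokens and never sees the map."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Random, non-derived token: nothing about the CUI value is recoverable from it.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Separation of duties: only the vault's authorized role may reverse a token.
        if role != "cui-reader":
            raise PermissionError("role not permitted to detokenize")
        return self._store[token]


def outbound(record: dict, vault: TokenVault) -> dict:
    """Gateway step: replace CUI fields with tokens before the record leaves the enclave."""
    return {k: (vault.tokenize(v) if k in CUI_FIELDS else v) for k, v in record.items()}


def inbound(record: dict, vault: TokenVault, role: str) -> dict:
    """Reverse step when an authorized user reads the cloud record back through the gateway."""
    return {k: (vault.detokenize(v, role) if k in CUI_FIELDS else v) for k, v in record.items()}


def leaks_cui(cloud_record: dict, original: dict) -> bool:
    """Audit check: does any original CUI value appear anywhere in what the cloud received?"""
    cloud_blob = " ".join(str(v) for v in cloud_record.values())
    return any(original[f] in cloud_blob for f in CUI_FIELDS if f in original)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; the values are invented for this example.
    rec = {"ticket": "T-100", "part_number": "NSN-5998-01-234-5678", "drawing_id": "DWG-77A"}
    sent = outbound(rec, vault)          # what the SaaS platform receives
    assert not leaks_cui(sent, rec)      # no CUI left the enclave
    assert inbound(sent, vault, "cui-reader") == rec
```

The `leaks_cui` check is the kind of evidence an assessor can be shown for the scoping claim that the SaaS environment holds no CUI.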

7. Continuous Compliance, POA&M Closure, and Audit Evidence Management

CMMC certification is not static. Maintain continuous monitoring, track remediation progress, and close Plans of Action and Milestones (POA&Ms) within prescribed timelines (typically 180 days for conditional certifications). Preserve audit-ready evidence at all times.

8. Risk Mitigation and Contract Strategy

Non-compliance can result in disqualification, loss of award eligibility, or potential False Claims Act exposure. Review and update contracting language to address CMMC obligations, include indemnification or limitation clauses, and ensure SPRS scores are accurate and current.

Key Takeaways

  • November 10, 2025 marks the first critical milestone: the CMMC rule becomes effective and Phase 1 begins.

  • The rollout proceeds in annual phases through November 10, 2028, when CMMC requirements apply to all new and renewed DoD contracts.

  • Contractors must plan early, integrating compliance budgeting, supplier alignment, and continuous monitoring into their governance programs.

  • Subcontractors become compliance gatekeepers; primes face bottlenecks or disqualification if their supply chains are not CMMC-ready.

  • Delays carry real risk: loss of eligibility, contract termination, or potential False Claims Act exposure.

How StratoKey CDP Platform Helps With CMMC Compliance

StratoKey’s gateway-architected platform directly maps to NIST SP 800-171 and NIST SP 800-172 controls, covering encryption, data tokenization, key management, access control, and audit readiness. By securing data before it enters the cloud, StratoKey helps defense contractors satisfy key CMMC and NIST objectives for confidentiality, integrity, and non-repudiation. With the November 2025 rollout approaching, adopting a gateway-based encryption and tokenization model can close compliance gaps and maintain continuous readiness across your cloud ecosystem.

Read more: How StratoKey Encryption Helps You Meet NIST Requirements

There’s Still Time to Secure Compliance

The phased roll-out starts November 10, 2025, but proactive contractors can still get ahead. StratoKey’s Cloud Data Protection Platform (CDP) enables defense suppliers to meet CMMC, ITAR, and FedRAMP-High requirements by encrypting and tokenizing Controlled Unclassified Information (CUI) before it ever enters cloud or SaaS environments.

With StratoKey, your organization retains full key control (BYOK/HYOK/CMEK), enforces separation of duties, and keeps sensitive data secured at arm’s length from third-party providers.
