CMMC Final Rule 2025 Key Dates, Phased Rollout and Timeline for CMMC Compliance
On September 10, 2025, the U.S. Department of Defense (DoD) finalized the Cybersecurity Maturity Model Certification (CMMC) rule. Beginning November 10, 2025, CMMC requirements will start appearing in new DoD contracts, RFPs, and RFIs, initiating a four-phase rollout over three years across the Defense Industrial Base (DIB). Contractors and subcontractors must act now to align with certification requirements or risk exclusion from defense contracts. This article outlines the CMMC timeline, key milestones, and what organizations should expect as enforcement begins.
CMMC Implementation Timeline
The Department of Defense will roll out CMMC in four phases over three years, starting November 10, 2025. Phase 1 introduces self-assessment requirements for Levels 1 and 2, followed by Phase 2 in 2026, when Level 2 certifications from approved third-party assessors become mandatory. Phase 3, beginning in 2027, adds Level 3 requirements for critical programs aligned with NIST SP 800-172. By Phase 4 in 2028, CMMC will be fully integrated into all applicable DoD contracts, making certification a universal requirement across the Defense Industrial Base.
Phase 1: Initial Implementation
Phase 1 begins the CMMC rollout, requiring contractors to perform self-assessments for Level 1 and Level 2 under NIST SP 800-171. This stage establishes the baseline for compliance tracking and SPRS reporting across the Defense Industrial Base.
| Start Date | November 10, 2025 |
|---|---|
| Trigger Event | DFARS Final Rule (252.204-7021) becomes effective. |
| Applies To | Contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) under new solicitations. |
| Level 1 & 2 Self-Assessments | |
| Level 2 Third-Party (C3PAO) Certifications | May appear selectively in contracts at DoD discretion. |
| Level 3 (DIBCAC) Certifications | Not yet included in contracts. |
| Contractor Action Plan | |
Phase 2: Third-Party Certification
Phase 2 marks the shift from self-attestation to verified certification. Contractors pursuing CMMC Level 2 must undergo audits by C3PAO-accredited assessors, making third-party validation a key condition for new contract awards.
| Start Date | November 10, 2026 (one calendar year following the start date of Phase 1) |
|---|---|
| Trigger Event | Expansion of CMMC requirements in solicitations. |
| Applies To | Contractors seeking Level 2 certification for handling CUI. |
| Level 1 & 2 Self-Assessments | |
| Level 2 Third-Party (C3PAO) Certification Assessments | |
| Level 3 (DIBCAC) Certifications | May appear at DoD discretion in select high-priority programs. |
| Contractor Action Plan | |
Phase 3: Advanced Assessment Integration
Phase 3 introduces CMMC Level 3 (Expert) assessments for high-priority defense programs. This phase focuses on advanced threat protection controls and compliance with NIST SP 800-172, targeting organizations handling sensitive or high-impact CUI.
| Start Date | November 10, 2027 (one calendar year following the start date of Phase 2) |
|---|---|
| Trigger Event | DoD begins including CMMC Level 3 (Expert) requirements in select high-priority contracts. |
| Applies To | Contractors supporting critical or advanced defense programs handling high-value CUI. |
| Level 1 & 2 Self-Assessments | |
| Level 2 Third-Party (C3PAO) Certification Assessments | Included as a condition of contract award and option exercise. |
| Level 3 DIBCAC Certification Assessments | |
| Contractor Action Plan | |
Phase 4: Full Implementation, CMMC Becomes Mandatory for All DoD Contracts
Phase 4 concludes the three-year transition. CMMC requirements apply to all new and renewed DoD contracts, and full compliance becomes mandatory for every contractor and subcontractor within the Defense Industrial Base.
| Start Date | November 10, 2028 (one calendar year following the start date of Phase 3) |
|---|---|
| Trigger Event | CMMC fully implemented across the Defense Industrial Base (DIB). The three-year transition period concludes. |
| Applies To | All new DoD contracts and any existing contracts renewed or extended after this date. |
| CMMC Level Requirements | |
| Contractor Action Plan | |
Strategic Imperatives for Stakeholders
1. Baseline Assessment, Gap Analysis, and Roadmap Creation
Upon publication of the final rule, contractors should conduct self-assessments (for Level 1 and 2) against applicable control frameworks such as FAR 52.204-21 and NIST SP 800-171. Identify control gaps and build a remediation roadmap tied to CMMC rollout milestones, particularly Phases 1 and 2.
Learn more about how StratoKey helps meet NIST requirements
2. Budgeting and Resource Allocation
C3PAO and DIBCAC assessments will introduce both capital and operational costs. Budget across the 2025–2028 window for remediation, third-party reviews, and continuous monitoring. Account for internal resource constraints and potential audit fatigue.
3. Third-Party Assessor Selection and Management
By Phase 2, accredited assessors become mandatory for Level 2 certifications. Begin vetting C3PAOs early to confirm methodology, scope, and credentials align with your infrastructure, risk posture, and target CMMC level.
4. Supplier and Subcontractor Readiness
Compliance flows down the supply chain. Prime contractors must ensure all subcontractors handling Controlled Unclassified Information (CUI) can achieve the required CMMC level. Conduct maturity assessments and enforce remediation or replacement where necessary.
StratoKey can assist by helping you secure CUI upstream and manage access to it.
5. Systems Segmentation and Scoping
Effective scoping reduces cost and audit complexity. Not all systems will fall within CMMC boundaries; segment and enclave CUI environments to minimize exposure. Document scoping logic, boundaries, and justifications for audit defensibility.
6. Cloud Service Provider (CSP) Governance and FedRAMP Alignment
Organizations seeking CMMC Level 2 or Level 3 certification must verify that any Cloud Service Provider (CSP) handling Controlled Unclassified Information (CUI) is authorized at the FedRAMP Moderate (or higher) baseline or meets the security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. Using a non-authorized CSP introduces compliance gaps, as its environment does not meet DoD-approved security baselines.
When a required cloud platform lacks FedRAMP authorization, StratoKey’s tokenization gateway provides a compliant alternative. CUI is tokenized before it enters the SaaS or cloud system, ensuring only non-sensitive tokens reside in that environment. The original CUI is securely stored within the contractor’s own FedRAMP-authorized or on-premises environment, under full BYOK/HYOK key control.
This model keeps CUI entirely outside non-compliant systems, satisfies NIST SP 800-171 and 800-172 data-protection controls, and enables continued use of commercial cloud applications without compromising CMMC Level 2–3 requirements.
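The tokenization model described above, in working form. This is an added example written for this article, not StratoKey's own code: an in-memory dict stands in for the encrypted vault that would live inside the contractor's boundary, the record field names and CUI values are constructed, and the gateway's field-level policy (`CUI_FIELDS`) is an assumption about how scoping would be expressed. It shows what the cloud application actually stores after tokenization, that the tokens carry no information about the CUI they replace, that the round trip restores the original record, and how the inbound path rejects a CUI field that came back from the cloud as something other than a vault token.

```python
import secrets
from typing import Any, Dict, Set


class TokenVault:
    """Token-to-CUI mapping that stays inside the contractor's own boundary.

    A plain dict stands in for the encrypted, access-controlled datastore a
    real gateway would use (an assumption made for this example). Tokens come
    from the secrets module (os.urandom underneath) and are not derived from
    the value, so a token seen in the cloud reveals nothing about the CUI.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._by_token:
            # Either a forged token or a value that never passed through the gateway.
            raise ValueError("unknown token")
        return self._by_token[token]

    def is_token(self, value: Any) -> bool:
        return isinstance(value, str) and value in self._by_token


class TokenizationGateway:
    """Sits between contractor users and the SaaS/cloud application.

    cui_fields names the record fields that hold CUI (constructed for this
    example); every other field passes through unchanged so the cloud app keeps
    working on the non-sensitive parts of the record.
    """

    def __init__(self, vault: TokenVault, cui_fields: Set[str]) -> None:
        self.vault = vault
        self.cui_fields = cui_fields

    def outbound(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Contractor -> cloud: replace every CUI field with a vault token."""
        return {
            field: self.vault.tokenize(value) if field in self.cui_fields else value
            for field, value in record.items()
        }

    def inbound(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Cloud -> contractor: resolve tokens back to CUI."""
        restored: Dict[str, Any] = {}
        for field, value in record.items():
            if field in self.cui_fields:
                # A CUI field returning from the cloud must still be a token;
                # anything else means clear text was written on the cloud side.
                if not self.vault.is_token(value):
                    raise ValueError(f"field {field!r} holds a non-token value")
                restored[field] = self.vault.detokenize(value)
            else:
                restored[field] = value
        return restored


def cui_leaked(cloud_record: Dict[str, Any], original: Dict[str, Any],
               cui_fields: Set[str]) -> bool:
    """Evidence check: does any original CUI value appear in what the cloud stores?"""
    sensitive = {original[f] for f in cui_fields if f in original}
    return any(v in sensitive for v in cloud_record.values())


# Constructed sample record: a maintenance ticket with two CUI fields.
SAMPLE_TICKET = {
    "ticket_id": "T-1001",
    "status": "open",
    "part_drawing_id": "DWG-77-ALPHA",                    # constructed CUI value
    "itar_notes": "export-controlled assembly detail",    # constructed CUI value
}
CUI_FIELDS = {"part_drawing_id", "itar_notes"}


def demo() -> Dict[str, Any]:
    """Run one outbound/inbound cycle and return the pieces worth checking."""
    vault = TokenVault()
    gateway = TokenizationGateway(vault, CUI_FIELDS)
    in_cloud = gateway.outbound(SAMPLE_TICKET)   # what the SaaS app stores
    back_home = gateway.inbound(in_cloud)        # what the contractor user sees
    return {
        "in_cloud": in_cloud,
        "back_home": back_home,
        "leaked": cui_leaked(in_cloud, SAMPLE_TICKET, CUI_FIELDS),
        "vault": vault,
    }


if __name__ == "__main__":
    result = demo()
    print("cloud stores   :", result["in_cloud"])
    print("contractor sees:", result["back_home"])
    print("CUI leaked?    :", result["leaked"])
```

Two design points carry over to a real deployment. First, the tokens here are random rather than derived from the value, which is what keeps the cloud-side data outside the CUI boundary; a deterministic or format-preserving scheme (sometimes wanted for search) narrows that guarantee and needs its own analysis. Second, the `cui_leaked` check is the kind of evidence an assessor will want: proof, from the cloud-side copy itself, that no CUI value is present there.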
7. Continuous Compliance, POA&M Closure, and Audit Evidence Management
CMMC certification is not static. Maintain continuous monitoring, track remediation progress, and close Plans of Action and Milestones (POA&Ms) within prescribed timelines (typically 180 days for conditional certifications). Preserve audit-ready evidence at all times.
8. Risk Mitigation and Contract Strategy
Non-compliance can result in disqualification, loss of award eligibility, or potential False Claims Act exposure. Review and update contracting language to address CMMC obligations, include indemnification or limitation clauses, and ensure SPRS scores are accurate and current.
Key Takeaways
- November 10, 2025 marks the first critical milestone: the CMMC rule becomes effective and Phase 1 begins.
- The rollout proceeds in annual phases through November 10, 2028, when CMMC requirements apply to all new and renewed DoD contracts.
- Contractors must plan early, integrating compliance budgeting, supplier alignment, and continuous monitoring into their governance programs.
- Subcontractors become compliance gatekeepers; primes face bottlenecks or disqualification if their supply chains are not CMMC-ready.
- Delays carry real risk: loss of eligibility, contract termination, or potential False Claims Act exposure.
How StratoKey CDP Platform Helps With CMMC Compliance
StratoKey’s gateway-architected platform directly maps to NIST SP 800-171 and NIST SP 800-172 controls, covering encryption, data tokenization, key management, access control, and audit readiness. By securing data before it enters the cloud, StratoKey helps defense contractors satisfy key CMMC and NIST objectives for confidentiality, integrity, and non-repudiation. With the November 2025 rollout approaching, adopting a gateway-based encryption and tokenization model can close compliance gaps and maintain continuous readiness across your cloud ecosystem.
Read more: How StratoKey Encryption Helps You Meet NIST Requirements
There’s Still Time to Secure Compliance
The phased rollout starts November 10, 2025, but proactive contractors can still get ahead. StratoKey’s Cloud Data Protection Platform (CDP) enables defense suppliers to meet CMMC, ITAR, and FedRAMP-High requirements by encrypting and tokenizing Controlled Unclassified Information (CUI) before it ever enters cloud or SaaS environments.
With StratoKey, your organization retains full key control (BYOK/HYOK/CMEK), enforces separation of duties, and keeps sensitive data secured at arm’s length from third-party providers.