A current, no-hype status update on the Cybersecurity Maturity Model Certification and what to do about it now.
Published June 5, 2026 by the Government.biz editorial team. CMMC dates depend on rulemaking; verify specifics against official DoD sources.
Few topics in defense contracting have generated more confusion than CMMC's timeline. Headlines have promised "CMMC required next year" for several years running. The reality in 2026 is more nuanced — and more manageable — than the headlines suggest: CMMC is real, the rules are final, and the requirement is being phased in over several years rather than switched on all at once. Here's where things actually stand.
CMMC runs on two separate regulations, and conflating them is the source of most confusion: the CMMC program rule (32 CFR Part 170), which defines the model, the levels, and how assessments work, and the DFARS acquisition rule, which actually places the requirement into solicitations and contracts.
Rather than requiring every contractor to be certified on day one, the DoD designed a staged rollout that ramps up over roughly three years:
| Phase | What it introduces |
|---|---|
| Phase 1 | CMMC Level 1 and Level 2 self-assessment requirements begin appearing in applicable solicitations. |
| Phase 2 | Level 2 third-party (C3PAO) certification requirements are added for applicable contracts. |
| Phase 3 | Level 3 requirements are introduced for the highest-priority programs. |
| Phase 4 | Full implementation — CMMC requirements apply across all applicable DoD solicitations and contracts. |
Each phase builds on the last, giving the assessor ecosystem time to scale. Because the exact calendar dates hinge on the DFARS rule's effective date and DoD discretion, treat any specific date you read with caution and confirm against official sources. What's stable is the structure: self-assessment first, third-party certification next, then the most sensitive programs.
Level 1: 17 basic practices protecting Federal Contract Information (FCI). Met by an annual self-assessment; no external assessor required.
Level 2: The 110 controls of NIST SP 800-171, protecting Controlled Unclassified Information (CUI). Met by self-assessment for some contracts and a C3PAO assessment every three years for others. This is where most affected contractors land.
Level 3: Adds controls from NIST SP 800-172 for advanced-threat protection. Government-assessed and reserved for the highest-priority programs.
For the full breakdown of practices, costs, and the assessment process, see our CMMC certification guide.
The contractors who will struggle are the ones who wait for CMMC to appear in a solicitation and then scramble. Getting to Level 2 from a standing start can take many months. Practical steps to take today:
CMMC is being phased into DoD solicitations, not applied to all contracts at once. The program rule is in effect, and the DFARS rule introduces the requirement on a multi-year schedule. Whether a specific contract requires CMMC, and at what level, depends on the solicitation, so always check it.
Most contractors handling CUI need Level 2 (the 110 NIST 800-171 controls). Those handling only FCI generally need Level 1 (annual self-assessment). Level 3 applies to a small set of the highest-priority programs.
Some Level 2 contracts allow an annual self-assessment; others require a C3PAO third-party assessment every three years. The contract specifies which. Level 1 is always self-assessed; Level 3 is government-assessed.
Authoritative sources: DoD CIO — CMMC and 32 CFR Part 170. This page is general information, not legal or cybersecurity advice.