CMMC 2.0 Timeline: Key Dates and Milestones for Defense Contractors
CMMC 2.0 rulemaking is complete and phased implementation has begun. Here's every milestone defense contractors need to track, from self-assessment deadlines to C3PAO availability.
Cabrillo Club
Editorial Team · February 5, 2026

CMMC 2.0 is no longer theoretical. The final rule published in October 2024 established a phased implementation timeline that is now active. If you're a defense contractor handling CUI, these dates directly affect your contract eligibility.
This timeline supplements our comprehensive CMMC compliance guide, which covers the full control requirements.
Phase 1: Self-Assessment (Active Now)
Phase 1 began when the 48 CFR rule took effect. During this phase:
- CMMC Level 1 self-assessments can appear in new contracts as a requirement
- CMMC Level 2 self-assessments can be required for contracts involving CUI that doesn't require third-party assessment
- Contractors must submit self-assessment scores to SPRS (Supplier Performance Risk System)
Action required: Complete your NIST 800-171 self-assessment and submit your score to SPRS if you haven't already. Ensure your score is accurate—false claims carry False Claims Act liability.
Phase 2: Third-Party Assessments (Starting ~2026)
Phase 2 begins approximately one year after Phase 1:
- CMMC Level 2 certification assessments (C3PAO) can be required in contracts involving prioritized CUI
- C3PAOs (CMMC Third-Party Assessment Organizations) will conduct on-site assessments
- Plan of Action & Milestones (POA&M) will be accepted for limited scope, with 180-day closeout
Action required: Begin remediation of any gaps identified in your self-assessment. C3PAO capacity will be limited initially—early movers will have more scheduling options.
Phase 3: Full Implementation (~2027)
Phase 3 begins approximately one year after Phase 2:
- CMMC Level 3 (DIBCAC-led assessments) can be required for highest-priority CUI
- All CMMC levels can be included in all applicable contracts
- Option periods and renewals will require current CMMC certification
What This Means for Your CRM
Your CRM is part of your CUI boundary. When a C3PAO assesses your organization, they will examine how your CRM handles CUI. This includes email sync, access controls, audit logging, and AI features. Review our CUI-Safe CRM guide to understand the requirements and our CRM compliance checklist to verify your implementation.
Cabrillo Club helps government contractors win more contracts with AI-powered proposal automation and compliance solutions.


