CMMC 2.0 Timeline: Key Dates and Milestones for Defense Contractors
CMMC 2.0 rulemaking is complete and phased implementation has begun. Here's every milestone defense contractors need to track, from self-assessment deadlines to C3PAO availability.
Cabrillo Club
Editorial Team · February 5, 2026 · Updated Feb 16, 2026 · 2 min read
CMMC 2.0 is no longer theoretical. The final rule published in October 2024 established a phased implementation timeline that is now active. If you're a defense contractor handling CUI, these dates directly affect your contract eligibility.
This timeline supplements our comprehensive CMMC compliance guide which covers the full control requirements.
Phase 1: Self-Assessment (Active Now)
Phase 1 began when the 48 CFR rule took effect. During this phase:
- CMMC Level 1 self-assessments can appear in new contracts as a requirement
- CMMC Level 2 self-assessments can be required for contracts involving CUI that doesn't require third-party assessment
- Contractors must submit self-assessment scores to SPRS (Supplier Performance Risk System)
Action required: Complete your NIST 800-171 self-assessment and submit your score to SPRS if you haven't already. Ensure your score is accurate—false claims carry False Claims Act liability.
Phase 2: Third-Party Assessments (Starting ~2026)
Phase 2 begins approximately one year after Phase 1:
- CMMC Level 2 certification assessments (C3PAO) can be required in contracts involving prioritized CUI
- C3PAOs (CMMC Third-Party Assessment Organizations) will conduct on-site assessments
- Plan of Action & Milestones (POA&M) will be accepted for limited scope, with 180-day closeout
Action required: Begin remediation of any gaps identified in your self-assessment. C3PAO capacity will be limited initially—early movers will have more scheduling options.
How ready are you for CMMC?
Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.
Check Your CMMC Readinessor try our free CMMC Cost Estimator →
Phase 3: Full Implementation (~2027)
Phase 3 begins approximately one year after Phase 2:
- CMMC Level 3 (DIBCAC-led assessments) can be required for highest-priority CUI
- All CMMC levels can be included in all applicable contracts
- Option periods and renewals will require current CMMC certification
What This Means for Your CRM
Your CRM is part of your CUI boundary. When a C3PAO assesses your organization, they will examine how your CRM handles CUI. This includes email sync, access controls, audit logging, and AI features. Review our CUI-Safe CRM guide to understand the requirements and our CRM compliance checklist to verify your implementation.
How ready are you for CMMC?
Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.
Check Your CMMC Readinessor try our free CMMC Cost Estimator →
How to Prepare Now
- Complete your self-assessment. Score yourself honestly against all 110 NIST 800-171 controls.
- Map your CUI boundary. Know exactly where CUI lives in your systems—including your CRM.
- Create your SSP. Document how you meet each control. Use our SSP template for CRM-specific documentation.
- Budget for remediation. Closing gaps takes time and investment. Start now before C3PAO demand spikes.
- Engage a C3PAO early. Assessment capacity will be constrained. Get on a C3PAO's schedule before the rush.
How ready are you for CMMC?
Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.
Check Your CMMC Readinessor try our free CMMC Cost Estimator →
Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.
Related Articles
CRM Compliance Checklist for Defense Contractors: Is Yours CMMC Ready?
A practical, technical checklist to assess whether your CRM can support CMMC-aligned controls for handling CUI. Learn architecture, configs, and evidence to collect.
CMMC Flowdown Requirements and Your CRM: What Primes Owe Subcontractors (and Vice Versa)
When primes share CUI with subcontractors via CRM, the sub's CRM must also meet CMMC requirements. This guide covers 32 CFR 170.23 flowdown rules, how CUI flows through CRM in prime-sub relationships, verification obligations, common failures, and why purpose-built CRM solves the 300,000-company supply chain compliance problem.
CRM Migration to CMMC Compliance: The Defense Contractor's Roadmap
The defense contractor's roadmap for migrating CRM to CMMC compliance before Phase 2 enforcement. Covers three migration paths (gov cloud upgrade, purpose-built CRM, dual environment), 8-phase timeline, CUI data cleansing, integration challenges, and realistic cost analysis ($50K-$200K).