CMMC 2.0 Timeline: Key Dates and Milestones for Defense Contractors

CMMC 2.0 is no longer theoretical. The final rule published in October 2024 established a phased implementation timeline that is now active. If you're a defense contractor handling CUI, these dates directly affect your contract eligibility.

This timeline supplements our comprehensive CMMC compliance guide which covers the full control requirements.

Phase 1: Self-Assessment (Active Now)

Phase 1 began when the 48 CFR rule took effect. During this phase:

• CMMC Level 1 self-assessments can appear in new contracts as a requirement
• CMMC Level 2 self-assessments can be required for contracts involving CUI that doesn't require third-party assessment
• Contractors must submit self-assessment scores to SPRS (Supplier Performance Risk System)

Action required: Complete your NIST 800-171 self-assessment and submit your score to SPRS if you haven't already. Ensure your score is accurate—false claims carry False Claims Act liability.

Phase 2: Third-Party Assessments (Starting ~2026)

Phase 2 begins approximately one year after Phase 1:

• CMMC Level 2 certification assessments (C3PAO) can be required in contracts involving prioritized CUI
• C3PAOs (CMMC Third-Party Assessment Organizations) will conduct on-site assessments
• Plan of Action & Milestones (POA&M) will be accepted for limited scope, with 180-day closeout

Action required: Begin remediation of any gaps identified in your self-assessment. C3PAO capacity will be limited initially—early movers will have more scheduling options.

Phase 3: Full Implementation (~2027)

Phase 3 begins approximately one year after Phase 2:

• CMMC Level 3 (DIBCAC-led assessments) can be required for highest-priority CUI
• All CMMC levels can be included in all applicable contracts
• Option periods and renewals will require current CMMC certification

What This Means for Your CRM

Your CRM is part of your CUI boundary. When a C3PAO assesses your organization, they will examine how your CRM handles CUI. This includes email sync, access controls, audit logging, and AI features. Review our CUI-Safe CRM guide to understand the requirements and our CRM compliance checklist to verify your implementation.

How to Prepare Now

1. Complete your self-assessment. Score yourself honestly against all 110 NIST 800-171 controls.
2. Map your CUI boundary. Know exactly where CUI lives in your systems—including your CRM.
3. Create your SSP. Document how you meet each control. Use our SSP template for CRM-specific documentation.
4. Budget for remediation. Closing gaps takes time and investment. Start now before C3PAO demand spikes.
5. Engage a C3PAO early. Assessment capacity will be constrained. Get on a C3PAO's schedule before the rush.