Some new Department of Defense (DoD) contracts are already referencing CMMC 2.0 requirements.
Primes are tightening their flowdown requirements, and contracting officers are watching for early compliance signals. Waiting for full implementation in 2028 can leave you out of consideration before you even bid.
This article breaks down the actual CMMC 2.0 timeline. You’ll see when Level 2 requirements start showing up in solicitations, what phased implementation really means, and how to prepare on time.
CMMC MSP Consulting: Navigating Compliance offers broader insights into partnering with a provider to support CMMC readiness.
CMMC 2.0 and the Compliance Landscape
The Cybersecurity Maturity Model Certification (CMMC) is how the DoD enforces cybersecurity across its supply chain. Version 2.0 narrowed the model and raised the bar for contractors managing sensitive data.
The model now includes three levels:
- Level 1: Basic safeguarding of federal contract information (FCI), covering the 15 requirements of FAR 52.204-21, validated through annual self-assessment.
- Level 2: The 110 security requirements of NIST SP 800-171 Rev 2, required for contractors handling controlled unclassified information (CUI), validated by self-assessment or by a third-party (C3PAO) assessment, depending on how the contract designates it.
- Level 3: Advanced requirements drawn from NIST SP 800-172 for contractors supporting high-priority or critical national security programs. It builds on a Level 2 certification and is assessed by the government (DCMA DIBCAC).
Most mid-sized defense contractors fall under Level 2.
The jump from Level 1 to Level 2 is significant. Level 2 requires implementing and being assessed against all 110 requirements, with either self-assessment or third-party certification as the contract specifies. Many DoD contractors are still working to implement the necessary technical safeguards, formalize policies and procedures, and build repeatable operational processes. Just as importantly, teams must be trained to execute and maintain these requirements consistently over time, and that does not happen overnight.
Don’t know where to start? Read Demystifying CMMC Compliance: Breaking Down the Basics.
The Real CMMC 2.0 Timeline: What to Expect and When
The CMMC 2.0 rollout is already underway. Contractors handling CUI will need to meet Level 2 requirements as CMMC is incorporated into new DoD solicitations and contracts through the phased rollout. The key is understanding when those requirements begin appearing in your contract pipeline and what phases to watch for.
Where Things Stand Now
The DoD's CMMC acquisition rule (the 48 CFR/DFARS final rule) took effect on November 10, 2025. It is the rule that puts CMMC requirements into DoD solicitations and contracts, building on the 32 CFR Part 170 program rule that defined the model itself. Implementation follows a four-phase plan, reaching full implementation three years after the effective date. Although certification requirements are being phased in, compliance expectations are already showing up in solicitations, pre-award questionnaires, and subcontractor evaluations.
Official guidance outlines a four-phase implementation model:
Phase 1
Initial Contract Inclusion
- Became effective November 10, 2025.
- CMMC requirements begin appearing in select contracts and solicitations as implementation starts.
- Level 1 is validated through annual self-assessment.
- Level 2 is validated through self-assessment for non-prioritized acquisitions, while third-party certification may be required for prioritized contracts.
- Level 1 and Level 2 self-assessment results (including required affirmations) are submitted through SPRS when applicable.
- Contractors are expected to begin building and demonstrating compliance readiness, even when certification is not yet required for a specific contract.
- As CMMC begins appearing in DoD contracts in Phase 1, prime contractors will be expected to manage CMMC flowdown requirements across their subcontractor base—especially where subcontractors handle CUI.
Phase 2
Broader enforcement begins
- Begins November 10, 2026.
- Level 2 third-party certification requirements become more common in contracts involving CUI.
- Certification increasingly becomes a condition of award for applicable work.
- Prime contractors increasingly require verified compliance status from subcontractors before awarding work involving CUI.
Phase 3
Certification expectations mature
- Begins November 10, 2027.
- Certification requirements are routinely included in applicable solicitations.
- Greater scrutiny is placed on audit readiness, documentation, and ongoing compliance.
- Level 3 requirements, assessed by the government (DCMA DIBCAC), begin appearing for programs involving critical national security information.
Phase 4
Full Implementation
Baseline expectation across applicable contracts
- Begins November 10, 2028.
- CMMC certification becomes a standard requirement for all applicable DoD contracts.
- Contractors without the required Level 2 validation (self-assessment or certification, depending on the contract) will be ineligible for award.
- Ongoing compliance, not one-time certification, becomes the norm.
Why Waiting is Risky
Although enforcement is being phased in, many prime contractors are already evaluating subcontractors based on compliance readiness. Gap assessments, documented policies, and clear remediation plans are increasingly influencing vendor selection.
But contractors should understand: the phased rollout only affects when requirements appear in contracts. Once a contract requires Level 2 validation, the assessment rules apply immediately, and those rules are stricter than many organizations expect.
For Level 2, organizations may receive either:
- Final Level 2 status, meaning all requirements are implemented with supporting evidence, or
- Conditional Level 2 status, which allows limited remediation through a POA&M. It is available only if the assessment score is at least 88 of 110 (80 percent), every open item is eligible for a POA&M (in general only 1-point requirements, with no requirement the rule explicitly prohibits from a POA&M), and all POA&M items are closed and verified within 180 days. Only then does the organization reach Final Level 2 status; otherwise the conditional status lapses. Note that Level 1 allows no POA&M at all.
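The conditional-status rules above are easy to get wrong in a spreadsheet, so here is an added example (written for this page, not SecureTech's or DoD's code) that applies them to a list of unmet requirements. It assumes the DoD Assessment Methodology scoring that feeds SPRS (each of the 110 NIST SP 800-171 requirements is worth 1, 3 or 5 points; the score starts at 110 and loses each unmet requirement's value) and the 32 CFR 170.21 limits on a Level 2 POA&M: a minimum score of 88, only 1-point items on the POA&M except SC.L2-3.13.11 at its 3-point partial value, and five requirements that may never be on a POA&M. The sample findings are constructed, not real assessment results.

```python
# Added example (not from the page): a CMMC Level 2 POA&M eligibility check.
# Assumes the DoD Assessment Methodology scoring used for SPRS and the
# 32 CFR 170.21 POA&M rules; sample findings below are constructed.
from dataclasses import dataclass

MAX_SCORE = 110
POAM_MIN_SCORE = int(0.8 * MAX_SCORE)  # 88 of 110
POAM_CLOSEOUT_DAYS = 180

# Requirements that may never sit on a Level 2 POA&M, even though they are 1-point items.
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
# CUI encryption may be on a POA&M only at its partial-credit value
# (3 points: encryption in place, but not FIPS-validated).
CUI_ENCRYPTION = "SC.L2-3.13.11"


@dataclass(frozen=True)
class Finding:
    requirement: str   # CMMC practice ID, e.g. "AC.L2-3.1.3"
    points_lost: int   # deduction recorded by the assessor: 1, 3 or 5


def assessment_score(findings):
    """SPRS-style score: 110 minus the value of every unmet requirement."""
    return MAX_SCORE - sum(f.points_lost for f in findings)


def poam_blocker(f):
    """Reason this finding cannot be carried on a POA&M, or None if it can."""
    if f.requirement in NEVER_ON_POAM:
        return f"{f.requirement} may never be placed on a POA&M"
    if f.requirement == CUI_ENCRYPTION:
        if f.points_lost == 3:
            return None
        return f"{CUI_ENCRYPTION} is POA&M-eligible only at its 3-point partial value"
    if f.points_lost > 1:
        return (f"{f.requirement} is a {f.points_lost}-point requirement; "
                "only 1-point items may be on a POA&M")
    return None


def level2_status(findings):
    """Return (status, reasons) where status is 'final', 'conditional' or 'not_met'."""
    findings = list(findings)
    if not findings:
        return "final", []
    reasons = []
    score = assessment_score(findings)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score}/{MAX_SCORE} is below the {POAM_MIN_SCORE} minimum")
    reasons.extend(r for r in map(poam_blocker, findings) if r)
    if reasons:
        return "not_met", reasons
    return "conditional", [
        f"{len(findings)} POA&M item(s) must be closed out within {POAM_CLOSEOUT_DAYS} days"]


# Constructed scenarios (not real assessment results).
CLEAN = []
SMALL_GAPS = [Finding("AC.L2-3.1.3", 1), Finding("AU.L2-3.3.4", 1), Finding(CUI_ENCRYPTION, 3)]
EXCLUDED_ITEM = SMALL_GAPS + [Finding("AC.L2-3.1.22", 1)]   # 1-point, but never POA&M-eligible
HIGH_VALUE_GAP = SMALL_GAPS + [Finding("AC.L2-3.1.1", 5)]   # 5-point item blocks conditional status

if __name__ == "__main__":
    for name, f in [("clean", CLEAN), ("small_gaps", SMALL_GAPS),
                    ("excluded_item", EXCLUDED_ITEM), ("high_value_gap", HIGH_VALUE_GAP)]:
        status, reasons = level2_status(f)
        print(f"{name}: score={assessment_score(f)} status={status}")
        for r in reasons:
            print("   -", r)
```

The point to notice is that the 88-point threshold is the weakest of the three tests: a single excluded or multi-point requirement left open makes the organization ineligible for conditional status even with a score of 105, so remediation should be ordered by POA&M eligibility, not by raw point value.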
This is why waiting is risky: once certification requirements are enforced in applicable contracts, preparation must already be complete or close enough that any remaining gaps can be remediated within the allowed window. Contractors and subcontractors that wait until certification is mandatory risk being excluded before they have the opportunity to compete.
Timeline Takeaway
If you handle CUI, assume Level 2 certification will be required in upcoming contract cycles. The time to act is months before a solicitation appears, when there’s still room to plan and prepare.
Getting to Level 2: What Contractors Need to Do Now
Preparing for CMMC 2.0 Level 2 certification is both a technical project and an operational priority. Most contractors need six to twelve months to get assessment-ready, and that clock should start before a certification requirement ever appears in a contract.
Key Steps to Start Now
Here’s what defense contractors should be doing before Level 2 shows up in a contract clause:
- Identify your data scope
Confirm whether your organization handles CUI and where it lives. If it does, Level 2 applies to the systems, people, and facilities in that scope.
- Run a gap assessment
Compare your current environment against the NIST SP 800-171 requirements. This highlights what is missing and where the risks are.
- Create a system security plan (SSP)
This formal document describes your system boundary, the controls in place, and how each requirement is met.
- Build a POA&M
A Plan of Action and Milestones (POA&M) shows how you intend to close the remaining gaps, who owns each item, and on what timeline.
- Select a C3PAO
For contracts that require certification, the assessment must be performed by a CMMC Third-Party Assessment Organization (C3PAO). Selection and scheduling should happen well in advance, since assessor capacity is limited.
- Start documentation now
Policies, procedures, access control, logging, incident response. If it is not documented, it does not count.
These are not tasks to tackle during an active proposal. They are groundwork.
Pitfalls to Avoid
There’s a pattern emerging among defense contractors who delay preparation. These are the most common missteps:
- Assuming Level 1 covers them
If you handle CUI, Level 1 is not enough. Only Level 2 meets that bar.
- Relying on internal checklists
Without alignment to NIST SP 800-171, those checklists will not survive an assessment.
- Waiting for a contract clause to force the issue
Prime contractors are already pressing vendors for proof of readiness.
- Underestimating the effort
Documentation and remediation take time, especially for mid-sized organizations juggling multiple systems.
Industry advocates have raised concerns about timing and burden, but the requirements remain in motion. The best position to be in is ready.
As compliance models evolve, so do the tools used to support them. The Role of AI in Modern Cybersecurity: Opportunities and Risks explores how emerging technologies are reshaping defense and security environments.
Compliance Builds Resilience
Businesses that prepare properly often gain stronger systems, clearer internal processes, and better long-term control.
What improves through early certification prep:
- Operational discipline
Policies shift from informal habits to documented, repeatable practices.
- Stronger IT management
Security controls become structured and easier to monitor.
- Faster decisions
Leaders gain clearer visibility into risk, user activity, and system health.
Preparation for Level 2 sharpens the entire business. It also helps organizations address weaknesses that go beyond compliance.
Compliance work often reveals blind spots in cloud environments. Cloud Security Myths Debunked: What Every Business Leader Should Know breaks down where those assumptions tend to fall short.
Move Early. Certify with Confidence.
CMMC 2.0 is here. Primes are paying attention. Level 2 certification is becoming the standard for handling CUI, and defense contractors who wait may find themselves behind.
Preparation helps you operate with more clarity and resilience.
SecureTech helps contractors move forward with confidence. We support the full lifecycle of CMMC 2.0 readiness, from assessment and documentation to remediation and long-term maintenance. Our approach is structured, responsive, and tailored to the realities of midsized businesses navigating federal contract requirements.
If Level 2 certification is in your path, the next move is clear.
Explore SecureTech’s CMMC Services to take the next step toward readiness.
Frequently Asked Questions
What changed in CMMC 2.0?
CMMC 2.0 reduced the model from five levels to three. It removed the separate process-maturity requirements and aligned Level 2 directly with NIST SP 800-171. It also introduced self-assessment for some contracts while requiring third-party certification for others.
When does Level 2 become mandatory?
With the 48 CFR/DFARS rule now in effect, Level 2 validation is mandatory whenever a DoD solicitation or contract requires it. DoD is phasing CMMC into contracting, and by November 10, 2028 (Phase 4), all applicable DoD solicitations and contracts will include the relevant CMMC level as a condition of award.
How should a contractor get started?
SecureTech recommends a structured 3-step approach:
- Assess & Identify Gaps
Confirm whether you handle CUI, then evaluate your current environment against the Level 2 requirements (NIST SP 800-171) to understand what is missing and what is already in place.
- Build the Compliance Roadmap (SSP + POA&M Plan)
Create a practical roadmap that defines scope, prioritizes remediation, and documents exactly how gaps will be closed. This includes updating the System Security Plan (SSP) and building a Plan of Action and Milestones (POA&M). The POA&M is the formal remediation plan that lists each unmet requirement, who owns it, what will be done, and the timeline to completion, with the understanding that not every requirement is eligible to remain on a POA&M at assessment time.
- Implement, Validate, and Maintain
Close the technical and operational gaps, prepare for the required validation method (self-assessment or C3PAO certification, depending on the contract), and establish repeatable processes to sustain compliance long-term, not just pass once. CMMC requires ongoing accountability through annual affirmations and reassessment on a three-year cycle for Level 2.
Does every defense contractor need Level 2?
No. Level 2 applies when a contractor handles Controlled Unclassified Information (CUI) on covered DoD work and the contract requires Level 2 validation. If your work involves only Federal Contract Information (FCI), Level 1 requirements, validated through annual self-assessment, will typically apply. However, many mid-sized defense contractors and subcontractors fall into the Level 2 category because CUI flows down from prime contracts, so planning early is essential.