Important CMMC 2.0 Deadlines – Phased Implementation Details
October 30, 2025
In our October 17, 2025 publication, we briefly noted that the first phase of the Cybersecurity Maturity Model Certification 2.0 program will begin on November 10, 2025, and that clauses such as DFARS 252.204-7021 will start to appear in solicitations and contracts. However, the October 17 publication did not explain the details of the phased rollout. It is important to note that the CMMC 2.0 program will be implemented on a phased timeline (see 32 CFR 170.3(e)):
- Phase 1 (beginning November 10, 2025): Level 1 (self-assessment) or Level 2 (self-assessment) requirements will be included in applicable solicitations and contracts. Even in Phase 1, however, 32 CFR 170.3(e) gives the Department of Defense discretion to require a Level 2 certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) in place of a Level 2 self-assessment, so it is likely that a C3PAO Level 2 certification will be required if the contract involves defense-related CUI.
- Phase 2 (beginning November 10, 2026): Level 2 requirements will be satisfied by a C3PAO certification assessment rather than a self-assessment, although DoD may defer that certification requirement to an option period rather than the initial award. DoD will also have discretion to include a Level 3 certification assessment, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), in applicable contracts.
- Phase 3 (beginning November 10, 2027): The DIBCAC Level 3 certification requirement will be included in all applicable Level 3 solicitations and contracts (again, DoD may defer it to an option period).
- Phase 4 (beginning November 10, 2028): Full implementation. All CMMC program requirements will be included in all applicable solicitations and contracts, including option periods on contracts awarded before Phase 4.
For subcontractors, it is important to understand that, in general, it is the prime contractor (or the higher-tier subcontractor) that is responsible for determining which CMMC Level requirements must be flowed down to the subcontractor, based on the information that is or will be at issue (CUI, FCI, etc.). It is difficult or impossible for a subcontractor to ascertain what CMMC Level may be required in a subcontract before that flow-down determination is made. As a practical matter, if you will handle CUI, you must be at least Level 2 self-assessment compliant, and, as explained above, if you handle defense-related CUI, it is likely that a Level 2 C3PAO certification will be required prior to any contract award involving CUI.
