Skip to Main Content
All Trimarc services are now delivered through TrustedSec! Learn more
September 10, 2025

A Big Step on the CMMC Rollout Timeline

Written by Chris Camejo
CMMC Information Security Compliance

Table of contents

A major step on the CMMC rollout timeline was completed recently as the regulatory change that will create the CMMC contract clause made its way to the Office of Information and Regulatory Affairs (OIRA). This post covers what that means for contractors that want to know when to expect CMMC clauses in their contracts.

September 10, 2025 update: This post has been updated to reflect the publication of the finalized CMMC contract clause with a start date of November 10, 2025.

There are three pieces of information that a contractor needs in order to determine when they can expect to see CMMC requirements in their contracts:

  1. The CMMC level and assessment requirements the contractor expects to be subject to
  2. The start date of the CMMC rollout
  3. The phases of the CMMC rollout

Contractors that are unsure of their future CMMC level and assessment requirements should take a detour to our previous blog post on CMMC Level and Assessment Requirements for Defense Contractors, as the phased rollout information below will be more useful with this knowledge.

A specific start date for the CMMC rollout to begin has not been released. However, based on the submission to OIRA we can estimate that it will be no earlier than October 2025 and likely no later than January 2026. This post will be updated once we have a definitive start date. Additional information on how this range was estimated is provided below.

Some contractors may encounter supposed CMMC clauses even though the CMMC rollout had not yet begun or, if you’re reading this in the future, CMMC clauses that don’t align with the phased rollout schedule. These clauses are suspicious, and contractors should refer to our previous blog post on The Proliferation of “Fake” CMMC Contract Clauses for more information on this topic.

CMMC Rollout Start Date Estimate

The regulation that defines the CMMC program and its requirements, known as 32 CFR 170, was finalized on October 15, 2024. This regulation lays out a phased rollout for CMMC that will take place over three years (explained below); however, it does not set the start date for that rollout, nor does it define the contracting procedures that would impose CMMC obligations on contractors.

Another regulation that creates the CMMC contracting procedures, including the CMMC contract clause and start date for the CMMC phased rollout, was finalized and published on September 10, 2025. The start date for the CMMC rollout will be November 10, 2025.

The publication of the start date doesn’t mean defense contractors will suddenly need to be CMMC compliant on November 10 for a few reasons:

  • The CMMC rules do not alter any prior existing contracts so contractors will continue to protect information they handle today under the terms of the specific contract that information was received or created under. CMMC obligations will only apply to information received or created under new contracts containing CMMC clauses that the contractor receives after the rollout commences.
  • The phased CMMC rollout defined in 32 CFR 170 (and explained below) means that contracts that should eventually contain CMMC clauses will not contain these clauses or will contain clauses that require a lower CMMC level than would be expected based on the information that is being handled during the first three years after the start of the rollout.

The final version of the CMMC contract clause will be inserted at 48 CFR 252.204-7021 (better known as DFARS 7021) to replace the old clause from CMMC 1.0. Organizations interested in what to expect can review the final rule published in the Federal Register. The most interesting parts are the DFARS 7021 clause itself and the DFARS 7025 clause that will be inserted into solicitations to warn of CMMC requirements.

CMMC Rollout Phases

The phases of the CMMC rollout are based on which CMMC level and assessment requirements should apply to a specific contract. The phased rollout of CMMC is defined in 32 CFR 170.3 and contains four phases that dictate when certain types of CMMC requirements will start appearing in new DoD contracts:

Phase 1

Starts:

Effective date of the Title 48 CMMC Acquisition Final Rule

Start Date:

November 10, 2025

Level 1 and 2 Self-Assessments:

  • Included as a condition of contract award
  • May be required to exercise an option period on a contract that was awarded prior to the CMMC rollout start date at DoD discretion

Level 2 C3PAO Certification Assessments:

May be included in some contracts at DoD discretion

Level 3 DIBCAC Certification Assessments:

Not included in contracts

Phase 2

Starts:

One calendar year following the start date of Phase 1

Start Date:

November 10, 2026

Level 1 and 2 Self-Assessments:

  • Included as a condition of contract award
  • May be required to exercise an option period on a contract that was awarded prior to the CMMC rollout start date at DoD discretion

Level 2 C3PAO Certification Assessments:

  • Included as a condition of contract award
  • May be delayed to an option period instead of as a condition of contract award at DoD discretion

Level 3 DIBCAC Certification Assessments:

May be included in some contracts at DoD discretion

Phase 3

Starts:

One calendar year following the start date of Phase 2

Start Date:

November 10, 2027

Level 1 and 2 Self-Assessments:

  • Included as a condition of contract award
  • May be required to exercise an option period on a contract that was awarded prior to the CMMC rollout start date at DoD discretion

Level 2 C3PAO Certification Assessments:

Included as a condition of contract award and option exercise

Level 3 DIBCAC Certification Assessments:

  • Included as a condition of contract award
  • May be delayed to an option period instead of as a condition of contract award at DoD discretion

Phase 4 (Full Implementation)

Starts:

One calendar year following the start date of Phase 3

Start Date:

November, 2028

Level 1 and 2 Self-Assessments:

Included as a condition of contract award and option exercise

Level 2 C3PAO Certification Assessments:

Included as a condition of contract award and option exercise

Level 3 DIBCAC Certification Assessments:

Included as a condition of contract award and option exercise

Next Steps

Based on the information above, a contractor should now have a reasonable understanding of which CMMC level and assessment requirements they will eventually be subject to and when to expect these requirements. Contractors should begin work on achieving compliance at the appropriate level prior to receiving CMMC contract clauses. Contractors that will require Level 2 or Level 3 certification assessments may also want to schedule the necessary third-party assessments with a CMMC Third-Party Assessor Organization (C3PAO) and/or DIBCAC so they are prepared for phase 2 and 3 contract requirements.

Unlike other compliance frameworks, the CMMC program differentiates between organizations that help contractors implement compliance (CMMC Registered Practitioner Organizations or RPOs) and organizations that assess contractors for certification or C3PAOs. TrustedSec is a CMMC RPO and is available to help understand and implement CMMC requirements. Get in touch with us if you need assistance!