The Department of Defense (“DoD”) began the phased rollout of the Cybersecurity Maturity Model Certification 2.0 (“CMMC 2.0”) program on November 10, 2025, officially making compliance with CMMC 2.0 mandatory, and not merely a suggestion, for defense contractors and subcontractors.
For contractors that handle federal contract information (“FCI”) or controlled unclassified information (“CUI”), 2026 marks the first full year of mandatory compliance with CMMC 2.0 and thus attainment of the requisite certifications and measures for compliance can no longer be postponed. A quick reminder of the timeline for this phased rollout bears repeating.
The Phases of Implementation are Scheduled as Follows:
Phase 1 began on November 10, 2025, and will run through November 9, 2026.
DoD has already started to include Level 1 and Level 2 self-assessment requirements in DoD solicitations and contracts. Contractors should be reading solicitations and contracts carefully, looking for level-certification requirements.
Phase 2 begins on November 10, 2026, and will run through November 9, 2027.
In addition to Phase 1 requirements, the DoD will also require Level 2 CMMC Third-Party Assessment Organizations (“C3PAO”) certification in all applicable contracts—affecting the majority of contractors handling DoD contracts that involve CUI. Contractors that regularly work with DoD contracts involving CUI can proactively be working with C3PAOs to begin this process prior to November 10, 2026, to avoid delays. C3PAO schedules are already filling up.
Phase 3 begins on November 10, 2027, and will run through November 9, 2028.
During the third phase, the DoD will include Level 2 C3PAO certification assessment requirements as a condition of contract award. At this time, DoD may also include Level 3 certification assessment requirements in applicable solicitations and contracts as a condition of contract award.
Contractors should note that during phases two and three, DoD has the discretion to delay certification requirements to an option period, instead of imposing it as a condition of contract award, providing some flexibility to contractors. At this stage it is uncertain how much DoD will use its ability to delay to an option period, and thus, contractors should not rely on any such offering.
Phase 4 begins on November 10, 2028.
By this time, all DoD solicitations and contracts must include applicable CMMC 2.0 level requirements, and certification requirements will be enforced across all applicable levels.
What Should Contractors Be Doing Now?
Contractors should be immediately and continuously identifying the language in DoD solicitations and contracts that specify which CMMC 2.0 certification levels are applicable. Once identified, contractors who have not already obtained the appropriate self-assessment or certification assessment must do so. Contractors should be mindful that DoD has the ability to implement CMMC 2.0 standards earlier than the phased rollout timeline (for example, where certain highly sensitive contracts may require Level 2 C3PAO certification during Phase 1). Preparation is key and procrastination should be avoided.
Throughout all the above-mentioned phases, contractors should be monitoring their related subcontracts, ensuring that the contractors have expressed what level of CMMC 2.0 certification applies to these lower-tier subcontracts. The onus is on the contractor to ensure subcontractor compliance with the applicable CMMC 2.0 standards.
Smith Currie Oles will be monitoring impacts of the CMMC 2.0 program and stands ready to provide guidance and assistance to contractors in meeting these complex requirements and safeguarding their interests.
Smith Currie Oles LLP provides comprehensive legal services to all parts of the construction industry across the nation. Smith Currie lawyers have decades of demonstrated success representing construction and federal government contracting clients “From the Ground Up,” including procurement matters, contract formation and negotiation, project administration, claims prosecution and, when necessary, in litigation and other forms of dispute resolution.
The views expressed in this article are not necessarily those of ConsensusDocs. Readers should not take or refrain from taking any action based on any information without first seeking legal advice.