The Department of Defense (DoD) has outlined its four (4) phase approach for the inclusion of Cybersecurity Maturity Model Certification (CMMC) Program requirements in solicitations and contracts. The first phase is expected to begin in the 1st quarter of 2025, after The Office of Information and Regulatory Affairs (OIRA) approval, and conclude with the fourth phase expected around September 2027.
Please note: These dates reflect our expectations based on the information provided by the DoD. Therefore, these dates may change. We will update our site as soon as new information becomes available.
Phase Timeline:
- Phase 1 (1st quarter of 2025): Begins on the effective date of the CMMC revision to DFARS 252.204–7021
- Phase 2: Begins six months following the start date of Phase 1
- Phase 3: Begins one calendar year following the start date of Phase 2.
- Phase 4: Full Implementation. Begins one calendar year following the start date of Phase 3.
Each Phase In Detail:
Phase 1 (1st Quarter of 2025):
The DoD plans to incorporate either CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment as a prerequisite for contract award in all relevant DoD solicitations and contracts. Additionally, DoD reserves the right, at its discretion, to include CMMC Level 1 Self-Assessment or CMMC Level 2 Self-Assessment as a condition for exercising an option period on contracts awarded before the effective date. Furthermore, DoD may choose, at its discretion, to replace CMMC Level 2 Self-Assessment with CMMC Level 2 Certification Assessment in applicable DoD solicitations and contracts.
Phase 2 (6 Months After Start of Phase 1):
In addition to the Phase 1 requirements, the DoD plans to incorporate CMMC Level 2 Certification Assessment for all relevant DoD solicitations and contracts, making it a prerequisite for contract award. DoD retains the discretion to defer the inclusion of CMMC Level 2 Certification Assessment to an option period instead of making it a condition for contract award. Moreover, DoD may, at its discretion, introduce CMMC Level 3 Certification Assessment for applicable DoD solicitations and contracts.
Phase 3 (1 Year After Start of Phase 2):
Building upon Phase 1 and 2 prerequisites, the Department of Defense (DoD) aims to mandate CMMC Level 2 Certification Assessment for all relevant DoD solicitations and contracts, both as a requirement for contract award and for the exercise of an option period on contracts awarded before the effective date. Additionally, DoD plans to enforce CMMC Level 3 Certification Assessment for all applicable DoD solicitations and contracts as a prerequisite for contract award. However, DoD reserves the right, at its discretion, to postpone the inclusion of CMMC Level 3 Certification Assessment to an option period rather than making it a condition for contract award.
Phase 4 (1 Year After Start of Phase 3):
This phase is full implementation. As such, the DoD will incorporate CMMC Program requirements into all relevant DoD solicitations and contracts, encompassing option periods for contracts awarded before the commencement of Phase 4.
Get a CMMC Readiness Assessment and Prepare Today
Many DoD contractors lack the resources to conduct their own assessment to effectively prepare for CMMC. That’s why many choose to outsource the task to a qualified CMMC consultant like SysArc. We can conduct a CMMC readiness assessment or mock assessment and develop a roadmap for you to achieve CMMC certification so you can continue to do business with the DoD. SysArc has helped over 1,500 DoD contractors navigate the complexities of CMMC and would love to help you. Request a free consultation here.