CMMC 2.0 Timeline Update: What Contractors Need to Know
CMMC 2.0 Is Here — Are You Ready?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework has moved from rulemaking to enforcement. As of early 2026, the Department of Defense has begun including CMMC Level 2 requirements in new solicitations, and the timeline for full implementation across the Defense Industrial Base is accelerating. If you handle Controlled Unclassified Information (CUI) and plan to bid on DoD contracts, CMMC compliance is no longer optional.
The final rule, published in late 2025, streamlined the original five-tier model down to three levels. Level 1 requires basic cyber hygiene (17 practices) with annual self-assessment. Level 2 maps to the full NIST SP 800-171 Rev 2 framework (110 controls) and requires a third-party assessment for contracts involving critical CUI. Level 3 adds advanced practices from NIST SP 800-172 and requires a government-led assessment.
Current Implementation Timeline
DoD began a phased rollout in Q1 2026. Phase 1 requires CMMC Level 1 self-assessments for all new DoD contracts involving Federal Contract Information (FCI). Phase 2, starting in mid-2026, adds Level 2 requirements for contracts handling CUI. Phase 3, projected for early 2027, extends Level 2 third-party assessments to all relevant contracts. Phase 4 brings Level 3 requirements for the most sensitive programs.
The Cyber AB (formerly the CMMC Accreditation Body) has authorized over 40 C3PAOs (Certified Third-Party Assessment Organizations) to conduct Level 2 assessments. However, demand far outstrips supply — current wait times for an assessment are running 4-6 months. Contractors who wait until a solicitation requires CMMC will likely miss the bidding window.
What You Should Do Right Now
First, complete a gap assessment against NIST SP 800-171. Identify which of the 110 controls you fully meet, partially meet, or do not meet. Document your findings in a System Security Plan (SSP) and create a Plan of Action and Milestones (POA&M) for any gaps.
Second, engage with a Registered Practitioner (RP) or C3PAO early to understand the assessment process and timeline.
Third, ensure your subcontractors are also on the CMMC compliance path — primes are increasingly requiring CMMC readiness from their supply chain.
The Cost Factor
CMMC compliance is not cheap. Industry estimates for a mid-sized contractor to achieve Level 2 range from $50,000 to $250,000, depending on existing infrastructure and the number of systems in scope. However, DoD has signaled that CMMC compliance costs may be allowable as direct costs on contracts. The key is to start now, document your investments, and factor compliance costs into your indirect rate structure.
Small Business Considerations
Small businesses face a disproportionate burden. The SBA and DoD have acknowledged this and are exploring options including phased implementation for small businesses, subsidized assessment costs, and shared compliance infrastructure through CMMC marketplace solutions. Check with your local PTAC for free CMMC readiness assessments and guidance tailored to small businesses.
— Ask Bureauify