The CMMC requirement isn't arriving all at once — it's rolling into contracts in phases. The date that matters most for the defense industrial base is November 10, 2026, when third-party certification becomes a hard gate for contracts involving CUI.
The phased rollout
| Phase | Starting | What it means |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Self-assessment requirements begin appearing in solicitations. |
| Phase 2 | Nov 10, 2026 | Third-party C3PAO Level 2 certification required for applicable CUI contracts — self-attestation no longer satisfies them. |
| Phase 3-4 | 2027-2028 | Scope widens; higher-level requirements apply to more programs. |
Why you can't wait until the deadline
Certification is the end of the process, not the start. Before a C3PAO ever assesses you, you have to close your gaps — which can mean new tooling, policy work, a System Security Plan, and sometimes migrating CUI into a compliant environment. That remediation typically takes months, and C3PAO assessment slots are limited and filling up as the deadline nears.
What to do now
- Get a gap assessment against all 110 controls so you know your real SPRS score and where you stand.
- Build your SSP and POA&M — the documentation an assessor requires.
- Remediate, highest-risk gaps first.
- Schedule your C3PAO assessment early, before the rush.
Start with step one. It's fast, it's fixed-fee, and it tells you exactly how much runway you have.
Beat the deadline.
Remediation takes months. Start with a gap assessment today.