
CMMC compliance deadlines: key dates and what they mean for your business

by Mustafa Mukhtar, MBA, ITIL
Consultant/Content Contributor, E-N Computers
20+ years of experience in IT management, project planning, enterprise systems and user support

Updated April 27, 2026

CMMC deadlines are happening, and businesses that work with the Department of Defense need to prepare now.

Here’s a running timeline of what’s already happened and what’s coming next.

QUICK ANSWER:

What is the timeline for CMMC?

The CMMC Final Rule took effect on December 26, 2024. On September 10, 2025, the Department of Defense published the 48 CFR CMMC Acquisition Rule in the Federal Register, with an effective date of November 10, 2025. Starting then, new DoD solicitations may include CMMC requirements, including Level 2 certifications during Phase 1 of the rollout. By October 31, 2026, CMMC requirements will be present in all new DoD solicitations under Phase 1 of the rollout. But October 2026 is not a universal hard deadline for every contractor. Your actual deadline depends on when your specific contracts are solicited and awarded. For many contractors, that date is sooner.

Table of Contents

  1. Key CMMC deadlines and their impact
  2. Timeline infographic
  3. Top do’s and don’ts for CMMC in 2026
  4. Common questions about the CMMC compliance timeline
  5. Next steps for businesses
  6. Related articles

Key CMMC compliance deadlines and their impact

The dates below mark when CMMC requirements enter the DoD acquisition process — they define the rollout schedule, not your individual compliance deadline. Your actual deadline is determined by when your specific contract opportunities are solicited and awarded, which may be earlier than any phase milestone on this calendar.

December 26, 2024 – CMMC Final Rule became effective

The CMMC Final Rule (32 CFR) officially took effect. Compliance is no longer a “maybe later” situation — businesses handling Controlled Unclassified Information (CUI) need to act.

January 31, 2025 – CMMC assessments began

Organizations can now undergo official CMMC assessments. If you want to keep bidding on DoD contracts, it’s time to make sure your cybersecurity practices are up to date.

July 2025 – Final Rule Approval Process Concluded

The Department of Defense submitted the finalized 48 CFR Acquisition Rule (DFARS Case 2019-D041) to the Office of Information and Regulatory Affairs (OIRA) on July 22, 2025. This was the final administrative step that cleared the way for the rule’s official publication in the Federal Register later that September.

November 10, 2025 – 48 CFR CMMC Acquisition Rule became effective

Beginning November 10, 2025 (published in the Federal Register on September 10, 2025), the 48 CFR rule became enforceable and DFARS clause 252.204-7021 became mandatory in nearly all DoD solicitations involving FCI or CUI—except for mass-produced commercial items such as standard laptops, software, or unmodified networking gear. Contractors must have current certification or a self-assessment posted in SPRS to be eligible for awards.

Upcoming Deadlines:

Q1 2026 – Broader rollout of CMMC requirements in new DoD contracts

After the acquisition rule went into effect on November 10, 2025, CMMC Level 1 and Level 2 requirements will start appearing in a growing number of contracts. Level 2 will require assessment by a certified third-party assessment organization (C3PAO); Level 1 can still be self-assessed.

October 2026 – CMMC compliance required for all new DoD contract awards

This is the hard deadline. No certification = no new business. While existing contracts may not be immediately affected, any new task orders or recompetes will likely trigger the compliance requirement.

2026–2027 – Third-party assessments for Level 2 go mainstream

If you’re handling CUI, you’ll no longer be able to self-assess. Getting your C3PAO assessment scheduled is important, but it’s not the primary bottleneck most contractors face. The bigger constraint is implementation readiness — having your controls, documentation, and processes in place before the assessment. Booking a slot before you’re ready doesn’t help. Focus on getting compliant first; the assessment follows from that.

2028 – Full CMMC implementation across all DoD contracts

By November 10, 2028, all applicable DoD contracts will require CMMC compliance. This marks the full operational rollout. If you’re still unprepared at this point, you’re effectively out of the running.

CMMC compliance dates at a glance

  • December 26, 2024: CMMC Final Rule became effective
  • January 31, 2025: CMMC assessments began
  • July 22-23, 2025: Final Rule Approval Process Concluded
  • November 10, 2025: 48 CFR CMMC Acquisition Rule became effective
  • Q1 2026: Broader rollout of CMMC requirements in new DoD contracts
  • October 2026: CMMC compliance required for all new DoD contract awards
  • 2026-2027: Third-party assessments for Level 2 go mainstream
  • 2028: Full implementation across all DoD contracts

Top do’s and don’ts for CMMC compliance

The Do’s

  • Use your free consultation: A great first step would be to schedule a complimentary 30-minute consulting session with one of our experienced engineers. During even a short consulting session, some businesses have learned they don’t even need to reach Level 2 for CMMC and instead should aim for Level 1. A second step would be to take advantage of free or low-cost CMMC training.
  • Know your level:
    • Find out if you need Level 1 (self-assessment) or Level 2 (third-party certification).
    • Between 2025 and 2026, Level 1 contractors handling FCI can self-assess. Level 2 contractors dealing with CUI must prepare for third-party assessments starting in 2026.
    • COTS Exemption: If you’re selling purely commercial off-the-shelf (COTS) products, like office furniture, you do not need CMMC certification. But if you handle CUI, compliance is non-negotiable.
  • Start with a gap analysis: Assess your current cybersecurity posture against CMMC requirements and identify what is missing. Finding weaknesses early gives you more time to fix them without stress.
  • Budget for CMMC compliance: CMMC compliance isn’t just about IT upgrades—it’s an investment in your business’s future. But navigating costs can be overwhelming. E-N Computers makes it easy; we’ll assess your cybersecurity, identify gaps, and create a cost-effective roadmap. From budgeting for assessments to exploring government grants, we’ll help you stay compliant without overspending.
  • Consider CMMC managed IT services: These services allow you to outsource all or most of your IT work to experts who make sure all your systems are (and stay) compliant. See a detailed list.
  • Schedule your assessment: If you need a third-party review, book it well ahead of the October 2026 deadline to avoid last-minute chaos.
  • Stay updated: The DoD loves a good policy change, so keep an eye out for updates that may affect your timeline. The best sources are the official CMMC website, the Federal Register, and the DoD’s Cybersecurity Maturity Model Certification page.

Don’t:

  • Start late: The biggest mistake companies make is assuming they can figure out compliance at the last minute. Many businesses underestimate the complexity of CMMC requirements, only to find themselves scrambling when a contract demands compliance. This leads to rushed, incomplete security implementations and lost contract opportunities.
    If you’re starting from scratch, expect the process to take 12-18 months. Companies already aligned with NIST 800-171 may have a shorter road ahead.
    The longest step in the compliance journey is implementing security controls and policies. Businesses needing significant IT upgrades, documentation overhauls, and staff training should start now.
  • Treat the phased rollout calendar as your deadline — it’s a DoD schedule, not a contractor compliance date. See How do I find out my actual CMMC deadline?

Common questions about the CMMC compliance timeline

When is the final deadline to be CMMC-compliant?
There isn’t a single universal deadline. October 2026 is a phase milestone in the DoD’s rollout, but it doesn’t apply equally to every contractor. Your actual deadline is tied to when your specific contract opportunities are solicited and awarded — a metric called Procurement Administrative Lead Time, or PALT. For many small contractors pursuing sub-$10M awards, that window can be as short as 90 days or less from solicitation to award — far too short to begin implementation. In practice, most contractors need to start 12–18 months before their anticipated contract award, which means the real deadline for many is already here or past.

Are there different deadlines for prime contractors and subcontractors?
While the final deadline applies to everyone, some contracts may have earlier requirements for primes and their subs. In general, both contractors and subcontractors will be subject to those deadlines.

Can businesses bid on contracts while working toward compliance?
It depends. Some contracts may allow businesses to bid while working toward compliance. For example, if you’re providing IT support services that don’t involve handling CUI, you may still qualify. However, if your company deals with sensitive data like blueprints for defense equipment, you will likely need full CMMC certification before you can even submit a bid.

Will there be a grace period or extensions for small businesses?
While there’s no official grace period for small businesses, the DoD has made compliance more attainable. CMMC 2.0 allows self-assessments for Level 1 and some Level 2 requirements, reducing the burden. Also, businesses actively working toward compliance and demonstrating their commitment through self-assessments may still be eligible for contracts, provided they meet the necessary requirements.

Which step in the CMMC process tends to take the longest, and why?
Implementation. Developing and documenting security controls takes longer than most contractors expect — it involves coordinating across teams, writing policies, and sometimes making significant IT changes. Many organizations also discover gaps during this phase that require backtracking. The assessment itself is the easy part once your house is in order.

How do I find out my actual CMMC deadline?
Look up your customer’s long-range acquisition forecast. Federal law requires all DoD components to publish these publicly — you can find them on each service branch’s Office of Small Business Programs website. They show anticipated solicitation and award quarters for upcoming contracts, which lets you calculate how much runway you actually have and work backward to figure out when you need to start.

Next steps

If your business works with the DoD, now is the time to start your CMMC compliance journey. The process can be complex, but getting ahead of the deadlines will help you stay eligible for contracts without unnecessary stress.

Need help with CMMC compliance? Contact our team to learn how we can assist you in preparing for certification and securing your DoD contracts.

Related articles:

If you need CMMC managed IT services

  • Virginia CMMC Managed IT Services

If you need to better understand CMMC requirements:

  • The Ultimate Guide to CMMC
  • The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
  • What is FCI and should I worry about it?
  • What is CUI and should I worry about it?
  • CMMC compliance deadlines: Key dates and what they mean
  • How long does CMMC compliance really take?

If you’re looking for CMMC tools and training:

  • We found the best GRC tool for CMMC
  • What is Microsoft GCC High and do I need it?
  • Best CMMC training resources
  • CMMC Level 1 guide as audio book
  • CMMC Level 2 guide as audio book
  • CUI enclaves in CMMC compliance: Are they right for your business?

If you’re looking for a CMMC consultant or Registered Practitioner Organization:

  • Best CMMC managed service providers in DC metro area
  • Best CMMC consultants
  • Best CMMC RPOs near Washington, DC
  • Best Virginia Registered Practitioner Organizations
  • Case Study: Virginia government contractor nears CMMC compliance
  • CMMC Gap Analysis

If you’re looking for a CMMC assessor:

  • Best CMMC assessors near Washington, DC

If you’re looking for information about CMMC that is targeted toward smaller businesses:

  • Is CMMC worth the cost?