December 26
CMMC Final Rule became effective
by Mustafa Mukhtar, MBA, ITIL
Consultant/Content Contributor, E-N Computers
20+ years of experience in IT management, project planning, enterprise systems and user support
Updated August 18, 2025
CMMC deadlines are happening, and businesses that work with the Department of Defense need to prepare now.
To make this easier (and save you from endless Googling), here’s a clear, complete, and no-nonsense timeline of what’s coming and what it means for you.
QUICK ANSWER:
What is the timeline for CMMC?
The CMMC Final Rule took effect on December 26, 2024. Starting July 25, 2025, select DoD contracts may include CMMC requirements. Full implementation will roll out in phases, with the mandatory compliance date for all DoD contractors set for October 31, 2026. After that, contractors who are not compliant will no longer be eligible for new contracts or task orders. By 2028, CMMC compliance is expected to be fully enforced across all DoD contracts.
Key CMMC compliance deadlines and their impact
December 26, 2024 – CMMC Final Rule become effective
The CMMC Final Rule (32 CFR) officially took effect, meaning the program is set in stone. Compliance is no longer a “maybe later” situation. It’s happening, and businesses handling Controlled Unclassified Information (CUI) need to get with the program.
January 31, 2025 – CMMC assessments began
Organizations can now undergo official CMMC assessments. If you want to keep bidding on DoD contracts, it’s time to make sure your cybersecurity practices are up to date.
July 22-23, 2025 – Final Rule Submitted
The Department of Defense sent the finalized 48 CFR Acquisition Rule (DFARS Case 2019 D041) to the Office of Information and Regulatory Affairs (OIRA) on July 22, 2025, marking the last stage of formal rulemaking before publication.
Once OIRA approves the rule (typically within 90 days), it is published in the Federal Register and becomes legally enforceable—often immediately upon publication.
Upcoming Deadlines:
October 1, 2025 – 48 CFR CMMC Acquisition Rule expected to be finalized
Beginning October 1, 2025, the 48 CFR rule becomes enforceable and DFARS clause 252.204-7021 becomes mandatory in nearly all DoD solicitations involving FCI or CUI—except for mass-produced products (like standard laptops, software, or networking gear) that are the same as the commercial version. Contractors must have current certification or a self-assessment posted in SPRS to be eligible for awards.
Q1 2026 – Broader rollout of CMMC requirements in new DoD contracts
After the acquisition rule goes into effect, CMMC Level 1 and Level 2 requirements will start showing up in a growing number of contracts. Level 2 will require assessment by a certified third-party assessment organization (C3PAO); Level 1 can still be self-assessed.
October, 2026 – CMMC compliance required for all new DoD contract awards
This is the hard deadline. No certification = no new business. While existing contracts may not be immediately affected, any new task orders or recompetes will likely trigger the compliance requirement.
2026–2027 – Third-party assessments for Level 2 go mainstream
If you’re handling CUI, you’ll no longer be able to self-assess. Expect a backlog for C3PAO slots, so plan ahead. The sooner you get in line, the better your odds of meeting deadlines.
2028 – Full implementation across all DoD contracts
By 2028, all applicable DoD contracts will require CMMC compliance. This marks the full operational rollout. If you’re still unprepared at this point, you’re effectively out of the running.
CMMC compliance dates at a glance
Top do’s and don’ts for CMMC in 2025
The Do’s
- Use your free consultation: A great first step would be to schedule a complimentary 30-minute consulting session with one of our experienced engineers. During even a short consulting session, some businesses have learned they don’t even need to reach level 2 for CMMC and instead should aim for level 1. A second step would be to take advantage of free or low cost CMMC training.
- Know your level:
- Find out if you need Level 1 (self-assessment) or Level 2 (third-party certification).
- Between 2025 and 2026, Level 1 contractors handling FCI can self-assess. Level 2 contractors dealing with CUI must prepare for third-party assessments starting in 2026.
- COTS Exemption: If you’re selling purely commercial off-the-shelf (COTS) products, like office furniture, you do not need CMMC certification. But if you handle CUI, compliance is non-negotiable.
- Start with a gap analysis: Assess your current cybersecurity posture against CMMC requirements and identify what is missing. Finding weaknesses early gives you more time to fix them without stress.
- Budget for CMMC compliance: CMMC compliance isn’t just about IT upgrades—it’s an investment in your business’s future. But navigating costs can be overwhelming.E-N Computers makes it easy; we’ll assess your cybersecurity, identify gaps, and create a cost-effective roadmap. From budgeting for assessments to exploring government grants, we’ll help you stay compliant without overspending.
- Consider CMMC managed IT services: These services allows you to outsource all or most of your IT work to experts who make sure all of your systems are (and stay) compliant. See a detailed list.
- Schedule your assessment: If you need a third-party review, book it well ahead of the October 2026 deadline to avoid last-minute chaos.
- Stay updated: The DoD loves a good policy change, so keep an eye out for updates that may affect your timeline. The best sources are the official CMMC website, the Federal Register, and the DoD’s Cybersecurity Maturity Model Certification page.
Don’t:
- Start late: The biggest mistake companies make is assuming they can figure out compliance at the last minute.
Many businesses underestimate the complexity of CMMC requirements, only to find themselves scrambling when a contract demands compliance. This leads to rushed, incomplete security implementations and lost contract opportunities.
If you’re starting from scratch, expect the process to take 12-18 months. Companies already aligned with NIST 800-171 may have a shorter road ahead.
The longest step in the compliance journey is implementing security controls and policies. Businesses needing significant IT upgrades, documentation overhauls, and staff training should start now.
Common questions about the CMMC compliance timeline
When is the final deadline to be CMMC-compliant?
October 31, 2026. But waiting until the last minute is a bad idea—CMMC requirements will start showing up in contracts well before then.
Are there different deadlines for prime contractors and subcontractors?
While the final deadline applies to everyone, some contracts may have earlier requirements for primes and their subs. In general, contractors and subcontractors will be hit with those deadlines.
Can businesses bid on contracts while working toward compliance?
It depends. Some contracts may allow businesses to bid while working toward compliance. For example, if you’re providing IT support services that don’t involve handling CUI, you may still qualify. However, if your company deals with sensitive data like blueprints for defense equipment, you will likely need full CMMC certification before you can even submit a bid.
Will there be a grace period or extensions for small businesses?
While there’s no official grace period for small businesses, the DoD has made compliance more attainable. CMMC 2.0 allows self-assessments for Level 1 and some Level 2 requirements, reducing the burden. Also businesses actively working toward compliance and demonstrating their commitment through self-assessments may still be eligible for contracts, provided they meet the necessary requirements
Which step in the CMMC process tends to take the longest, and why?
The step that typically takes the longest in the CMMC process is Documenting and Implementing Practices. This is because it requires organizations to develop and implement a wide range of security controls, policies, and procedures, which must be thoroughly documented. The process often involves coordination across departments, internal assessments, and possibly external audits, which can delay progress, especially if corrective actions are needed.
References
- U.S. Department of Defense: CMMC Overview
- Federal Register: CMMC Final Rule
- National Institute of Standards and Technology (NIST): 800-171 Standards
- CMMC Accreditation Body: Official Website
Complimentary review with an experienced engineer
Are you ready for CMMC?
Get a free strategic consultation to start or streamline your journey toward CMMC compliance.
Next steps
If your business works with the DoD, now is the time to start your CMMC compliance journey. The process can be complex, but getting ahead of the deadlines will help you stay eligible for contracts without unnecessary stress.
Need help with CMMC compliance? Contact our team to learn how we can assist you in preparing for certification and securing your DoD contracts.
Related articles:
If you need CMMC managed IT services
If you need to better understand CMMC requirements:
- The Ultimate Guide to CMMC
- The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
- What is FCI and should I worry about it?
- What is CUI and should I worry about it?
- CMMC compliance deadlines: Key dates and what they mean
If you’re looking for CMMC tools and training:
- We found the best GRC tool for CMMC
- What is Microsoft GCC High and do I need it?
- Best CMMC training resources
- CMMC Level 1 guide as audio book
- CMMC Level 2 guide as audio book
- CUI enclaves in CMMC compliance: Are they right for your business?
If you’re looking for a CMMC consultant or Registered Practitioner Organization:
- Best CMMC consultants
- Best CMMC RPOs near Washington, DC
- Best Virginia Registered Practitioner Organizations
- Case Study: Virginia government contractor nears CMMC compliance
- CMMC Gap Analysis
If you’re looking for a CMMC assessor:
If you’re looking for information about CMMC that is targeted toward smaller businesses:
