The U.S. federal government formalized Cybersecurity Maturity Model Certification (CMMC) 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS) in November 2025, which moved CMMC from pending policy to an enforceable contract requirement. This means your timeline is now tied to active and upcoming Department of Defense (DoD) solicitations and contracts.
November 10, 2026, marks the next major milestone, as Level 2 certification requirements expand across contractors handling Controlled Unclassified Information (CUI). Organizations that prepare now position themselves to compete confidently, while those that wait risk delays when requirements appear.
RADICL is ready to help you understand the CMMC compliance process, so you can stay ahead. Not just for 2026, but for the next contract that depends on it.
CMMC is not a single deadline. Requirements become mandatory when they appear in DoD contracts, so organizations need to be prepared ahead of time.
Key CMMC phase-in milestones:
Final Rule (32 CFR) effective: December 16, 2024
Phase 1 began: November 10, 2025
Phase 2 begins: November 10, 2026
Full implementation across the DIB: November 10, 2028
Starting early — through self-assessments, Supplier Performance Risk System (SPRS) score improvements, and documentation — helps avoid delays as certification requirements expand, especially leading into the November 10, 2026 milestone.
Key CMMC milestones are already in effect. The December 2024 32 CFR Part 170 rule established CMMC 2.0 requirements, and the September 2025 DFARS publication in the Federal Register enabled enforcement in active contracts.
By focusing now on 2025 and 2026 requirements, you build the foundation for full Defense Industrial Base (DIB)-wide enforcement in November 2028. This will help you stay eligible for future contracts.
Throughout 2026, CMMC requirements continue to appear in more Department of Defense (DoD) contracts as Phase 1 progresses.
What to expect during this period:
More Level 1 and Level 2 requirements appear in solicitations and contracts.
Increased emphasis on validated self-assessments and SPRS affirmations.
Growing demand for third-party assessments as organizations prepare for Phase 2.
Potential assessment bottlenecks as more contractors pursue certification.
As Phase 2 begins, CMMC requirements expand significantly across DoD contracts. Many contracts involving Federal Contract Information (FCI) or CUI will require a defined CMMC level as a condition of award or renewal.
At this stage, organizations must demonstrate the required CMMC status — whether through self-assessment or third-party certification — and maintain supporting documentation and affirmations in SPRS. These requirements increasingly extend to subcontractors, as prime contractors flow compliance obligations down their supply chains.
CMMC covers more ground than your internal policies and document handling. A CMMC enclave enforces real security operations and demands continuous monitoring of your business and security environment.
But how do you know which CMMC level applies to you?
Level 1 (FCI): Annual self-assessment proving basic cybersecurity practices, with results uploaded to SPRS.
Level 2 (CUI): Full security program aligned to NIST SP 800-171, requiring a self-assessment or third-party assessment documented in SPRS.
Third-Party Compliance: Any partners handling FCI or CUI must meet requirements; your organization remains responsible for documented policies, controls, and audit-ready evidence.
Phase 1 may still be approaching for some organizations, but this isn’t a deadline you can successfully meet in a month. There is a significant bottleneck in the number of CMMC Third-Party Assessment Organization (C3PAO) assessors. You need to have your environment ready and an assessment booked well in advance.
This is the expected timeline for CMMC compliance:
Nov 10, 2025: Your organization should be positioned to meet CMMC requirements as they begin appearing in new DoD solicitations, with foundational controls and documentation already in place.
Q1 2026: This is a key period to complete Level 1 or Level 2 readiness activities, including self-assessments or preparing for third-party certification, as requirements expand across more contracts.
Nov 10, 2026: By this point, your team should be operating with the required CMMC level for applicable contracts. Phase 2 begins at this stage, and certification requirements expand, especially for organizations handling CUI.
2028: CMMC becomes part of steady-state operations, with ongoing compliance, documentation, and audit readiness integrated into your day-to-day security and governance practices.
Technically, CMMC becomes “required” when it shows up in your specific solicitation, award, option, or task order, not just at the estimated benchmark dates. Even if your specific DoD contract doesn’t require it yet, prime contractors can flow requirements down early.
Remember: If you support any prime contractors on DoD contracts, your effective compliance timeline may be sooner than the DoD-wide milestones.
Starting now on the compliance process your contracts require is the best-case scenario, but what happens if you’re not ready when CMMC requirements appear in your contracts?
If a contract requires a CMMC level and you can’t demonstrate it, you can become ineligible for an award or lose out on renewals and options. This directly impacts revenue, whether you’re the prime contractor or a subcontractor.
Missing the deadline usually triggers a last-minute scramble. Rushed remediation, incomplete documentation, and delays caused by assessment scheduling and rework can create chaos in daily operations.
This creates an ongoing business risk if you can’t demonstrate evidence quickly when a customer or prime contractor asks for it.
CMMC readiness gives you a competitive edge, especially when you’re one of the few certified firms and can prove it quickly.
RADICL’s Managed CMMC compliance solution provides clear, trackable steps to achieve Level 2 readiness. Our CMMC compliance checklist will help you:
Identify where you are in your compliance journey with clear, actionable steps to drive readiness.
Prioritize gaps by identifying your most critical process gaps and how to address them.
Remediate efficiently with guided steps aligned to DoD control requirements.
Verify fixes to ensure nothing has been missed and that you can prove compliance with confidence.
Retain audit-ready documentation that is organized, accessible, and continuously updated in the RADICL platform dashboard.
Our Cybersecurity-as-a-Service (CSaaS) platform addresses up to 30 of the hardest controls and provides continuous monitoring required by CMMC. You get a structured readiness plan and evidence that stays organized over time.
That means a clearer path to readiness when CMMC requirements appear in contracts, without putting the burden on your founder, IT manager, or MSP.
The CMMC final rule doesn’t have to be a last-minute hurdle. With the right structure in place, it becomes a repeatable process you can carry into every contract, renewal, and audit.
RADICL helps you get there with a guided approach to compliance, clear documentation, and a centralized dashboard that tracks progress and builds evidence over time. Instead of scrambling for each bid, your team stays prepared with a system that supports ongoing readiness.
Talk to a RADICL expert today to get compliant, stay audit-ready, and move forward with confidence on every DoD opportunity.
CMMC becomes required as it is included in DoD contracts, with implementation now underway in 2026. Requirements will continue expanding as more contracts incorporate CMMC over time. Subcontractors may face earlier deadlines depending on prime contractor requirements.
32 CFR establishes the CMMC program, including its requirements and assessment framework. 48 CFR (DFARS) is what implements CMMC in DoD contracts, making compliance a condition for contract award.
No. CMMC is being phased into DoD contracts over time, so requirements depend on when they appear in your specific contracts. Rather than a single deadline, organizations should focus on being ready as requirements continue to expand.
Most organizations take 6 to 12 months to reach CMMC readiness, depending on their current security posture and resources. Starting early gives organizations time to identify and close gaps, document implemented controls, and prepare for assessment.
Yes. If you handle FCI or CUI as a subcontractor, you are expected to meet the same CMMC level required of the prime for that contract.
In some cases, yes. Organizations may be able to bid while working toward compliance, but they must meet the required CMMC level by the time of contract award.
A low SPRS score indicates gaps in your NIST SP 800-171 controls. You can improve your score by addressing those gaps and updating your assessment before pursuing contracts that require compliance.
The fastest path to audit readiness is to prioritize closing control gaps, document policies and procedures, and validate your environment against CMMC requirements. Using structured resources, such as those available from RADICL, can help accelerate this process.