CMMC is coming, but when can we expect it to become effective?
A lot of assumptions and misinformation surround CMMC’s rollout. This uncertainty has made it challenging for businesses to know how to act.
In order to help you to plan, this article summarizes our best estimates at the current time for when CMMC will be rolled out. We will update this post as more information emerges. Are you interested in learning more? Check out our definitive guide to CMMC!
Two CMMC Rules
CMMC is split between two rules:
- 32 CFR CMMC Final Rule: Activates the CMMC program, allowing C3PAOs to conduct assessments and contractors to achieve official certification. Effective as of December 16, 2024.
- 48 CFR CMMC Proposed Rule: Requires contract officers to include CMMC certification requirements into new and existing defense contracts. The government will require certification requirements to be added into solicitations over a three year rollout period, but contract officers have the right to flow down requirements earlier.
Estimated effective Date: Q4 2025.
These two proposed rules are at different stages of the review process.
The CMMC Marketplace is Active as of December 16, 2024
- CMMC Level 2 assessments began on January 2, 2025
- As of July 2025, 269 defense companies achieved CMMC Level 2 certification
CMMC Certification Requirements Expected in Q4 2025
- CMMC 48 CFR rule went to OMB for final review on July 22, 2025. OMB has 90 days to review and can ask for an extension if needed. However, 32 CFR was reviewed and approved in just 78 days
- After OMB review, the final rule will be published into the Federal Register and activate the government's phased rollout plan
- While the government provides a three-year rollout period, prime contractors can flow down requirements to their supply chain ahead of the rollout
ISI Insight: Contractors that achieve their CMMC Level 2 assessment before 48 CFR goes into effect have a significant competitive advantage within the DIB.
(timeline last updated 08/08/2025)
Preparing your organization for CMMC
Answering the following questions can help you determine when it is right for your organization to start preparing for CMMC:
- Will you be bidding on new contracts in 2025? We expect CMMC requirements to start appearing in some new DoD contracts in Q4 2025.
- What is your Prime’s expectation regarding CMMC? CMMC requirements may flow down to you via your Prime. It is important to communicate with your prime, if they haven't already, to understand their expectations and timeline. Additionally, visit your prime's Supplier or Supplier Cybersecurity web pages for additional information.
- What CMMC level do you require?
- Level 1, for contractors dealing only with FCI (Federal Contract Information), requires adherence to 17 controls.
- Level 2, for contractors holding, processing or transmitting controlled unclassified information (CUI), requires you to meet all 110 controls and 320 objectives in NIST 800-171.
- Level 3, which will apply only to companies that handle specific CUI for DoD programs with the highest priority and are likely to experience advanced persistent threats. Requires a Level 2 (C3PAO) and Level 3 (DIBCAC) certifications
- What is your current state of CMMC readiness? You should allot at least 6 months for remediation, but most projects take 9-12 months to achieve CMMC Level 2 readiness.
- How do you intend to approach NIST 800-171 compliance (in-house vs. an expert partner)? Your choice of approach will impact your likely timelines for rollout. NIST 800-171 is complex, and an experienced expert partner can help you shorten the time to compliance.
- Can you afford to wait? Given the volume of companies that will be seeking C3PAO assessments, and the small number of these organizations that exist, wait times are expected to increase once the 48 CFR rule final rule is published. As of July 2025, we have seen C3PAOs booked out until Q2 2025.
Remember: Adherence to NIST SP 800-171 has been a requirement for DoD contractors with DFARS 252.204-7012 in their contracts since December 2017.
If you’d like to speak to an expert about your business and CMMC, arrange a complementary consultation.
