CMMC: Phased Rollout Timeline
After years of delays, CMMC is finally launching. Six years, ten months, and 26 days after CMMC was first announced, the final DFARS rule putting CMMC into DoD contracts was published on September 10, 2025.
Starting November 10, 2025, the Department of Defense begins requiring CMMC assessments and certifications from contractors, and your company's ability to win future contracts depends on understanding these new rules. Here we summarize the phased rollout of CMMC.
Upfront some definitions:
- OSC: Organization Seeking Certification (that would be you)
- COTS: Commercial Off-The-Shelf
- FCI: Federal Contract Information
- CUI: Controlled Unclassified Information
- SPRS: Supplier Performance Risk System
- C3PAO: CMMC Third-Party Assessment Organization
- POA&M: Plan of Action and Milestones
- DIBCAC: Defense Industrial Base Cybersecurity Assessment Center (the DoD assessor for Level 3)
Understanding CMMC UIDs (Unique Identifiers)
- Each UID represents one assessment scope (the systems/enclave you evaluated)
- If you have multiple separate systems handling FCI/CUI, you may have multiple UIDs
- You provide these UIDs in your proposals so contracting officers can verify your status
- UIDs stay with those specific systems – if you change your system setup, you may need new UIDs
What “CMMC phased rollout” means
The CMMC phased rollout has four phases: a three-year phase-in (Phases 1 through 3) followed by full implementation (Phase 4) beginning in year four:
- Years 1–3 (Nov 10, 2025 → Nov 9, 2028): CMMC appears selectively. Program offices add it where they decide it’s appropriate (COTS-only awards are excluded – CMMC does not apply to them).
- Year 4 onward (Nov 10, 2028+): CMMC is generally required whenever the contract requires using contractor systems to process, store, or transmit FCI or CUI (again, excluding COTS-only).
What this means for you: Not every new solicitation after Nov 10, 2025 will carry CMMC, but many will – by policy choice – through the three-year phase-in. After Nov 10, 2028, expect CMMC requirements whenever your systems will handle FCI/CUI. Remember: Even if DoD doesn’t require CMMC in a specific contract right away, prime contractors can – and increasingly will – require it from their subs.
What contracting officers will check
You must hold the required CMMC status before contract award. Once CMMC appears in a solicitation, here is what contracting officers will verify and what you need to maintain:
Before contract award:
- A current CMMC status (self-assessment or certification) at the level named in the solicitation, posted in SPRS for every system that will handle FCI/CUI under the contract
- The CMMC UID(s) for those systems listed in your proposal so the contracting officer can look them up
- For Levels 2 and 3, either Final status or a Conditional status that is still within its 180-day window
During contract performance:
- Keep your CMMC status current for the life of the contract, and obtain new UIDs if the assessed system changes
- Affirm annually in SPRS that you remain compliant and that there have been no significant changes to the system
- Flow the requirement down to subcontractors that handle FCI/CUI and confirm they hold the required status
Where this comes from: DFARS 252.204-7021 is the contract clause, and DFARS 252.204-7025 is the solicitation provision (the notice to offerors) that accompanies 7021.
Conditional status & POA&M (Level 2/3 only)
DoD permits a Conditional CMMC status (i.e., with open POA&M items) for Levels 2 and 3 only, valid for up to 180 days from the date the conditional status was achieved. Award may occur while you hold conditional status, subject to program needs.
Important: Even for Conditional status, your Level 2 assessment (self-assessment or C3PAO) must score at least 88 of the 110 points under the DoD assessment methodology for NIST SP 800-171, and only a limited set of requirements may sit on the POA&M, which must be closed out within the 180 days.
Level 1 has no conditional path: every Level 1 practice must be MET.
Flowdown & subcontractors
Subcontractors must comply with CMMC at the required level the same way primes do, including self-assessment posting, certification, and annual affirmation in SPRS. Only the prime submits UIDs to the contracting officer (subcontractors enter results in SPRS and can share screenshots with the prime).
COTS exception (throughout)
Awards solely for the acquisition of COTS items are excluded from the CMMC clause and provision prescriptions in both the selective (Years 1–3) and the broad (Year 4+) phases.
For Level 1 (FCI only) OSCs
What is required:
Assessment type:
Self-assessment (Level 1), posted to SPRS when the clause is present. The Level 1 self-assessment is repeated annually; keep your CMMC status current for the life of the contract and affirm annually in SPRS.
Scoping:
In scope are all assets that process, store, or transmit FCI; assets that do not handle FCI are out of scope. While no formal SSP is required, it is still smart to keep a lightweight SSP/system description and a few basic policies so you can clearly explain your scope and boundaries.
Specialized assets:
IoT/IIoT, OT, GFE, restricted information systems, and test equipment are not assessed at Level 1.
For Level 2 (FCI & CUI) OSCs
What is required:
Assessment type:
At a minimum, Level 2 requires a self-assessment against all 110 NIST SP 800-171 Rev. 2 requirements, scored with the DoD assessment methodology (full implementation is 110 points). If the contract involves CUI in the Defense Organizational Index Grouping of the NARA CUI Registry, a Level 2 certification assessment by a C3PAO is required instead of a self-assessment. Level 3 requires a Final Level 2 C3PAO certification as a prerequisite plus an additional assessment by DIBCAC.
Your program office determines the CMMC level of your contract.
Scoping:
Level 2 scope includes CUI assets, Security Protection Assets, Contractor Risk-Managed Assets (CRMA), and Specialized Assets, with specific documentation/assessment expectations. Using enclaves to constrain scope is allowed; inherited controls are fine where valid, but all requirements must be met within the scope.
Conditional Status & POA&M:
You can be awarded with a Conditional Status if
(a) your score is at least 88/110, and
(b) every open item on your POA&M is one the rule allows to be deferred. Broadly, that means requirements worth 1 point under the DoD assessment methodology; 3- and 5-point requirements cannot be deferred, with the single exception of SC.L2-3.13.11 (CUI encryption) when encryption is in place but not FIPS-validated, and a handful of 1-point requirements are also excluded (external connections, control of public information, and the physical-access requirements for escorting visitors, access logs, and managing physical access).
Final status must be reached within 180 days by closing out all POA&M items.
When will you actually see DFARS 252.204-7021/7025?
During the initial phase-in (through Nov 9, 2028), the -7021/-7025 clauses appear in a solicitation when the program office chooses to include CMMC for that buy.
Starting Nov 10, 2028 the -7021/-7025 clauses will appear automatically whenever your systems will handle FCI/CUI on that contract.
Also note that the clause can be added to solicitations issued just before the effective date so long as award occurs on/after Nov 10, 2025; Contracting Officers may bilaterally add it to existing contracts with consideration.
Why you’ll hear about “UIDs,” “SPRS,” and “affirmations” so much
DoD expects CMMC to be scoped to the specific systems you’ll use. Each assessment scope (enclave/system set) gets a CMMC UID from SPRS/eMASS, and those UIDs ride with your offer so Contracting Officers can verify your status. Then you affirm annually that you remain compliant and that there are no significant changes to the system.
The Short Version:
- Phase 1 begins Nov 10, 2025 – CMMC appears selectively for three years; from Nov 10, 2028 forward, it’s required when you’ll handle FCI/CUI
- Level 1: Self-assessment + annual affirmation; scope includes only FCI-handling assets
- Level 2: CUI in the Defense Organizational Index Grouping requires a C3PAO assessment; other CUI may be covered by a Level 2 self-assessment. Conditional status (POA&M) is possible for 180 days, but see the details above!
- Always: Provide CMMC UIDs, keep SPRS current, affirm annually, and ensure subcontractors comply
