Most defense contractors we talk to have CMMC somewhere on their radar, whether they are deeply buried in CMMC prep or just starting to scratch the surface. Most know the requirements exist, have a general sense of what is involved, and have every intention of getting to it. What tends to catch people off guard is the gap between when they planned to be ready and when they actually need to start the process. The CMMC timeline has specific, hard dates attached to it, and the preparation work that has to happen before those dates lands earlier than most people realize.
Where CMMC Enforcement Actually Stands
According to the Department of Defense's official CMMC FAQ, published at dodcio.defense.gov, the DoD began implementing CMMC requirements on November 10, 2025, when the revised DFARS clause 252.204-7021 became effective. Phase 1 is already underway, and new DoD contracts are being written today with compliance requirements.
One of the most important things to understand about where enforcement currently stands is who actually needs a third-party assessment and who does not, because this is an area where many contractors are operating on incomplete information. According to the DoD's CMMC Implementation Guidance Memo, the vast majority of Level 2 contractors will require a C3PAO certification assessment. Self-assessments will be the exception, not the rule, with 70 to 75 percent or more of companies handling Controlled Unclassified Information requiring third-party certification. The only contractors eligible for self-assessment at Level 2 are those dealing with non-defense CUI that falls outside of the Defense Organizational Index Grouping, which covers data types that are relatively rare in the defense industrial base.
Your specific contract or solicitation will state whether a self-assessment or a C3PAO assessment is required, so the first step for any contractor is understanding exactly what their contracts demand. What does not change regardless of which path applies is the underlying requirement: all 110 security controls in NIST SP 800-171 must be implemented, documented, and capable of holding up under scrutiny. The assessment method determines how compliance is verified, not whether the controls must be in place.
November 10, 2026: The Date That Changes Everything for Level 2
The date that most defense contractors handling sensitive information should be planning around is not the Phase 1 start date. It is Phase 2, which begins November 10, 2026, exactly one year after Phase 1.
According to 32 CFR 170.3(e), cited in the DoD's official CMMC FAQ, Phase 2 is when mandatory Level 2 C3PAO certification assessments become standard for applicable solicitations and contracts. The distinction from Phase 1 is significant. Where Phase 1 primarily relies on self-assessments, Phase 2 requires independent verification by a certified third-party assessor for a wider range of contracts. An organization that has been self-attesting to its compliance posture will need to demonstrate that posture to a C3PAO, not just report it.
For any contractor whose assessment has not yet happened and whose contracts will be subject to Phase 2 requirements, November 10, 2026, is the hard deadline to plan backward from. That is approximately 17 months from the time this campaign begins. It sounds like sufficient runway. It is not, once the actual preparation timeline is factored in.
The Preparation Timeline Most Contractors Underestimate
Most contractors significantly underestimate how long it takes to prepare for a C3PAO assessment. The preparation involves identifying the scope, defining the security boundary, conducting a gap assessment, developing a System Security Plan, remediating identified gaps, and standing up the operational security capability that an assessor will evaluate. Depending on an organization's current security posture, that process realistically takes between six and twelve months from start to assessment-ready.
That means a contractor who needs to be ready for Phase 2 and starts their preparation program in the second half of 2025 may already be managing a compressed timeline. A contractor starting today is working with roughly the minimum viable runway, not a comfortable buffer. Inside that preparation window sits an additional constraint that most planning conversations miss entirely.
The Operational Readiness Window
Before a C3PAO can assess security controls as functioning, those controls must have been operated long enough to produce a verifiable record that proves your program is real and actively running. You must have the right tools in place, and documented evidence that those tools are being actively monitored, that alerts are being investigated, and that incidents are being responded to and documented. The processes have to exist, and you have to be able to prove that your team is executing them on an ongoing basis, because an assessor who arrives and finds tools deployed but no operational history has nothing to verify.
That means the date that actually determines whether your organization walks into a Phase 2 assessment ready is not the assessment date itself, but the date your security operation needs to be running by, and that date lands significantly earlier in the timeline than most contractors account for.
Reaching operational steady state with a managed security partner takes approximately 90 days. That window sits inside the broader six to twelve month preparation timeline rather than after it, which means the clock on that decision is already running. When you work backward from November 10, 2026, and factor in both the full preparation timeline and the 90 days required to build a meaningful operational record, contractors who have not yet engaged a managed security partner will find that the comfortable runway they assumed they had is considerably shorter than it appears.
November 10, 2028: Full Implementation
The DoD FAQ published at dodcio.defense.gov describes Phase 4, which begins November 10, 2028, as full implementation. At this point, all applicable DoD contracts will require CMMC compliance as a condition of contract award. This represents the outer boundary of the phased rollout, not a grace period for organizations that handle sensitive information on defense contracts.
The 2028 date represents full implementation across all applicable DoD contracts, not a deadline by which contractors can begin preparing. The phased rollout was designed to bring more contracts under the requirement gradually, prioritizing higher-risk programs first. By the time Phase 4 arrives, the expectation is that compliant organizations are already operating and maintaining their compliance program.
The Timeline in Plain Language
To summarize the four dates every defense contractor should have on their calendar, sourced directly from the DoD CMMC FAQ and 32 CFR 170.3(e):
November 10, 2025 — Phase 1 begins. CMMC requirements are starting to appear in new DoD contracts. Level 1 and Level 2 self-assessments are required as pre-award conditions. Level 2 C3PAO assessments are possible at the DoD's discretion for select contracts.
November 10, 2026 — Phase 2 begins. Mandatory Level 2 C3PAO certification assessments become standard for applicable contracts. Self-attestation is no longer sufficient for most contractors handling relevant data on these contracts.
November 10, 2027 — Phase 3 begins. Level 2 C3PAO assessments are required across a broader range of contracts, and Level 3 DIBCAC assessments are introduced for high-priority programs.
November 10, 2028 — Phase 4 begins. Full implementation. All applicable DoD contracts require CMMC compliance as a condition of award.
The Question Worth Answering
Given those dates, work backwards from the Phase 2 deadline that applies to your contracts. Factor in six to twelve months of full preparation time. Factor in 90 days to reach operational security steady state within that window.
What date does that math point to for your organization?
For most contractors in the defense supply chain who have not yet engaged a managed security partner, that date is uncomfortably close. The practical reality is that a compressed timeline does not produce a weaker security program if it is managed deliberately. It just requires making the decision earlier rather than later.
The contractors who walk into Phase 2 assessments with confidence are the ones who did those calculations early, built their operational security program with enough runway to develop a meaningful record, and treated the November 10, 2026, deadline as the fixed constraint it is.
Source: U.S. Department of Defense CMMC FAQ, dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-FAQsv4.pdf, and 32 CFR 170.3(e). All phase dates referenced in this post are drawn directly from official DoD documentation.
BitLyft True MDR reaches operational steady state in approximately 90 days or less. If your CMMC timeline is tightening, that is the number to build around. Learn more at bitlyft.com/cmmc.