CMMC compliance is expected to be required for Department of Defense (DoD) contracts beginning in 2025. This follows the release of the final CMMC 2.0 rule in October 2024, which establishes the certification as a formal requirement for organizations within the Defense Industrial Base (DIB).
CMMC 2.0 will be implemented through a phased rollout from 2025 to 2028, appearing in more DoD contract solicitations each year. The first regulation (32 CFR) defines the CMMC program and took effect on December 16, 2024. The second regulation (48 CFR), which updates the Defense Federal Acquisition Regulation Supplement (DFARS) to enforce CMMC as a contract requirement, is expected to be finalized by mid-2025.
Once both rules are active, contractors and subcontractors bidding on applicable DoD contracts will be required to meet the appropriate CMMC level (Level 1, 2, or 3), depending on the type of information they handle—Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Important: The certification process can take several months, especially at Levels 2 and 3. With limited CMMC Third-Party Assessment Organizations (C3PAOs) available, businesses are strongly encouraged to begin preparations now to avoid delays and maintain contract eligibility.