The Cybersecurity Maturity Model Certification (CMMC) program is no longer a future requirement that defense contractors can plan around at their leisure. It is enforceable, it is appearing in contracts now, and it is rolling out on a fixed multi-year schedule. This guide explains where CMMC enforcement stands in 2026, how the phased rollout works, which certification level applies to your organization, and what you need to do to stay eligible for Department of War (DoW) work.
Where CMMC Enforcement Stands in 2026
The pivotal regulatory milestone has already passed. The DoD published the final 48 CFR rule integrating CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) in the Federal Register on September 10, 2025, and the rule took effect on November 10, 2025. That effective date kicked off the phased rollout that now governs how and when CMMC requirements appear in defense contracts.
In practical terms, CMMC has shifted from policy to binding contractual obligation. Defense contractors now need to be CMMC-certified at the appropriate level to win new DoD contracts. Contractors who delay compliance risk losing business opportunities, and false certifications can carry significant legal and financial penalties. If your organization handles federal contract information (FCI) or controlled unclassified information (CUI), CMMC eligibility is now part of your ability to compete.
How the Two-Rule Framework Works
CMMC operates under two separate but complementary regulations, and understanding the split clarifies why enforcement took until late 2025 to begin.
32 CFR Part 170 establishes the CMMC program itself: its structure, the three certification levels, assessment processes, waivers, and certification requirements. This program rule has been effective since December 16, 2024.
The 48 CFR rule (Parts 204, 212, 217, and 252) implements the acquisition side. This is the rule that authorizes contracting officers to actually place CMMC requirements into solicitations and contracts. It is the enforcement mechanism.
For nearly a year, the program existed (32 CFR) but could not be enforced in contracts because the acquisition rule (48 CFR) had not taken effect. The November 10, 2025 effective date closed that gap. The final rule introduces two DFARS clauses: an updated DFARS 252.204-7021, used in contracts, and a new DFARS 252.204-7025, used in solicitations. Together, these clauses make CMMC certification a formal condition of award.
The Four-Phase, Three-Year Rollout
CMMC is not switching on all at once. The final program rule lays out a four-phase rollout over three years, with Phase 1 beginning on the effective date of the 48 CFR acquisition rule, November 10, 2025. Full implementation is required 36 months after the effective date.
Understanding which phase you are in matters because the assessment burden increases as the rollout progresses.
Phase 1 (first 12 months). Phase 1 focuses on self-assessments aligned with NIST SP 800-171 Rev. 2, giving contractors time to prepare before third-party certification becomes broadly mandatory. The goal is to establish a baseline across the Defense Industrial Base by verifying that contractors can self-assess and report their score to the Supplier Performance Risk System (SPRS). Critically, though, this is not a soft launch. There is no grace period: certification must be achieved before award, and DoD acquisition offices may require Level 2 third-party assessments at their discretion even during Phase 1.
Subsequent phases progressively expand third-party assessment requirements and extend coverage across more contracts, culminating in full implementation across essentially all applicable DoD contracts by the end of the three-year schedule.
Which CMMC Level Applies to You
CMMC uses a tiered structure matched to the sensitivity of the information you handle.
Level 1 (self-assessment) applies to contractors handling only FCI. It requires an annual self-assessment against 17 security controls in NIST SP 800-171.
Level 2 applies when a contractor's information systems store, process, or transmit CUI. Level 2 can be satisfied by self-assessment for some contracts, but Level 2 via a CMMC Third-Party Assessment Organization (C3PAO) is emerging as the default expectation for organizations handling CUI. The DoD can require the C3PAO route for select contracts involving sensitive CUI at its discretion, even in Phase 1.
Level 3 applies to the most sensitive programs and carries the most rigorous government-led assessment requirements.
The practical takeaway is that for most contractors touching CUI, planning around a Level 2 C3PAO assessment is the prudent default. Self-assessment alone is increasingly insufficient to remain competitive.
What Defense Contractors Should Do Now
The realities of the current enforcement environment shape a clear set of priorities.
Self-assessments are no longer sufficient in most CUI scenarios, so organizations handling CUI should plan toward a Level 2 C3PAO assessment rather than assuming self-attestation will carry them. Waivers are rare and granted only at the contract level in limited circumstances, never as a blanket exemption for an individual company, so they should not factor into your planning. Prime contractors have been pressuring subcontractors to certify ahead of formal enforcement, which means the practical market timeline often runs ahead of the official phased schedule; if you supply a prime, expect the requirement to reach you sooner than the rollout phases alone would suggest.
Timing is the central risk. Most organizations need roughly 9 to 12 months to fully implement NIST SP 800-171 controls and pass a C3PAO assessment. With CMMC clauses now live in contracts and the rollout advancing through its phases, an organization that has not yet entered the implementation phase faces real exposure to contract ineligibility. The further the three-year rollout progresses, the more contracts carry the requirement, and the less runway remains for late starters.
The Bottom Line
CMMC enforcement is no longer a countdown; it is the operating environment. The regulatory framework is complete, the acquisition rule is in force, and the phased rollout is steadily expanding the universe of contracts that require certification. For defense contractors, the question is no longer whether CMMC will be required, but whether your certification will be in place before the contracts you want to bid on demand it. Organizations that treat CMMC as a current operational priority, rather than a future compliance project, will protect their position in the defense marketplace. Those that wait risk being locked out of awards they would otherwise win.
How Elevate Can Help
CMMC implementation is demanding, and the gap between starting and being assessment-ready is measured in months, not weeks. Elevate Consult helps defense contractors assess where they stand against NIST SP 800-171, build the security documentation and controls that a C3PAO assessment requires, and chart a realistic path to certification at the right level before enforcement reaches their contracts. Schedule a CMMC readiness consultation to begin your compliance journey and protect your eligibility for DoD work.
Frequently Asked Questions
When did CMMC become enforceable? The 48 CFR acquisition rule was published in the Federal Register on September 10, 2025, and took effect on November 10, 2025, beginning Phase 1 of the rollout. From that date, CMMC clauses began appearing in new DoD solicitations and contracts.
What is the difference between the 32 CFR and 48 CFR CMMC rules? 32 CFR Part 170 establishes the CMMC program (levels, assessments, certification requirements) and has been effective since December 2024. 48 CFR implements the acquisition side, authorizing contracting officers to put CMMC requirements into contracts through DFARS clauses 252.204-7021 and 252.204-7025. The program rule defines the standard; the acquisition rule enforces it.
Do I need a third-party assessment or can I self-assess? It depends on your level and the contract. Level 1 (FCI only) uses annual self-assessment. Level 2 (CUI) can be self-assessed for some contracts, but a C3PAO third-party assessment is increasingly the default for CUI, and the DoD can require it at its discretion. For most organizations handling CUI, planning toward a Level 2 C3PAO assessment is the safest approach.
How long does CMMC certification take? Most organizations need roughly 9 to 12 months to fully implement NIST SP 800-171 controls and pass a C3PAO assessment, which is why starting early is critical as the rollout advances.