The CMMC final rule dropped on October 15, 2024, and with it came a phase-in schedule that every prime contractor and subcontractor in the defense industrial base needs to internalize. The 32 CFR Part 170 timeline is not a suggestion. It is a contractual gate that will determine who can bid on DoD work and who gets locked out. After walking dozens of contractors through this timeline, I can tell you the biggest risk is not the complexity of the controls. It is the false sense of time people carry until it is too late.
The Three-Phase CMMC Rollout
Phase 1: Self-Assessment Is Already Here
Phase 1 went into effect when the 48 CFR CMMC acquisition rule became active. As of late 2025, DoD contracting officers can include CMMC Level 1 self-assessment requirements in new solicitations and contracts. This means any contractor handling Federal Contract Information (FCI) may already be required to complete a Level 1 self-assessment and submit an affirmation into the Supplier Performance Risk System (SPRS).
For Level 2, Phase 1 also allows self-assessments for certain programs where the DoD determines a third-party assessment is not required. These self-assessments still demand full implementation of all 110 NIST SP 800-171 Rev 2 controls, a completed System Security Plan, and an honest SPRS score submission. The word "self" does not mean "easy." It means the government is trusting you to tell the truth, and the False Claims Act applies if you do not.
Key Phase 1 Takeaway
If you have not already completed your Level 1 self-assessment and SPRS affirmation, you are behind. Contracting officers are already including these requirements in new solicitations. Waiting for Phase 2 to start preparing is a strategic mistake.
Phase 2: The C3PAO Assessment Gate
Phase 2 is where the real pressure hits. Approximately one year after Phase 1, DoD will begin requiring CMMC Level 2 certification assessments conducted by accredited C3PAOs (Certified Third-Party Assessment Organizations) for contracts involving CUI. This is the phase that most contractors are focused on, and for good reason: without a passing C3PAO assessment, you cannot be awarded contracts that require Level 2 certification.
The November 2026 target date is not arbitrary. It represents the point at which DoD expects the C3PAO ecosystem to have sufficient capacity to handle assessment demand. But here is the problem: there are roughly 80,000 companies in the defense industrial base that handle CUI, and the number of accredited C3PAOs is still ramping up. The math does not work in your favor if you wait.
C3PAO Capacity vs. Demand
At current capacity, it could take 20+ years to assess every company that needs L2. Early movers have a significant advantage in scheduling assessments.
Phase 3: Level 3 and DIBCAC
Phase 3 introduces CMMC Level 3 requirements, which add 24 controls from NIST SP 800-53 on top of the 110 Level 2 controls. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not C3PAOs. This phase targets contractors working on the most sensitive programs involving critical national security information.
If your contracts involve CUI that the DoD categorizes as requiring enhanced protection against advanced persistent threats, you will need Level 3. The good news is that Phase 3 is approximately two years after Phase 1, giving you more runway. The bad news is that Level 3 requires a passing Level 2 certification first, so you cannot skip ahead.
Who Needs Level 2 and By When
The answer depends on your contract vehicle and the type of information you handle. Here is the decision framework:
CMMC Level Decision Matrix
| Scenario | Level Required | Assessment Type | Earliest Requirement |
|---|---|---|---|
| FCI only, no CUI | Level 1 | Self-assessment | Now (Phase 1) |
| CUI, non-critical program | Level 2 (self) | Self-assessment | Now (Phase 1) |
| CUI, critical program | Level 2 (C3PAO) | Third-party | ~November 2026 |
| CUI with enhanced protection | Level 3 | DIBCAC | ~November 2027 |
What Happens If You Miss the Deadline
There is no grace period. When a solicitation includes a CMMC requirement, you must have the specified certification level at the time of contract award. Not at proposal submission. Not at option exercise. At award. If you do not have it, the contracting officer cannot award you the contract regardless of how strong your technical proposal is.
For primes, this creates a cascading problem. If your subcontractors are not certified at the required level, you cannot flow CUI to them. That means you either find new subs, bring the work in-house, or restructure your supply chain. None of those options are fast or cheap.
The Supply Chain Risk
Primes are already sending compliance questionnaires to their subcontractor base. If you are a sub and you cannot demonstrate a credible path to certification, you risk being replaced before the deadline arrives. The time to act is not when the solicitation drops. It is now.
Realistic Preparation Windows
Based on our experience preparing contractors across the DIB, here are realistic timelines for achieving certification readiness:
Preparation Timeline by Starting Posture
| Starting Posture | Typical State | Time to Assessment Readiness |
|---|---|---|
| Strong (SPRS 80+) | Existing SSP, most controls implemented, some gaps | 3-5 months |
| Moderate (SPRS 40-79) | Partial SSP, significant control gaps, some documentation | 6-9 months |
| Weak (SPRS below 40) | No SSP, minimal controls, limited documentation | 9-14 months |
| Starting from scratch (no SPRS score) | No prior NIST 800-171 implementation | 12-18 months |
How AeoliTech Compresses the Timeline
The timelines above assume traditional consulting-driven preparation. AeoliTech's PolicyCortex platform compresses those windows by approximately four months on average. Here is how:
PolicyCortex Timeline Compression
Automated Gap Assessment (Days, Not Weeks)
PolicyCortex scans your environment and maps current state against all 110 NIST 800-171 controls automatically, producing a prioritized remediation roadmap in days instead of the 4-6 weeks a manual assessment takes.
Policy-as-Code Generation
Instead of writing policies from scratch, PolicyCortex generates enforceable policy-as-code artifacts that satisfy documentation requirements while simultaneously configuring technical controls.
Continuous Evidence Collection
Evidence is collected and organized automatically as controls are implemented, eliminating the last-minute scramble to assemble an evidence package before the C3PAO arrives.
SSP Auto-Generation
The System Security Plan is generated from your actual implementation state, not from a template. This eliminates the disconnect between what your SSP says and what your environment actually does.
The Bottom Line
November 2026 is not a cliff. It is the point at which the first C3PAO-assessed Level 2 requirements will appear in solicitations. But the preparation window is closing fast. If you are a prime, you need to be assessing your supply chain now. If you are a sub, you need to be demonstrating progress to your primes now. The contractors who treat this as a 2027 problem will find themselves locked out of the contracts they depend on.
The phase-in schedule is designed to give the ecosystem time to build capacity. Use that time wisely. Start your gap assessment, engage a preparation partner, and get on a C3PAO's calendar early. The queue is only going to get longer.
Leonard Esere
Founder & CEO, AeoliTech
Leonard has guided dozens of defense contractors through CMMC preparation, drawing on deep experience with NIST frameworks at MITRE and LANL. He leads AeoliTech's mission to make compliance achievable through policy-as-code automation.