CMMC Phase 2 Timeline Explained

For years, there has been widespread misunderstanding about the CMMC rollout timeline, particularly around the belief that November 2026 represents a universal deadline for all contractors to achieve CMMC Level 2 certification. This is not how the regulation is structured.

The confusion largely stems from how CMMC Phase 2 is being interpreted versus how it is defined in the rule. Under the CMMC regulation, Phase 2 begins one calendar year after the start of Phase 1, which began on November 10, 2025. This places the start of Phase 2 implementation in November 2026. However, the start of Phase 2 is not a blanket compliance deadline for all Defense Industrial Base contractors. Instead, the regulation ties applicability to specific contract requirements.

As outlined in §170.3(d)(2), the Department of Defense states that, in addition to Phase 1 requirements, it intends to include CMMC Level 2 certification (conducted by a C3PAO where applicable) as a condition of award for applicable contracts. The key term is “applicable.”

CMMC requirements aren’t applied uniformly across all contracts or all contractors. They’re determined by the nature of the data involved in the contract, specifically whether Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is present and how it is handled within the scope of performance. This means the rollout is contract-driven, not organization-wide.

Some solicitations will require CMMC Level 2 certification earlier. Others may not require it at all depending on scope, data type, and procurement structure. Prime contractors may also impose flowdown requirements that differ from federal baseline timing, creating additional variability for subcontractors. As a result, there’s no single date where all 100,000-plus contractors are expected to hold Level 2 certification.

Instead, CMMC requirements will appear incrementally as contracts are released and updated under Phase 2 applicability rules. This distinction is important because it changes how organizations should prepare.

The risk is not missing a universal deadline as much as it is entering a solicitation or subcontract opportunity where CMMC Level 2 is already required and not being ready to compete. For that reason, contractors should not rely on generalized timelines. They should evaluate readiness based on their specific customers, contracts, and data handling requirements. Even within the phased rollout, the Department of Defense maintains discretion in applying requirements based on acquisition needs. This means organizations must stay aligned not just to regulatory phases, but to customer-driven expectations.

CMMC readiness is therefore less about a single milestone and more about being prepared for when compliance becomes a condition of award in your specific contracting environment.

Don’t wait until a solicitation forces the issue. Contact Clark Schaefer Consulting to determine your CMMC applicability and make sure you’re ready for contract-level requirements as they appear.