CMMC Final Rule Timeline

C MMC's Four-Phase Rollout

Are You Prepared for CMMC Requirements in Your Contracts?
The Pentagon Department of Defense
The Department of Defense (DoD) is rolling out CMMC requirements in four distinct phases, coordinated with the publication of the complementary 48 CFR Part 204 CMMC Acquisition rule. This rule will update the Defense Federal Acquisition Regulation Supplement (DFARS) to define how CMMC requirements are integrated into DoD contracts and solicitations. Given the scale of the DoD’s contracting activities, the full implementation of CMMC across the defense industrial base is expected to take approximately seven years. However, contractors are not required to wait for the phased rollout to take action. Certification can be pursued voluntarily now that the 32 CFR Rule has become effective.

CMMC's phased rollout is a vital part of enhancing cybersecurity across the Defense Industrial Base. TSI is here to help with your compliance needs with our CMMC 2.0 certification guide. For any other assistance or questions, please don't hesitate to reach out to our expert team of cybersecurity experts!

C MMC Timeline

TSI's Proposed Timeline for CMMC Requirements
TSI's CMMC Timeline

D ates to look out for

  • January - December 2028: CMMC Phase 4 rollout begins. CMMC Requirements are now included in all DoD contracts.
  • January - December 2027: CMMC Phase 3 begins. Lvl 2 C3PAO certification is now required to renew or extend existing contracts.
  • January - December 2026: CMMC Phase 2 rollout begins. Now third-party certification assessments are required.
  • January - December 2025: CMMC Phase 1 rollout begins and requires self-assessment for all new contracts. 48 CFR Final Rule expected early 2025.
  • January - December 2024: DoD reviews the comments on CMMC 2.0 32 CFR and 48 CFR proposed final rule. 32 CFR goes into effect on December 16, 2024.
  • December 2023: 32 CFR CMMC DFARS Rule open to public comment.
  • January - December 2022: DIB Contractors prepare for CMMC 2.0 contracts while rule making occurs.
  • December 2021: CMMC 2.0 model documentation and assessment guides revealed.
  • November 2021: The DoD's CMMC program review ends. CMMC 1.0 is terminated and replaced by CMMC 2.0.
  • April 2021: First C3PAO's begin to be assessed against CMMC Lvl 2 by the DIBCAC. C3PAO's must pass their own Lvl 2 assessment before being able to conduct assessments themselves.
  • January 2020: CMMC Version 1.0 is introduced.

What Our Clients Are Saying

quote-img

“There is just too much information to make clear informed IT decisions that are best for your business. Technical Support International’s cloud specialists helped navigate through the abyss of buzzwords and tech-centric concepts to help our business become more efficient and reduce IT capital expenditures. TSI’s ability to outline and explain the variety of available options helped solidify our decision to move to the cloud. I came out of the experience truly appreciating TSI’s approach."

Investment Group / Hyannis, MA

Learn More About CMMC Compliance and Get Started

Call us at (508)-543-6979 or click the button below to request a call back from a representative at TSI.