
Module 3: The CMMC 2.0 Rollout Timeline and Contract Strategy

Analyze the four-phase rollout of CMMC starting November 10, 2025, and what each phase means for bidding, renewals, and long-term contract strategy.


Orienting to the CMMC 2.0 Rollout (2025–2028)

In this module, you will dissect how CMMC 2.0 becomes real in contracts between late 2025 and roughly 2028, and what that means for bidding, renewals, and long‑term strategy.

> Context check (as of December 2025)

> CMMC 2.0 is being implemented via updates to the DFARS (Defense Federal Acquisition Regulation Supplement), particularly the CMMC rule that entered into effect in late 2025.

> The DoD has announced a four‑phase rollout starting 10 November 2025 (Phase 1) and ramping through about 2028.

> CMMC is now a mandatory contract requirement when it appears in a solicitation; it is no longer just a voluntary or pilot program.

You should already understand from Modules 1–2:

  • The 3 CMMC levels and what FCI vs. CUI mean.
  • The difference between self‑assessment, third‑party assessment (C3PAO), and government assessment.

Now we will focus on:

  1. The four rollout phases (2025–2028) and the practical meaning of each.
  2. How CMMC requirements appear in solicitations and contracts.
  3. How to design a contract strategy and internal readiness timeline so you are not locked out of bids.

Keep in mind: this is a moving regulatory environment. Your task is to understand the logic of the rollout so you can reason about edge cases and changes, not just memorize dates.

Step 1 – The Four-Phase Rollout: High-Level Map

The DoD’s CMMC 2.0 implementation is structured into four phases beginning 10 November 2025. Exact labels and minor details can shift, but the core logic is:

  1. Phase 1 – Self-Assessment On-Ramp (starting 10 Nov 2025)
     • CMMC requirements begin to appear in a limited set of new solicitations.
     • Focus is on self-assessments (especially for Level 1 and some Level 2) as a condition of eligibility.
  2. Phase 2 – Third-Party Assessment Ramp-Up (roughly 2026–2027)
     • An increasing number of solicitations require C3PAO-conducted certification at Level 2 (and some Level 3).
     • Self-assessment may still be allowed in some lower-risk cases but shrinks in relative importance.
  3. Phase 3 – Broad Incorporation Across New Awards (late 2027 onward)
     • CMMC is expected in most new DoD solicitations that involve FCI or CUI.
     • Third-party or government assessments are common at Levels 2–3.
  4. Phase 4 – Full Steady State (around 2028 and beyond)
     • CMMC is fully integrated into the DFARS baseline for relevant contracts.
     • All new awards and most significant modifications that involve FCI/CUI are expected to have CMMC requirements.

> Key idea: The rollout is contract-based, not company-based. You are not “CMMC-compliant once and for all”; each contract can carry its own CMMC requirement, and your eligibility to bid depends on meeting that requirement at the time specified in the solicitation.

Quick Check: What Changes First?

Test your understanding of how CMMC enters the market.

During Phase 1 (starting 10 November 2025), what is the most accurate description of how CMMC affects contractors?

  A) All existing contracts are retroactively modified to include CMMC Level 2 or 3.
  B) A limited set of new solicitations begin to require CMMC self-assessments as a condition to bid.
  C) CMMC is fully mandatory for all DoD contractors at Level 3, regardless of data type.

Answer: B) A limited set of new solicitations begin to require CMMC self-assessments as a condition to bid.

Phase 1 is an **on-ramp**: CMMC starts appearing in a **subset of new solicitations**, mainly as **self-assessment requirements**. Existing contracts are generally not retroactively modified en masse, and Level 3 is not universally required.

Step 2 – Phase 1 (Starting 10 Nov 2025): Self-Assessment as Gatekeeper

Phase 1 is where CMMC begins to gate access to certain solicitations, but with a relatively lightweight requirement structure.

What happens in Phase 1?

  1. CMMC clauses appear in selected new solicitations
     • DoD adds CMMC-related DFARS clauses to a targeted set of solicitations (often higher-risk or pilot programs).
     • These clauses specify the required CMMC level (1, 2, or 3) and whether a self-assessment is adequate or a certification is required.
  2. Primary mechanism: self-assessment (especially Level 1)
     • Level 1 (FCI): Most Phase 1 solicitations requiring Level 1 allow a self-assessment.
     • Level 2 (CUI): Some lower-risk Level 2 efforts may also begin with self-assessment, but high-value CUI contracts may already anticipate third-party certification in later phases.
  3. Scoring and attestation
     • Contractors must complete a self-assessment against the relevant controls (e.g., NIST SP 800-171 for Level 2).
     • They submit a score and a plan of action & milestones (POA&M), typically into the Supplier Performance Risk System (SPRS) or a successor system defined by DoD.
  4. Timing
     • The solicitation will specify whether the CMMC requirement must be met:
        • At time of proposal submission (common for self-assessments), or
        • By time of award (sometimes allowed to give a short remediation window).

Practical contract implications in Phase 1

  • New bids:
     • If you lack a required self-assessment score on record by the deadline, you are ineligible to bid or to be awarded the contract.
     • This applies even if you are technically capable in all other respects.
  • Renewals and recompetes:
     • When a contract is re-competed with CMMC in the solicitation, incumbents who have not performed self-assessments risk losing their position to more compliant competitors.
  • Subcontractors:
     • Primes may start requiring evidence of self-assessments from subs handling FCI or CUI.
     • Less mature subs may be squeezed out or relegated to non-FCI/non-CUI roles.

> Strategic takeaway for Phase 1: Treat self-assessment as a minimum baseline. Organizations that delay self-assessment until they see a specific solicitation are already behind.

Step 3 – Phase 1 Example: Competing for a Level 2 CUI Contract

Consider AegisTech, a mid-size engineering firm that wants to bid on a new DoD R&D contract released in January 2026 (within Phase 1). The solicitation includes a CMMC clause:

> “Offerors must demonstrate a current CMMC Level 2 self-assessment score of at least 80/110 in SPRS at the time of proposal submission. Offerors must provide a POA&M for remaining gaps with completion dates no later than 12 months after award.”

AegisTech’s situation:

  • They handle CUI under existing contracts but have never done a formal NIST SP 800-171 self-assessment.
  • They discover the solicitation two weeks before the proposal deadline.

Analysis:

  1. Time constraint: A credible self-assessment and POA&M for 110 controls in two weeks is extremely challenging, especially if documentation and technical baselines are weak.
  2. Bid/no-bid decision: If they cannot produce a defensible score and POA&M, they risk:
     • Being ineligible to bid, or
     • Submitting a rushed, inaccurate score that could later be treated as misrepresentation.
  3. Strategic error: They waited until a specific solicitation appeared instead of building a standing Level 2 self-assessment posture in late 2025.

What they should have done (Phase 1 strategy):

  • By late 2025, complete:
     • A full NIST SP 800-171 gap analysis.
     • A realistic self-assessment score and POA&M.
     • Upload to SPRS and maintain it.
  • This way, when the solicitation dropped, they could focus on technical and pricing strategy, not on scrambling to meet a gating compliance requirement.

Step 4 – Phases 2–4: From Optional-Looking to Inescapable

As the rollout progresses, the volume and strictness of CMMC requirements grow.

Phase 2 – Third-Party Assessment Ramp-Up (≈ 2026–2027)

  • More solicitations include CMMC clauses, especially for CUI-heavy work.
  • For many Level 2 contracts, the DoD begins to require:
     • A C3PAO-conducted assessment (not just self-assessment).
     • A formal certification valid for a defined period (often 3 years, subject to annual affirmations).
  • Level 3: Early high-priority programs may start to require government-led assessments or very tight oversight.

Contract implications:

  • You must schedule and pass a C3PAO assessment well before key solicitations.
  • Delays in scheduling (limited C3PAO capacity) can cause you to miss bid windows.

Phase 3 – Broad Incorporation (late 2027 onward)

  • CMMC is in most new awards involving FCI or CUI.
  • DoD components refine internal guidance on risk-based use of self-assessment vs. third-party certification.
  • Many large RFPs require proof of current certification at proposal submission, not just at award.

Contract implications:

  • Not having the right CMMC level is equivalent to not meeting a mandatory minimum requirement.
  • Incumbents whose certifications lapse risk being ineligible for option-year exercises or major modifications.

Phase 4 – Full Steady State (≈ 2028+)

  • CMMC becomes a standard DFARS expectation for relevant contracts.
  • CMMC status is treated similarly to other core compliance conditions (e.g., cybersecurity incident reporting, export controls).

Long-term implications:

  • CMMC posture is no longer a differentiator; it is a license to compete.
  • Competitive advantage shifts from “we have CMMC” to “we implement security and compliance more efficiently than competitors” (i.e., lower cost, fewer disruptions, better audit readiness).

Step 5 – Thought Exercise: Mapping Phases to Contract Risk

Use this thought exercise to connect the rollout phases to business risk.

Imagine you are the CFO of a small defense contractor that currently:

  • Handles FCI only (no CUI) under two Level 1-type contracts.
  • Wants to move into CUI work (Level 2) over the next 3 years.

Task: On a sheet of paper or a notes app, create three columns:

  1. Phase (1–4)
  2. Risk if we do nothing
  3. Mitigation actions

For each phase, answer:

  • What specific revenue or pipeline risks arise if we stay at Level 1 self-assessment only?
  • When do we absolutely need to start preparing for Level 2?
  • What actions must we take in each phase (e.g., gap analysis, budgeting for C3PAO, subcontractor vetting)?

Aim for at least 2–3 risks and 2–3 mitigation actions per phase. This will force you to translate the timeline into financial and strategic language, not just compliance jargon.

Step 6 – How CMMC Appears in Solicitations and Contracts

To make strategic decisions, you must be able to read a solicitation and extract its CMMC implications.

Where to look in a solicitation

  1. Section L (Instructions to Offerors)
     • May state:
        • Required CMMC level.
        • Whether self-assessment or certification is required.
        • Timing (at proposal submission vs. at award vs. before performance).
        • Required evidence (SPRS screenshot, C3PAO certificate, attestation letter).
  2. Section M (Evaluation Factors)
     • Clarifies whether CMMC is:
        • A go/no-go factor (must-have to be considered), or
        • A rated factor (e.g., higher score for stronger security posture).
     • In most cases, CMMC level is treated as a minimum eligibility requirement.
  3. Contract clauses (DFARS / special provisions)
     • Look for updated DFARS CMMC clauses referencing CMMC 2.0.
     • Clauses may:
        • Flow down requirements to subcontractors.
        • Require annual affirmations of continued compliance.
        • Specify incident reporting and change notification duties (e.g., if your certification status changes).

Example clause language (simplified)

> “The Contractor shall maintain a current CMMC Level 2 certification, as assessed by a CMMC Third-Party Assessment Organization (C3PAO) listed in the CMMC Marketplace, throughout the period of performance. The Contractor shall ensure that all subcontractors receiving Controlled Unclassified Information under this contract possess a current CMMC Level 2 certification prior to receiving such information.”

Interpretation:

  • Loss or lapse of Level 2 certification during performance can be a breach of contract.
  • You must build a subcontractor vetting process to ensure their CMMC status before flowing CUI to them.

> Analytical skill: When reading any new DoD solicitation, you should be able to answer in writing:

> 1. What CMMC level is required?

> 2. What assessment type (self, C3PAO, government)?

> 3. By what date must it be in place?

> 4. What are the flow-down obligations to subs?

Step 7 – Quiz: Reading a CMMC Requirement

Apply what you’ve learned to a sample requirement.

A solicitation states: “Offerors must possess a current CMMC Level 2 certification, as validated by a C3PAO, no later than the date of contract award.” How should a prospective bidder interpret this?

  A) They can wait until after award to schedule their C3PAO assessment, as long as they intend to comply.
  B) They must complete and pass a C3PAO assessment early enough that the certification is in place by the award date.
  C) A self-assessment uploaded to SPRS is sufficient, because the requirement is only at Level 2.

Answer: B) They must complete and pass a C3PAO assessment early enough that the certification is in place by the award date.

The clause explicitly requires **C3PAO validation** by the **date of award**. A self-assessment alone is insufficient. Practically, the company must schedule and pass the assessment **well before** the anticipated award date to avoid timing risk.

Step 8 – Building a Readiness Timeline for Levels 1–3

Now you will outline a high-level readiness timeline for an organization aiming for different CMMC levels.

Assume today is December 2025 (early Phase 1). Consider three archetypes:

  1. Company A – Level 1 only (FCI)
     • Small manufacturer, no CUI, wants to preserve existing FCI contracts and compete for similar work.
  2. Company B – Level 2 (CUI)
     • Engineering firm with current DFARS 252.204-7012 obligations, wants to expand CUI work by 2027.
  3. Company C – Level 3 (highly sensitive CUI)
     • Niche cyber company targeting advanced R&D and weapons systems support by 2028.

Your task

For each company, sketch a timeline with at least three milestones:

  • Short term (Phase 1) – 2025–2026
     • What assessments or gap analyses must be done immediately?
     • What self-assessments should be completed and logged?
  • Medium term (Phases 2–3) – 2026–2027
     • When should they schedule C3PAO assessments (for Level 2/3)?
     • What budgeting and staffing decisions are needed (e.g., hiring a security engineer, MSSP)?
  • Long term (Phase 4) – 2028+
     • How will they maintain their level (e.g., continuous monitoring, annual affirmation, periodic re-assessment)?
     • How will they manage subcontractor compliance?

Write this out as a table or bullet list. The goal is to internalize that CMMC readiness is a multi-year program, not a last-minute checkbox.

Step 9 – Key Terms and Concepts Review

Review these terms to solidify your understanding of the CMMC rollout and its contract implications.

Phase 1 (starting 10 Nov 2025)
Initial rollout phase where CMMC clauses appear in a limited set of new solicitations, primarily requiring self-assessments (especially for Level 1 and some Level 2) as eligibility gates.
Phase 2
Ramp-up phase where more solicitations require CMMC, and third-party (C3PAO) assessments become common for Level 2 (and some Level 3) contracts.
Phase 3
Broad incorporation phase where CMMC requirements appear in most new awards involving FCI or CUI, with certification often required at proposal submission.
Phase 4 (Steady State)
Mature phase where CMMC is fully embedded in DFARS; relevant DoD contracts routinely include CMMC requirements, and maintaining certification becomes a normal ongoing obligation.
Go/No-Go Requirement
A mandatory condition in a solicitation (such as possessing a specific CMMC level by a set date) that must be met to be considered for award.
C3PAO
CMMC Third-Party Assessment Organization authorized to perform official CMMC assessments for Levels 2 and, in some cases, Level 3.
SPRS Score
The cybersecurity assessment score (e.g., for NIST SP 800-171) submitted to the Supplier Performance Risk System, often used to demonstrate self-assessment status in Phase 1.
Flow-Down
The requirement for a prime contractor to ensure that subcontractors handling FCI or CUI also meet specified CMMC levels and related cybersecurity clauses.

Step 10 – Synthesis: From Timeline to Strategy

To close this module, integrate the regulatory timeline with business strategy:

  • CMMC is time-bound and contract-specific. Your readiness must align with when solicitations drop and what they require, not just with abstract compliance goals.
  • Phase 1 (starting 10 Nov 2025) is your chance to build a self-assessment foundation and avoid being surprised by early CMMC clauses.
  • Phases 2–3 require proactive planning for third-party assessments, budgeting, and subcontractor governance.
  • Phase 4 turns CMMC into a cost of doing business in the Defense Industrial Base.

As an advanced learner, you should now be able to:

  1. Summarize the four rollout phases and locate 2025–2028 on that curve.
  2. Interpret CMMC language in solicitations and identify its impact on eligibility to bid or renew.
  3. Outline a multi-year roadmap for an organization to reach and maintain the required CMMC level ahead of critical solicitations.

In the next module, you would typically move from timeline and strategy into detailed planning artifacts: budgets, staffing plans, and governance structures that operationalize this roadmap.

Key Terms

CUI
Controlled Unclassified Information; sensitive information that is not classified but is subject to safeguarding or dissemination controls under laws, regulations, or government-wide policies.
FCI
Federal Contract Information; information provided by or generated for the government under contract, not intended for public release.
SPRS
Supplier Performance Risk System; a DoD system used to store performance and risk data about contractors, including cybersecurity assessment scores.
C3PAO
CMMC Third-Party Assessment Organization; an accredited independent entity authorized to conduct official CMMC assessments and issue certifications.
DFARS
Defense Federal Acquisition Regulation Supplement; the set of regulations that implement and supplement the Federal Acquisition Regulation (FAR) for the Department of Defense.
CMMC 2.0
Cybersecurity Maturity Model Certification version 2.0, the DoD framework that defines cybersecurity requirements at three levels for contractors handling Federal Contract Information and Controlled Unclassified Information.
Go/No-Go Factor
A non-negotiable requirement in a solicitation that determines basic eligibility; failure to meet it results in exclusion from further evaluation.
Self-Assessment
An internal evaluation performed by an organization against CMMC-aligned controls (e.g., NIST SP 800-171) without external validation, typically scored and reported to a government system such as SPRS.
Flow-Down Clause
A contract clause that requires the prime contractor to impose certain requirements (such as CMMC level) on its subcontractors.
Phase 1–4 Rollout
The staged implementation of CMMC 2.0 from late 2025 through roughly 2028, moving from limited self-assessment requirements in selected solicitations to broad, steady-state use of CMMC certifications across DoD contracts.