Understanding the Four CMMC Phases 

The start of 2025 brought with it another milestone in the implementation of the CMMC program: official C3PAO authorization. While the program officially commenced on December 16th, in a notice to the ecosystem, the Cyber AB stated that January 2nd 2025 would be the first day that pre-authorized C3PAOs would be officially recognized and empowered to begin conducting Level 2 Certification Assessments. Doubtless, some have already commenced as hundreds of thousands of members of the Defense Industrial Base (DIB) position themselves to remain qualified to continue pursuing DoD contracts and subcontracts. While a narrow few are initiating certification assessments, many more are still working out what their timeline for compliance looks like. Read on to learn about the four-phase rollout finalized in October’s final rule, and about what that means for your CMMC journey. 

The Final Piece – Title 48 Rule 

On October 15th 2024, the same day that the Title 32 rule finalized details of the CMMC program, the Title 48 rule, which will officially place CMMC requirements into contracts, exited its public comment period. Based on the timing of the Title 32 rule and repeated communications from the DoD, we expect this final piece to be published anytime in the upcoming months, and to almost immediately commence Phase 1 of the four-phased approach described in the Title 32 rule. From there, the following timeline will apply: 

Phase 1: “Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.” 

Phase 2: “Begins one calendar year following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts.” 

Phase 3: Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date. DoD intends to include the requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 3 (DIBCAC) to an option period instead of as a condition of contract award. 

Phase 4, full implementation: Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4. 

Timing Implications of CMMC Phases 

On its surface, this appears to be a simple requirement for Level 1 self-assessments starting in approximately Q2 of 2025, with Level 2 certification assessments around Q2 2026, Level 3 certification assessments around Q2 2027, and Phase 4 closing any gaps that may have arisen from program rollout in 2028. However, a pair of factors makes this timeline serve more as a backstop than a practical target: DoD discretion and prime contractors.

Factors Accelerating the Timeline 

These dates represent our best estimates of the latest deadlines by which CMMC requirements can be expected to be included in contracts at each level. The rule explicitly provides for the DoD to accelerate the process at its discretion. Given that Level 2 certification assessments are already underway, the DoD will have the latitude to make up any lost ground in the rulemaking process if it determines that the ecosystem is progressing on pace without it, so the projected Q2 2026 requirement for Level 2 certification should be considered a hard backstop for DIB member policy setters. Besides the DoD driving timelines forward, prime contractors are also likely to impose earlier deadlines on their subcontractors, as the prime cannot complete its own certification without reviewing and demonstrating that its third parties have achieved appropriate levels of compliance and been reviewed. So, while it appears that some unknowns yet remain in the rollout, they are largely ancillary to other drivers which are already set in motion.

The 7-Year Phased Roll-Out? 

To clarify a final point, readers bold enough to tackle the 146-page rule itself may have noticed an additional 7-year timeline identified. This represents the amount of anticipated time before all previously awarded contracts have expired, bringing all active DoD contracts under the applicability of CMMC. Therefore, this phased roll-out concerns the overall ecosystem transitioning from pre-CMMC contract holders to CMMC holders rather than the roll-out of requirements.

Tevora Can Help 

As an RPO, A2LA certified assessor of NIST SP 800-171 controls, and a FedRAMP 3PAO, Tevora is your partner in achieving compliance in advance of your CMMC certified assessment. As a candidate C3PAO, Tevora will soon be qualified to deliver certified assessments for organizations that are more advanced in their security journeys, and achieving this landmark will keep you qualified for all DoD contracts for years to come. Stay tuned to Tevora’s feed to ensure that you remain up to date on the latest CMMC developments. 

About the Author

Alex Adams is an Information Security Associate at Tevora.
