The Truth About CMMC 2.0
The DoD’s CMMC 2.0 final rule took effect Nov. 10, 2025, but this date marks the start of a phased implementation, not an immediate cut-off. It launches a 3‑year rollout of CMMC requirements across DoD contracts.
In Phase 1 (Nov. 2025 – Nov. 2026), new solicitations will begin to include CMMC clauses (DFARS 252.204‑7021/7025) requiring CMMC Level 1 or 2 status, but primarily via self-assessment. In other words, contractors handling Federal Contract Information or CUI can compete in Phase 1 by completing the required self-assessment and annual affirmation; formal certification by Nov. 10, 2025, is not mandatory.
CMMC 2.0 Phases
The DoD emphasized that during the first 12 months, it will “primarily focus on self-assessments”. The new rule simply allows contracting officers to start including CMMC requirements in awards; it does not immediately disqualify non-certified companies.
- Phase 1 (Nov 10, 2025 – Nov 9, 2026): Contracts may require Level 1 or Level 2 (Self) CMMC status. Offerors are expected to complete the self-assessment and post scores in Supplier Performance Risk System (SPRS). DoD may also include Level 2 Certified Third-Party Assessment Organization (C3PAO) clauses at its discretion.
- Phase 2 (Nov 10, 2026 – Nov 9, 2027): Contracts will begin to require Level 2 (C3PAO) certification for applicable work. DoD may delay the Level 2 certification requirement to a contract’s option period or start including Level 3 for some programs.
- Phase 3 (Nov 10, 2027 – Nov 9, 2028): Contracts will require Level 3 (DIBCAC) certification for applicable work; DIBCAC is the Government’s Defense Industrial Base Cybersecurity Assessment Center. All Level 2 (C3PAO) requirements apply as before.
- Phase 4 (Full Implementation, Nov 10, 2028 onward): All applicable DoD solicitations and contracts (except Commercial Off the Shelf (COTS)-only) will include the appropriate CMMC level requirement as a condition of award. By this point, CMMC is fully integrated in the acquisition process.
These phases (outlined in 32 CFR §170.3(e)) mean there is an extended ramp-up period. In Phase 1, because DoD will accept self‑attested compliance, companies that are not yet formally certified can still win new contracts (so long as they meet the self-assessment requirements and have a current SPRS score).
In practical terms, mid-Nov. 2025 was not a hard “drop-dead” deadline for certification. It was simply when agencies started adding the CMMC clause to solicitations.
Contract Impact
New vs. Existing Awards:
The key rule is that once a solicitation includes the CMMC clause, an offeror must have a current CMMC status at the required level to be eligible. (The final DFARS language makes CMMC status a condition of award, and contracting officers will verify compliance in SPRS.)
In Phase 1, that means offerors must have a valid Level 1 or Level 2 (Self) status and affirmation. If a contract in Phase 1 requires Level 2 (Self), a company can simply submit its SPRS self-score and annual affirmation. Only in Phases 2–3 will certified Level 2 or Level 3 status become a prerequisite for award on covered contracts.
Importantly, existing contracts will not be automatically canceled if a vendor is not certified. Current awards (with only DFARS 7012/NIST SP 800-171 clauses) generally continue under the old terms.
The new CMMC clauses apply when a contract is awarded, extended, or modified after Nov 10, 2025. DoD’s rules allow contracting officers to add the CMMC clause by contract modification at their discretion. This means a company performing under an existing contract without CMMC can still complete that work, but if it later pursues a renewal, extension, or new award that includes a CMMC requirement, it will need to meet that requirement at that time.
In short: no automatic termination of current work, but any contract action in Phases 1–4 that incorporates CMMC clauses will require the contractor to have (or obtain) the specified CMMC status and affirmation.
Implications for Contractors
The phased rollout is deliberately gradual. Vendors who handle FCI/CUI should treat Phase 1 as an opportunity, not a crisis. In 2025–26, you can still compete on new solicitations by completing the required self-assessments and affirming compliance. But do not delay: the DoD expects contractors to use this transition period to get their house in order.
Identify which CMMC level your business will need, conduct the self-assessment now, and (for those needing Level 2 or 3) begin preparing for official certification. DoD and its CMMC program office provide free resources (e.g. Project Spectrum training) to help contractors meet the new requirements.
Why It Matters
Compliance with CMMC 2.0 is critical for any vendor’s growth in the DoD market. Cybersecurity is now a contractual requirement, not just guidance. Over the next three years, CMMC will become fully embedded in defense procurement.
Eventually, all contracts involving FCI/CUI will demand it. Being proactive about CMMC will keep your business eligible for DoD work and help protect your own systems and data. In DoD’s words, CMMC is a “critical safeguard” for the defense supply chain.
Companies that start early can leverage the ramp-up period as a runway: they can continue fulfilling contracts now while strategically investing in the cybersecurity improvements needed for future awards.
Key Takeaways for Vendors
Mid‑November 2025 was not an abrupt cutoff but the start of Phase 1 of a 3‑year CMMC schedule. During 2025–26, Level 1 and 2 self-assessments are accepted in contracts, so uncertified firms can still win and perform work by attesting compliance. Phases 2 and 3 (Nov 2026 and 2027) will add certified Level 2 and Level 3 requirements. Existing contracts without the CMMC clause remain valid until modified.
However, by late 2028 (Phase 4) all applicable DoD contracts will require the appropriate CMMC level. Vendors should use this ramp-up to align their cybersecurity: review NIST SP 800-171 controls, self-assess today, and plan for formal assessments as needed. Taking early action will ensure eligibility for awards and support a resilient growth strategy in the DoD market.
Frequently Asked Questions (FAQs)
1. Is November 10, 2025, a hard deadline for CMMC certification?
No. It’s the official start of the CMMC 2.0 rollout (Phase 1), but not a disqualification deadline. Self-assessments are accepted in most new contracts during this phase.
2. Can my company still win DoD contracts without CMMC certification?
Yes, during Phase 1 (Nov 2025–Nov 2026), most contracts only require a self-assessment for Level 1 or 2, not formal certification.
3. What happens to my current DoD contracts if I’m not CMMC certified yet?
You won’t lose existing contracts unless they’re modified to include CMMC clauses. The requirements mainly apply to new awards, extensions, or modifications.
4. What’s the difference between CMMC Level 1 and Level 2?
- Level 1: 15 basic cybersecurity practices; self-assessment required.
- Level 2: 110 NIST 800-171 controls; starts with self-assessment, moves to third-party (C3PAO) certification.
5. When does CMMC Level 2 certification become mandatory?
Beginning in November 2026, most Level 2 contracts will require C3PAO certification instead of self-assessment.
