The U.S. Department of Defense (DoD) has established a timeline for implementing the Cybersecurity Maturity Model Certification (CMMC) program, but it will be rolled out in phases rather than on a single enforcement date.
Key Dates and Phases for CMMC Enforcement:
December 16, 2024: The CMMC Final Rule (32 CFR) became effective.
January 2, 2025: CMMC assessments officially began.
Mid-2025: CMMC requirements will begin appearing in select DoD contracts under the 48 CFR Final Rule, which is the enforcement mechanism.
Q3–Q4 2025: More advanced Level 2 CMMC requirements will be rolled out for contracts involving Controlled Unclassified Information (CUI).
By 2028: Full implementation is expected, with CMMC requirements in all DoD contracts.
Enforcement Mechanism:
The Title 48 CFR rule integrates CMMC into the Federal Acquisition Regulation (FAR), making certification a requirement to be awarded new DoD contracts. This means that contractors must be certified at the appropriate CMMC level to bid on or retain contracts.