Understanding the CMMC Phase‑In Plan: What Defense Contractors Need to Know in 2025 and Beyond

Written by Gene Jones, Senior Program Manager, Cybersecurity and Defense, Purdue MEP

As most of you are aware, the CMMC Program Rule (32 CFR) officially became effective, codifying the assessment framework and security controls in December 2024. About one year later, in November 2025, the Acquisition Rule (48 CFR) went live, which means that CMMC requirements can be added to Department of Defense (DoD)/Department of War (DoW) contracts. This article will summarize the anticipated CMMC Phase-In Plan. (Note: CMMC L3 is beyond the scope of this article, so it won’t be addressed.)

Phase 1: Nov 2025-Nov 2026 - DoD includes Level 1 and Level 2 self-assessment requirements in most new solicitations. Contractors must upload scores to the Supplier Performance Risk System (SPRS).

Phase 2: Nov 2026-Nov 2027 - Third-Party assessments begin. DoD starts requiring C3PAO-assessed Level 2 certifications as a condition of award for many contracts. Only companies authorized by the cyberAB and listed in their CMMC marketplace (https://cyberab.org) can issue a certification. Coordinate with a C3PAO at least 6-12 months in advance to schedule and make sure that your company is fully prepared!

Phase 3: Nov 2027-Nov 2028 - Extensions to existing contracts. Level 2 certification requirements begin appearing in contract options for existing work.

Phase 4: Nov 2028 and beyond - Full implementation. All new and existing DoD contracts (except for COTS items) must include the applicable CMMC Level as a condition of award. With the implementation of the Acquisition Rule (48 CFR) in November 2025, DFARS 252.204-7021 (Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements) became effective. It requires the “contractor” to:

1. Have and maintain for the duration of the contract a current CMMC status at the following CMMC level, or higher: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC) for all information systems used in performance of the contract, task order, or delivery order that process, store, or transmit FCI or CUI; and
2. Consult 32 CFR 170.23 related to the flowdown of the CMMC requirements, and flow down the correct CMMC level to subcontracts and other contractual instruments.

Image source: https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-101-Nov2025.pdf

If you only receive Federal Contract Information (FCI), attaining CMMC L1 (self) is relatively straightforward. Purdue MEP can guide you to the CMMC L1 resources online. With the help of an IT-savvy person, you can achieve CMMC L1 in short order. Alternatively, we can help you understand and implement CMMC L1 for a fee.

If your company processes, stores, or transmits Controlled Unclassified Information (CUI), you must attain CMMC L2 – Self or Certification as designated in the contract. Achieving CMMC L2 can be time-consuming and expensive because you must implement all 110 cybersecurity controls in NIST 800-171 Rev 2. If the contract requires a certification, you will also incur the expense of a C3PAO to conduct the certification assessment.

In summary, the CMMC Phase-In Plan is a planning tool to communicate a general plan. The DoD reserves the right to add a higher CMMC level sooner than listed in the Phase-In Plan, so our best advice is to start early!

We can support your attainment of CMMC L2, and Purdue MEP has partners that can help you sustain your CMMC status. Let’s get started! 

P.S. If your company has the time and talent to competently meet all 110 NIST 800-171 Rev2 controls, I will guide you to the online assessment guide resources.

Please contact Gene Jones for additional information.

Writer: Gene Jones, 765-496-7802, jonesew@purdue.edu