Home β€Ί CMMC FAQs β€Ί About CMMC
About CMMC β€” Official DoD FAQ

When Will CMMC Assessments Be Required for Department Contracts?

πŸ’Ό
Not sure if your contracts require CMMC? Schedule a free consultation with Jun Cyber to assess your obligations.
Schedule Free Consultation
Official DoD Answer
Source Source: DoD CIO CMMC FAQs v5 (A-Q1)

The Department began incorporating CMMC assessment requirements in applicable procurements on November 10, 2025, when the revised Defense Federal Acquisition Regulation Supplement clause 252.204-7021 became effective. The first 12 months of implementation will primarily focus on self-assessments. For further information on the Department's phased implementation plan, see 32 Code of Federal Regulations 170.3(e).

In-Depth Analysis

What This Means for Your Business

If your organization holds or is pursuing Department of Defense contracts, CMMC assessment requirements are already in effect as of November 10, 2025. This is not a future requirement β€” it's happening now.

The Phased Implementation Timeline

The DoD is rolling out CMMC requirements in four phases:

  • Phase 1 (Nov 2025 - Nov 2026): Self-assessments for CMMC Level 1 and Level 2 are required in applicable solicitations. This is the current phase.
  • Phase 2 (Nov 2026 - Nov 2027): Third-party assessments (C3PAO) become required for CMMC Level 2 contracts involving CUI.
  • Phase 3 (Nov 2027 - Nov 2028): Level 3 assessments (DIBCAC-led) begin for contracts requiring enhanced security.
  • Phase 4 (Nov 2028+): Full implementation β€” all applicable DoD contracts require the specified CMMC level.

Key Actions to Take Now

Even during Phase 1, contractors should not wait. The self-assessment process requires documenting your System Security Plan (SSP), completing a NIST SP 800-171 assessment, and entering your score into the Supplier Performance Risk System (SPRS). Organizations that delay preparation risk being unable to bid on contracts when third-party assessments become mandatory in Phase 2.

Additionally, the annual affirmation requirement means your organization must confirm continued compliance every year after your initial assessment. This is not a one-time activity β€” it's an ongoing obligation under 32 CFR Part 170.

Have More Questions?

ChatCMMC can answer detailed questions about CMMC compliance, NIST 800-171 controls, assessment preparation, and more β€” powered by official DoD documentation.

Ask ChatCMMC β†’

Get Your Free CMMC Readiness Assessment

Find out where your organization stands and what steps you need to take. Jun Cyber's CMMC experts are here to help.

By submitting, you agree to be contacted by Jun Cyber. No spam, ever.

Related Questions

You Might Also Want to Know

About CMMC

How Much Does CMMC Compliance Cost?

β†’ Implementation

How Will the Department Implement CMMC and How Can Businesses Prepare?

β†’ Assessments

How Frequently Will CMMC Assessments Be Required?

β†’
Jun Cyber

Ready to Start Your CMMC Journey?

Jun Cyber helps defense contractors navigate CMMC compliance with confidence. From gap assessments to certification readiness β€” we've got you covered.

πŸ“… Schedule a Consultation Learn About CMMC Select β†’