On September 9, 2025, the Department of Defense confirmed that CMMC Phase 1 will begin on November 10. That single decision shifted the conversation from planning to execution. For the first time, contracting officers will have the authority to include CMMC language in new solicitations, marking the formal start of enforcement.
The market responded immediately.
CMMC Level 2 certifications are increasing at a pace we haven’t seen before.
In April, only 85 organizations had completed their assessments. By September, the total reached 366—a 36 percent jump in one month.
Contractors are securing their certification positions before the surge in demand hits, knowing that assessor availability and scheduling will soon become a bottleneck.
With the rule now finalized and published, the timeline is no longer theoretical.
Here’s how implementation unfolds:
This staged rollout provides structure but not breathing room. Once CMMC language appears in a solicitation, readiness becomes a gate, not a goal.
C3PAOs are already reporting full calendars into Q1 2026. Contractors that have not scheduled an assessment are at risk of delays in their contract pursuits.
Self-assessments in Phase 1 require the same level of evidence, documentation, and governance maturity as third-party reviews. The difference is only in who conducts the validation.
Even before November 10, many are preparing to include CMMC clauses in pending solicitations. Early adopters are setting a new baseline for compliance expectations across the supply chain.
CMMC is no longer a future requirement. It is a live contracting factor. Contractors that began readiness planning in 2021 and 2022 are now realizing the payoff in competitive advantage. Those just starting must compress years of preparation into months.
Readiness isn’t about checking boxes. It’s about proving control ownership, maintaining version history, and demonstrating that compliance is part of ongoing governance, not a static milestone.
Contractors that act before November 10 will enter Phase 1 in a stronger position. Those that wait may face scheduling delays and limited access to certified assessors.
Coalfire Federal performs official CMMC Level 2 assessments for contractors across the Defense Industrial Base. Our role is to provide an independent, objective evaluation of your compliance posture and confirm that your controls meet the CMMC standard.
If your organization is preparing for certification, now is the time to secure your place in the assessment queue.
CMMC Phase 1 begins on November 10, 2025. Starting then, contracting officers can include CMMC requirements in new solicitations, making compliance an official contracting factor.
Since the announcement, certification activity has increased sharply as contractors secure early assessments before demand and scheduling bottlenecks set in.
Phase 1 runs from November 2025 to November 2026 and requires Level 1 or Level 2 self-assessments. Phase 2 begins in November 2026 and introduces mandatory third-party Level 2 certifications. Phases 3 and 4 expand to include Level 3 oversight and full adoption by November 2028.
Yes. Even in Phase 1, self-assessments must demonstrate the same evidence, documentation, and governance maturity as third-party reviews.
Confirm your certification level, assess your current NIST 800-171 compliance, schedule an accredited C3PAO, and make sure all documentation and change tracking are current.
The full assessment process can take several weeks to complete, depending on readiness and scheduling availability. Each assessment requires detailed planning, scoping, and evidence review by an accredited C3PAO. Because there are only a limited number of certified assessors, contractors that wait to schedule may face long lead times or miss preferred assessment windows. Being fully prepared before requesting an assessment helps avoid delays.
Contractors face several challenges when pursuing CMMC Level 2 certification. Limited availability of accredited C3PAOs can make scheduling assessments difficult. Readiness gaps in technical controls, documentation, or governance practices can stall or delay the process. Certification is also becoming a competitive gate, meaning contractors must ensure compliance quickly to maintain eligibility for new contracts. Oversight responsibilities for subcontractors add complexity, and timing pressures increase as Phase 1 begins. Early preparation, alignment across leadership and IT teams, and understanding CMMC Phase 1 requirements and the CMMC final rule and regulatory clearance help reduce these risks.
CMMC Level 2 certification is a critical factor for organizations that rely on Department of Defense contracts. With CFR 32 establishing the certification requirements and CFR 48 detailing how these requirements will be applied in contracts, achieving compliance is becoming a formal prerequisite for bidding.
Without Level 2 certification, your organization may be ineligible for certain contracts, which could affect revenue opportunities and competitive positioning. Beyond eligibility, certification signals a commitment to cybersecurity best practices, strengthens trust with partners, and positions your organization as proactive in managing risk. Organizations that complete the certification process often find their overall security posture improves, reinforcing the business value of compliance.