Is CMMC Mandatory in 2026?
Cybersecurity Maturity Model Certification is effectively becoming mandatory, but it is being rolled out in phases with specific deadlines. The key date was November 10, 2025, when CMMC requirements officially began appearing in new Department of Defense (DoD) contracts following the final rule. From that point forward, many contractors will need at least Level 1 or Level 2 self-assessments to be eligible for awards.
In 2026, the requirements tighten significantly. By October 31, 2026, CMMC compliance becomes mandatory for all new DoD contract awards, meaning no certification = no new business. Additionally, November 10, 2026 marks the start of Phase 2, when third-party Level 2 certifications (C3PAO audits) begin to be required more broadly.
The rollout continues beyond that: requirements expand further in 2027, and by November 10, 2028, CMMC is expected to be fully enforced across all applicable DoD contracts.
| Date | Milestone | Who it applies to |
|---|---|---|
| Nov 10, 2025 | CMMC requirements begin appearing in DoD contracts (Phase 1 start) | All DoD contractors & subcontractors bidding on new contracts |
| Oct 31, 2025 | CMMC required for all new DoD contract awards | All companies seeking new DoD contracts involving FCI or CUI |
| Nov 10, 2026 | Phase 2 begins – third-party assessments (C3PAO) required for some Level 2 | Contractors handling Controlled Unclassified Information (CUI) |
| 2027 (ongoing) | Expansion of certification requirements across more contracts | Increasing portion of the Defense Industrial Base (DIB) |
| Nov 10, 2028 | Full CMMC implementation across all applicable DoD contracts | All DoD contractors & subcontractors subject to CMMC requirements |