CMMC 2.0 Enforcement Timeline 2025–2028


April 27, 2026

You’ve seen the headlines: “CMMC is live.” Phase 1 kicked off on November 10, 2025. DoD program managers can require CMMC on any new contract or option period right now—no grace period.

We’re now about four months into Phase 1 (as of March 2026)—and primes continue to actively require CMMC in RFPs today.

The 4-Phase Rollout: What Clients Must Prove—and Your Revenue Opportunity

| Phase | When | Requirements | MSP/MSSP Revenue |
|---|---|---|---|
| Phase 1 | Started Nov 10, 2025 | Level 1 self-assessment on FCI; Level 2 self-assessment on 5–15% CUI; Annual SPRS affirmation | $5k–$15k per client (setup + monitoring) |
| Phase 2 | Starts Nov 10, 2026 | Level 2 C3PAO cert on 20–65% CUI contracts; Conditional certs OK if POA&Ms close in 180 days | $25k–$50k per client + $2k–$5k/month recurring. C3PAO schedules booking 6–9 months out |
| Phase 3 | Starts Nov 10, 2027 | Level 2 C3PAO cert required on all CUI; Level 3 starts for high-risk | $10k–$20k ARR per client via continuous monitoring |
| Phase 4 | Starts Nov 10, 2028 | Full Levels 1–3 mandatory; Triennial recerts + annual affirmations | High-margin multi-year retainers |

Key Details Most MSPs Still Get Wrong

  • “We only need Level 1.” → Most CUI contracts will require Level 2 by 2027
  • “Self-assessment is enough.” → Phase 2+ mandates third-party C3PAO certification and annual self-attestation
  • “We have until 2028.” → Primes have been requiring it in RFPs since Phase 1 launched in November 2025

The C3PAO Bottleneck Is Real

As of February 2026, the number of authorized C3PAO organizations in the Cyber AB Marketplace remains limited: about 98 per Cyber AB reports, with growth continuing toward 100+. With thousands of DIB contractors needing Level 2 certification, assessment schedules are booking 6–9 months out, and demand continues to surge. MSPs who position themselves now with automated evidence-gathering and continuous-monitoring tools will capture the market before the Phase 2 rush intensifies.

The Bottom Line for MSPs & MSSPs

Phase 1 is well underway—primes are actively verifying subs. Clients who achieve Level 2 self-attestation this quarter will sail through 2026 and be first in line when C3PAO slots open up.

With technology to automate evidence gathering for the CMMC controls and track remediation for POA&Ms, you’re positioned for the busiest 24 months of your career.

SureShield’s ComplyShield automates evidence collection, remediation tracking, and template-based preparation to get clients Level 2-ready faster—with higher recurring revenue for you.

Contact us today at sales@sureshield.ai to schedule a 30-minute demo of SureShield’s ComplyShield. Let’s lock in your 2026 pipeline before the C3PAO rush intensifies.

Sources: U.S. Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Program, Federal Register updates 2024–2025; Cyber AB C3PAO Marketplace & Town Hall updates, March 2026
