The Real Truth About the CMMC 2.0 Rollout Timeline

If you’ve been following the Cybersecurity Maturity Model Certification (CMMC) rollout, chances are you’ve heard the claim:
“CMMC 2.0 will officially start on October 1, 2025.”

It’s repeated in webinars, industry chatter, and even some outdated training material. It sounds definitive — but it’s wrong. This date is a leftover from the original CMMC 1.0 rollout plan, which has since been replaced.

The truth? CMMC 2.0 does not have an official start date yet. And waiting for one could put your business at a significant disadvantage.

Why the “October 1, 2025” Date Keeps Showing Up

This false date lingers because it was part of the original CMMC 1.0 timeline. When the DoD shifted to CMMC 2.0, that plan was scrapped — but the date continued to circulate.

Right now, CMMC 2.0’s effective date hasn’t been set. The final rules for 48 CFR and DFARS 7021 are still in review at the Office of Information and Regulatory Affairs (OIRA) within the Office of Management and Budget (OMB). Until those rules are published, any start date is pure speculation.

As Matthew Travis, CEO of The Cyber AB, confirmed during the July 2025 Cyber AB Town Hall — there is no official start date.

This is why it’s critical to rely on current, authoritative sources like the DoD’s official CMMC site and The Cyber AB, not recycled CMMC 1.0 timelines.

Reality:

1. No official start date has been set.
   The DoD has not announced when CMMC 2.0 will begin. That will only happen when the final rule is published in the Federal Register.
2. The final rules aren’t finished yet.
   The rules (48 CFR and DFARS 7021) that define how CMMC will be applied in contracts are still being finalized. Without them, CMMC can’t officially start.
3. It’s still in government review.
   Before becoming final, the rules must go through OIRA/OMB review — a process that’s still underway as of August 2025.
4. Confirmed by leadership.
   Matthew Travis of The Cyber AB made it clear in July 2025: October 1, 2025, is NOT the start date.

Where We Are in the Process

The CMMC 2.0 rollout follows the federal rulemaking process:

1. Draft Rule Published – December 2023
2. Public Comment Period Closed – February 2024
3. OIRA/OMB Review – Ongoing (current stage)
4. Final Rule Published – TBD
5. Effective Date Announced – After final rule publication

What This Means for Contractors Right Now

You don’t need to know the start date to start preparing — and waiting could cost you.

• Primes are already requiring NIST SP 800-171 compliance.
  Many prime contractors are including compliance clauses in subcontracts today. If you can’t provide proof — such as an SSP, POA&M, and SPRS score — you may lose opportunities now, not just later.
• Gap remediation takes time.
  Upgrading systems, implementing security controls, and training staff can take months. Waiting until the rule is final could leave you scrambling and missing out on contracts.
• Delays put both new and current contracts at risk.
  Some contracts could be modified to include compliance requirements. Being unprepared could hurt your ability to win or keep business.

Takeaway: Treat compliance as ongoing business practice — not a deadline-driven rush.

Stay Ready, Not Scrambling

The CMMC rollout is imminent, but it’s not tied to a fixed date yet. When the final rules are published, there won’t be much time to act. Contractors who have already built compliance into their daily operations will move through the process smoothly, while others will be fighting the clock.

Start now:

• Keep your SSP and POA&M up to date.
• Track and improve your SPRS score regularly.
• Follow only official sources for updates.
• Have a pre-audit done for your potential score

Bottom line: Don’t wait for a date. Stay ready, so when CMMC 2.0 officially arrives, you’re already compliant — and ahead of your competition.

Official Resources:

• DoD CMMC Program
• The Cyber AB