Achieving CMMC compliance can be complex.

Work with a qualified team to help you prepare your organization for CMMC requirements.

As a Registered Practitioner Organization (RPO), Eide Bailly can support CMMC readiness for both Level 1 and Level 2. We are also a Certified Third-Party Assessor Organization (C3PAO) authorized to perform Level 2 assessments. It should be noted that the same firm cannot support both CMMC preparedness and conduct assessments, and our team has established trusted partnerships to support clients throughout this process.

Our team can help you prepare, validate compliance, and position your organization for continued eligibility in the defense supply chain.

Now is the time to act. Waiting until the requirements take effect could put your contracts at risk. The DoD will implement the program in phases over the next three years:

• Phase 1 (Nov. 10, 2025):

  Solicitations will require CMMC Level 1 or Level 2 self-assessments. 
  DoD may also, at its discretion, require third-party CMMC Level 2 assessments in this phase.

• Phase 2 (Nov. 2026):

  Applicable solicitations will require third-party CMMC Level 2 assessments.

• Phase 3 (Nov. 2027):

  Applicable solicitations will require CMMC Level 3 assessments performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

• Full Implementation (Nov. 10, 2028):

  All DoD contracts and solicitations will include the required CMMC level as a condition of award.