CMMC Phase 1 Will Be Implemented By DoD Soon

By: Stephanie Hagan on November 7th, 2025

The Department of Defense (DoD) is going to begin implementing Cybersecurity Maturity Model Certification (CMMC) into solicitations and contracts starting Monday, November 10, 2025. Almost a year after the CMMC Final Rule went into effect, the DoD published a Final Rule amending the Defense Federal Acquisition Regulation (DFARS) to allow CMMC to be added to contracts. If you’re not ready yet, don’t panic—just like the CMMC process has taught us so far, the implementation isn’t going to be speedy. On November 10, the DoD will begin Phase 1, which includes CMMC Level 1 and Level 2 self-assessments. Will this impact you? Read on to learn more.

Cybersecurity Maturity Model Certification (CMMC): What is it and Who Does it Apply to?

In case you need a refresher on CMMC or it’s all new to you, CMMC is the new way the DoD plans to verify that contractors and subcontractors are complying with cybersecurity requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). More specifically, contractors need to follow requirements in Federal Acquisition Regulation (FAR) clause 52.204-21 and NIST SP 800-171.

CMMC applies to contractors in the Defense Industrial Base (DIB), meaning contractors who work directly with the Department of Defense and process, store, or transmit FCI or CUI. CMMC requirements will be specified in future contracts/solicitations and requirements are expected to flow down to subcontractors that will have access to or are working with any CUI.

As of right now, contractors who do not work on defense contracts are not required to follow CMMC; however, CMMC requirements could be added to civilian solicitations in the future, so it's important to be aware of them.

CMMC Levels

CMMC consists of three levels, which are outlined in the table below:

| CMMC Status | Security Requirements | Assessment Requirements |
|---|---|---|
| Level 1 (self) | 15 requirements in FAR Clause 52.204-21 | Conducted by the organization annually; results entered into SPRS |
| Level 2 (self) | 110 NIST SP 800-171 requirements outlined in DFARS 252.204-7012 | Conducted by the organization every 3 years; results entered into SPRS. Annual affirmation. |
| Level 2 (C3PAO) | 110 NIST SP 800-171 requirements outlined in DFARS 252.204-7012 | Conducted by a C3PAO every 3 years; annual affirmation. Results entered into CMMC eMASS |
| Level 3 (DIBCAC) | 134 NIST SP 800-171 requirements outlined in DFARS 252.204-7012 and 24 requirements selected from NIST SP 800-172 | Must have Level 2 (C3PAO) first, then conducted by DIBCAC every 3 years. Annual affirmation. Results entered into eMASS |

The first level and half of the second, which are in Phase 1 of the implementation, are self-assessed, and the results must be entered into the Supplier Performance Risk System (SPRS). This is done annually for Level 1 and every 3 years for Level 2. The second half of level 2 requires a Certified Third-Party Assessor Organization (C3PAO), and the results must be entered into the CMMC Enterprise Mission Assurance Support Service (eMASS) every 3 years. Level 3 requires an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). More information on the assessment and affirmation requirements can be found on the official Chief Information Officer (CIO) site on CMMC.

Phase 1 of CMMC to Begin Soon

As mentioned above, the CMMC requirements will be implemented in a phased approach over the next few years, so they will not all be added at once. Phase 1 covers Level 1 and Level 2 self-assessments. This phase will begin on November 10, 2025. CMMC Level 2 third-party assessments will occur 12 months later, and then Level 3 assessments 12 months after that.

All in all, the plan is to have the last phase begin on November 10, 2028. In this last phase, ALL solicitations and contracts will include applicable CMMC level requirements as a condition of contract award. While this is the plan, the DoD stated the next phases could begin sooner.

How Do You Determine Your CMMC Level?

Since we’re about to enter Phase 1, you might be wondering what level you need to be prepared for. This depends on the type of data you are storing, processing, transmitting or sharing for your existing DoD contracts. You’ll want to identify and classify this data and make sure you have a good understanding of how you manage CUI. With this information, you should decide on a CMMC level that you will most likely need to obtain based on current and future contracts.

Next Steps: Preparing for CMMC Phase 1

If you haven’t already, now is the time to start prepping your company to handle CMMC requirements. Once you determine the level you need to reach, you’ll want to assess your current cybersecurity posture and identify any gaps that need to be filled before you begin the certification process.

If you have any subcontractors, External Service Providers (ESPs), or Cloud Service Providers (CSPs), you’ll want to make sure they have the proper certifications and are prepared for the CMMC assessments as well. As mentioned before, the CMMC requirements are expected to flow down to subcontractors.

To stay updated on Phase 1 and future CMMC phases, subscribe to our blog and monthly newsletter. If you need help figuring out how to meet these requirements, or you need help prepping your GSA Schedule for future solicitations, we can direct you to the right place.

About Stephanie Hagan

Stephanie Hagan is the Training and Communications Manager for Winvale. Stephanie grew up in Sarasota, Florida, and earned her Bachelor's of Arts in Journalism and Rhetoric/Communications from the University of Richmond.