Benefits
Get your clearest path to pass
Understand your ability to meet CMMC requirements within your current ecosystem and get a custom report that defines approaches for remediation.
- Gap analysis
- Customized paths-to-pass report
Bring CMMC into everyday operations
Implement technical enclaves, policies, and processes that flex with your business model and set you up to successfully meet the 110 CMMC requirements.
- Technical enclave implementation
- Policy & process development
Check off your official CMMC certificate*
Complete your C3PAO assessment with a certified assessor and, if needed, remediate gaps via a close-out assessment POA&M to secure your final certificate.
- Mock assessments
- C3PAO assessment
- Close-out assessment POA&M
- Final CMMC certificate
*Assessment services cannot be coupled with other CMMC support. Regulations require that your assessor be independent from anyone who helps you prepare.
Breeze through annual compliance checks
Demonstrate ongoing CMMC compliance through annual assurance activities, with the option of fully outsourced continuous monitoring.
- Annual CMMC assurance
- Outsourced CMMC monitoring
FAQs
When will CMMC assessments begin?
CMMC assessments became a requirement on November 10, 2025, when DFARS rule changes took effect. Companies may elect to complete assessments before contractual requirements take effect in their specific solicitations. Contractors are advised not to wait for a contract requirement to trigger action, as assessment scheduling, remediation timelines, and C3PAO availability can extend the process well beyond initial estimates.
What are the CMMC phases and timelines?
CMMC requirements are being implemented in a four-phase plan that adds requirements incrementally over the course of three years.
- Phase 1 began on November 10, 2025. Solicitations require Level 1 or Level 2 self-assessments, where applicable.
- Phase 2 begins on November 11, 2026. Solicitations will require Level 2 certifications, where applicable.
- Phase 3 begins on November 10, 2027. Solicitations will require Level 3 certifications, where applicable.
- Phase 4 begins on November 10, 2028. Solicitations will require applicable CMMC requirements as a condition of the award.
What is CMMC and why does my business need it?
CMMC is a DOW program that verifies a contractor’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If you want to bid on or retain DOW contracts, especially those involving sensitive information, obtaining the appropriate CMMC level is now a contract requirement. Agencies beyond the DOW are also expected to adopt these requirements.
When do CMMC requirements start appearing in DOW contracts?
CMMC requirements began appearing in DOW solicitations when the updated DFARS rule became effective in November 2025. Many contract awards now require demonstrated CMMC compliance, and this requirement will expand incrementally through Phase 4 in November 2028. Contractors should review active solicitations carefully, as contracting officers are required to specify the applicable CMMC level in each solicitation. Waiting for a formal contract requirement before beginning preparation materially increases compliance risk.
How do I know which CMMC level my organization needs?
The required CMMC level depends on the type and sensitivity of data your company handles. Contracts specifying access to CUI generally require higher CMMC levels, while simpler contracts that only involve FCI often require a lower level. Under 32 CFR Part 170, the contracting officer is required to identify the applicable CMMC level in the solicitation. Contractors are advised to review their System Security Plan (SSP) and data handling practices against NIST SP 800-171 requirements before making a level determination.
What’s the difference between CMMC self-assessment and third-party assessment?
Some CMMC levels allow self-assessment (e.g., Level 1 or basic Level 2), where you attest to your own compliance. Higher levels, especially when CUI is involved, require an independent third-party assessment conducted by a certified C3PAO. Under 32 CFR Part 170, the assessor must be fully independent from any party that assisted in preparation. This independence requirement has direct implications for how contractors structure their compliance support relationships.
What is a gap assessment and why is it important?
A gap assessment evaluates your current cybersecurity controls against CMMC requirements to identify where you fall short. This is critical for building a “path-to-pass” plan with prioritized remediation, reducing surprises during the formal assessment.
How long does it take to become CMMC compliant?
There’s no single timeline. It varies based on your existing cybersecurity posture, the complexity of your environment, and the CMMC level required. Organizations often spend several months preparing and remediating before scheduling the formal assessment.
Do subcontractors need CMMC certification too?
Yes. If your business handles CUI or is otherwise included in a DOW supply chain contract that flows down CMMC requirements, certification at the required level is necessary regardless of whether you are a prime contractor or subcontractor.
What happens if we don’t achieve certification before contract award?
If your organization isn’t certified at the required level by the time of contract award, you could be deemed ineligible to bid or might lose opportunities on new DOW contracts. Under the phased implementation schedule, CMMC compliance is a condition of award beginning in Phase 4, and contracting officers are required to verify certification status through the Supplier Performance Risk System (SPRS) and the Cyber AB registry. Beyond contract loss, a failure to maintain accurate SPRS scores or provide a false attestation carries potential exposure under the False Claims Act.
Does CMMC compliance have to be maintained annually?
Yes. Ongoing compliance requires annual checks and documentation to demonstrate continued ability to meet the required controls. All levels require annual attestations in SPRS (Supplier Performance Risk System).
How much does CMMC certification cost?
Costs depend on your CMMC level, existing security posture, assessment type, and remediation needs. Budgeting should include assessments, remediation work, and potential consulting support.
Get CMMC-compliant, today
Be ready for CMMC demands in your current and future contracts with a partner that helps you become compliant without disrupting everyday operations.
