
CMMC Is Here:
On November 10, 2025, the Department of Defense’s Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) officially took effect — launching the long-awaited Cybersecurity Maturity Model Certification (CMMC) Program into real-world implementation.
For the first time, the DoD now has a formal mechanism to verify that contractors and subcontractors are maintaining required cybersecurity safeguards throughout contract performance.
If your company touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) at any tier of the defense supply chain, these requirements directly impact your eligibility for award, option-year exercises, and subcontracting relationships.
Below is your clear, contractor-focused guide to what has changed — and what you must do now.
What Is CMMC, and Why Does It Matter Now?
CMMC serves as the DoD’s verification framework to ensure contractors are actually implementing the cybersecurity protections already required under:
✔ FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
Requires 15 basic controls to protect FCI.
✔ DFARS 252.204-7012 – Safeguarding Covered Defense Information & Cyber Incident Reporting
Requires “adequate security,” defined as full implementation of NIST SP 800-171 (110 controls) for systems handling CUI, plus 72-hour cyber incident reporting to DoD, 90-day preservation of incident evidence (system images and logs), and a FedRAMP Moderate (or equivalent) requirement for any cloud service that stores or processes CUI.
These rules are not new.
What’s new is the DoD verifying that you actually comply, and that enforcement mechanism is CMMC.
CMMC Requirements Now Appear in DoD Solicitations
Beginning November 10, 2025, contracting officers are required to include a CMMC Level (1, 2, or 3) in solicitations and contracts.
To be eligible for award, contractors must have:
A CURRENT CMMC status posted in SPRS at the level required by the solicitation.
No CMMC status in SPRS = No award.
This rule also affects option periods.
Before exercising an option or extending performance, contracting officers must verify your current CMMC status in SPRS.
No CMMC status in SPRS = No options, no extensions.
Understanding the Three CMMC Levels
CMMC’s structure aligns with the sensitivity of the information your systems process:
⭐ CMMC Level 1 – Basic Safeguarding of FCI
Assessment: Annual self-assessment
Requirements: 15 controls under FAR 52.204-21
Affirmation: Annual affirmation in SPRS
This is the minimum for contractors who only handle FCI.
⭐⭐ CMMC Level 2 – Broad Protection of CUI
Assessment Options:
- Self-assessment every 3 years or
- C3PAO-conducted third-party assessment (every 3 years)
Which option applies is determined by the program office and stated in the solicitation.
Requirements: 110 controls under NIST SP 800-171 Rev. 2
Affirmation: Annual affirmation in SPRS
Posting:
- Level 2 Self → posted by the contractor in SPRS
- Level 2 C3PAO → posted in eMASS by assessor
This is the level required when contractors handle CUI.
⭐⭐⭐ CMMC Level 3 – Protection Against Advanced Persistent Threats
Assessment:
- Must achieve Level 2 (C3PAO) first
- Government-led assessment every 3 years (DIBCAC)
Requirements:
- 110 controls from NIST SP 800-171 Rev. 2
- 24 enhanced requirements from NIST SP 800-172
Affirmation: Annual affirmation in SPRS
Reserved for programs where CUI faces high-threat environments or national security sensitivity.
SPRS Is Now a Gatekeeper for Awards
Contractors must post the following in SPRS:
✔ Level 1 Self-assessment score
✔ Level 2 Self-assessment score
✔ Annual affirmations
✔ Status of required CMMC level
Assessment results from third-party assessors (C3PAO) and DIBCAC will be uploaded into eMASS, but contractors must still enter their annual affirmations in SPRS.
If your SPRS profile is outdated or missing, you are ineligible for:
- Award
- Option years
- Contract extensions
- Subcontract awards involving CUI
Flowdown Obligations Across the Supply Chain
CMMC applies to all tiers — primes, subcontractors, and suppliers — if they process, store, or transmit FCI or CUI.
Prime contractors must determine:
Does the subcontractor handle FCI or CUI?
- If only FCI → Level 1 (Self)
- If CUI → minimum Level 2 (Self)
- If the prime contract requires Level 2 (C3PAO) → sub must also meet Level 2 (C3PAO)
- If the prime contract requires Level 3 → sub must meet Level 2 (C3PAO) minimum
Important:
Primes cannot view subcontractor SPRS data.
They must obtain verification directly—e.g., screenshots, certification letters, or subcontract certifications.
Failure to verify exposes primes to False Claims Act risk.
CMMC Phased Implementation Timeline (2025–2028)
Phase 1 – Starting Nov 10, 2025
Solicitations may require:
- Level 1 Self
- Level 2 Self
Phase 2 – Starting Nov 10, 2026
Solicitations may require:
- Level 2 C3PAO
- Level 3 (DIBCAC) where applicable
Phase 3 – Starting Nov 10, 2027
DoD will:
- Require Level 2 C3PAO for award and options
- Require Level 3 where directed
Phase 4 – Starting Nov 10, 2028
Full implementation across all applicable DoD contracts.
By Phase 4, CMMC is mandatory for every applicable contract and subcontract.
What Contractors Should Do Now (Action List)
✔ Determine whether you handle FCI, CUI, or both
✔ Identify your likely CMMC Level
✔ Update your SSP, POA&Ms, and network diagrams
✔ Complete or update NIST SP 800-171 assessments
✔ Ensure SPRS posting and affirmations are current
✔ Validate subcontractor CMMC readiness
✔ Prepare for the required assessment path (Self / C3PAO / DIBCAC)
✔ Validate FedRAMP Moderate-equivalent cloud environments
✔ Rehearse 72-hour cyber incident reporting under DFARS 252.204-7012
Here’s my advice…
CMMC has officially moved from concept to enforceable requirement.
Contractors who begin preparing now will protect their revenue, avoid compliance delays, and stay eligible as DoD phases in stricter requirements through 2028.
CAUTION
Think you have tons of time? Right now, they are already auditing self-assessment scores; you can read about it here.
If your self-assessment score isn’t accurate, you could face consequences.
