CMMC Is Here:

On November 10, 2025, the Department of Defense’s Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) officially took effect — launching the long-awaited Cybersecurity Maturity Model Certification (CMMC) Program into real-world implementation.

For the first time, the DoD now has a formal mechanism to verify that contractors and subcontractors are maintaining required cybersecurity safeguards throughout contract performance.

If your company touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) at any tier of the defense supply chain, these requirements directly impact your eligibility for award, option-year exercises, and subcontracting relationships.

Below is your clear, contractor-focused guide to what has changed — and what you must do now.


What Is CMMC, and Why Does It Matter Now?

CMMC serves as the DoD’s verification framework to ensure contractors are actually implementing the cybersecurity protections already required under:

✔ FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems

Requires 15 basic controls to protect FCI.

✔ DFARS 252.204-7012 – Safeguarding Covered Defense Information & Cyber Incident Reporting

Requires “adequate security,” defined as full implementation of NIST SP 800-171 (110 controls) for systems handling CUI, plus a 72-hour cyber incident reporting requirement, 90-day evidence preservation, and FedRAMP-Moderate cloud restrictions.

These rules are not new —
What’s new is DoD verifying that you actually comply.
And that enforcement mechanism is CMMC.


CMMC Requirements Now Appear in DoD Solicitations

Beginning November 10, 2025, contracting officers are required to include a CMMC Level (1, 2, or 3) in solicitations and contracts.

To be eligible for award, contractors must have:

A CURRENT CMMC status posted in SPRS at the level required by the solicitation.

No CMMC status in SPRS = No award.

This rule also affects option periods.

Before exercising an option or extending performance, contracting officers must verify your current CMMC status in SPRS.

No CMMC status in SPRS = No options, no extensions.


Understanding the Three CMMC Levels

CMMC’s structure aligns with the sensitivity of the information your systems process:


CMMC Level 1 – Basic Safeguarding of FCI

Assessment: Annual self-assessment
Requirements: 15 controls under FAR 52.204-21
Affirmation: Annual affirmation in SPRS

This is the minimum for contractors who only handle FCI.


⭐⭐ CMMC Level 2 – Broad Protection of CUI

Assessment Options:

  • Self-assessment every 3 years or
  • C3PAO-conducted third-party assessment (every 3 years)

Chosen based on the program office’s determination.

Requirements: 110 controls under NIST SP 800-171 Rev. 2
Affirmation: Annual affirmation in SPRS
Posting:

  • Level 2 Self → posted by the contractor in SPRS
  • Level 2 C3PAO → posted in eMASS by assessor

This is the level required when contractors handle CUI.


⭐⭐⭐ CMMC Level 3 – Protection Against Advanced Persistent Threats

Assessment:

  • Must achieve Level 2 (C3PAO) first
  • Government-led assessment every 3 years (DIBCAC)

Requirements:

  • 110 controls from NIST SP 800-171 Rev. 2
  • 24 enhanced requirements from NIST SP 800-172

Affirmation: Annual affirmation in SPRS

Reserved for programs where CUI faces high-threat environments or national security sensitivity.


SPRS Is Now a Gatekeeper for Awards

Contractors must post the following in SPRS:

✔ Level 1 Self-assessment score

✔ Level 2 Self-assessment score

✔ Annual affirmations

✔ Status of required CMMC level

Assessment results from third-party assessors (C3PAO) and DIBCAC will be uploaded into eMASS, but contractors must still enter their annual affirmations in SPRS.

If your SPRS profile is outdated or missing, you are ineligible for:

  • Award
  • Option years
  • Contract extensions
  • Subcontract awards involving CUI

Flowdown Obligations Across the Supply Chain

CMMC applies to all tiers — primes, subcontractors, and suppliers — if they process, store, or transmit FCI or CUI.

Prime contractors must determine:

Does the subcontractor handle FCI or CUI?

  • If only FCI → Level 1 (Self)
  • If CUI → minimum Level 2 (Self)
  • If the prime contract requires Level 2 (C3PAO) → sub must also meet Level 2 (C3PAO)
  • If the prime contract requires Level 3 → sub must meet Level 2 (C3PAO) minimum

Important:

Primes cannot view subcontractor SPRS data.
They must obtain verification directly—e.g., screenshots, certification letters, or subcontract certifications.

Failure to verify exposes primes to False Claims Act risk.


CMMC Phased Implementation Timeline (2025–2028)

Phase 1 – Starting Nov 10, 2025

Solicitations may require:

  • Level 1 Self
  • Level 2 Self

Phase 2 – Starting Nov 10, 2026

Solicitations may require:

  • Level 2 C3PAO
  • Level 3 (DIBCAC) where applicable

Phase 3 – Starting Nov 10, 2027

DoD will:

  • Require Level 2 C3PAO for award and options
  • Require Level 3 where directed

Phase 4 – Starting Nov 10, 2028

Full implementation across all applicable DoD contracts.

By Phase 4, CMMC is mandatory for every applicable contract and subcontract.


What Contractors Should Do Now (Action List)

✔ Determine whether you handle FCI, CUI, or both

✔ Identify your likely CMMC Level

✔ Update your SSP, POA&Ms, and network diagrams

✔ Complete or update NIST SP 800-171 assessments

✔ Ensure SPRS posting and affirmations are current

✔ Validate subcontractor CMMC readiness

✔ Prepare for the required assessment path (Self / C3PAO / DIBCAC)

✔ Validate FedRAMP Moderate-equivalent cloud environments

✔ Rehearse 72-hour cyber incident reporting under DFARS 252.204-7012


Here’s my advice…

CMMC has officially moved from concept to enforceable requirement.


Contractors who begin preparing now will protect their revenue, avoid compliance delays, and stay eligible as DoD phases in stricter requirements through 2028.

CAUTION

Think you have tons of time? Right now, they are auditing self-assessment scores; you can read about it here.

If your self-assessment score isn’t accurate, you could be facing some consequences.


© 2026 The GovCon Rabbit Hole. All content is provided for informational purposes only. All rights reserved.