CMMC Phase 1 is Here: What Your Company Needs to Know


For businesses working with the Department of Defense, November 10, 2025—marking the start of CMMC Phase 1—was a crucial date for your cybersecurity posture and your ability to secure future DoD contracts.

On this date, the final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program officially went into effect. This isn’t a date you wanted to let slip by, and the implications for your business can be significant.

So, what exactly does your company need to know?

1. CMMC Becomes an Enforceable Contractual Requirement

Gone are the days of CMMC being a “future possibility.” Starting November 10, 2025, contracting officers may begin including CMMC requirements in new solicitations and contracts. This means that if your company handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for the DoD, understanding CMMC Phase 1 is essential, as you will eventually need to demonstrate compliance.

2. Phased Implementation Begins: Don’t Wait!

CMMC will be implemented in four phases over roughly three years, but this doesn’t mean you have four years to start preparing. CMMC Phase 1 kicked off on November 10, 2025. During this first phase, you can expect to see solicitations requiring:

  • CMMC Level 1 Self-Assessments: If your company only handles FCI, you’ll need to perform a self-assessment against the CMMC Level 1 practices.
  • CMMC Level 2 Self-Assessments: For certain lower-risk CUI contracts, a CMMC Level 2 self-assessment might be required.

In addition, the results of these assessments must be accurately recorded and posted in the Supplier Performance Risk System (SPRS).

3. Your SPRS Score Will Matter

If your company doesn’t have the required CMMC status (a current self-assessment or, eventually, a certification) posted in SPRS at the specified level, you face a significant risk: ineligibility for contract awards or extensions that include the new CMMC clause. Think of SPRS as your cybersecurity report card for the DoD. It needs to be up-to-date and reflect your compliance.

4. Understand Your CMMC Level

Do you know what level of CMMC compliance your company will need? It’s crucial to identify the type of DoD information you handle:

  • CMMC Level 1 (Foundational): For companies handling Federal Contract Information (FCI). Requires annual self-assessments.
  • CMMC Level 2 (Advanced): For companies handling Controlled Unclassified Information (CUI). This requires either triennial self-assessments (for non-prioritized acquisitions) or triennial third-party assessments by a C3PAO (for prioritized acquisitions). A yearly affirmation of compliance is also required for all Level 2 contracts.
  • CMMC Level 3 (Expert): For companies handling CUI on the DoD’s most critical programs. Requires triennial government-led assessments.

Most companies will likely fall into Level 1 or Level 2. Understanding your data flow is the first step to determining your required level.

5. The Process

Achieving CMMC compliance, especially for Level 2 and above, is a journey, not a one-time task. It involves:

  • Gap Analysis: Understanding where your current cybersecurity posture stands against CMMC requirements.
  • Remediation: Implementing the necessary technical and procedural controls to close those gaps.
  • Documentation: Documenting your policies, procedures, and evidence of implementation.
  • Training: Ensuring your employees are aware of and follow cybersecurity best practices.
  • Certification Support: Getting assistance with the framework’s documentation, policy, and technology security posture.

Don’t Let CMMC Be a Barrier to Opportunity

The DoD is serious about protecting the defense supply chain from cyber threats. CMMC is their framework to achieve that. For your company, it’s not just a compliance checklist; it’s an opportunity to strengthen your cybersecurity, protect sensitive information, and remain a trusted partner to the DoD.

Start your CMMC journey today. Assess your current posture, understand your requirements, and begin the necessary preparations. Contact us today to learn more!

Sources:

https://dodcio.defense.gov/cmmc/About/

 
