CMMC Phase 1 Implementation Begins: November 10, 2025


New DoD solicitations/contract awards can start requiring CMMC clauses. Self‑assessments (for Level 1 and Level 2) become required in applicable contracts; in some cases, Level 2 third‑party assessments may be inserted at DoD’s discretion.


The long-awaited Cybersecurity Maturity Model Certification (CMMC) program has officially moved from policy to practice. As detailed in recent industry publications, November 10, 2025, the effective date of the final DFARS rule, marked the official launch of CMMC Phase 1.

This date is not just a milestone; it is a critical shift in the contracting landscape. If your company operates within the Defense Industrial Base (DIB), the time to achieve compliance is no longer “soon”—it is now.


Phase 1: The New Reality of DoD Contracting

The start of Phase 1 means that the Department of Defense (DoD) has begun incorporating the CMMC requirements (DFARS clause 252.204-7025) into applicable new solicitations and contracts. This phased rollout is designed to ramp up enforcement gradually, focusing initially on self-assessment.

Key Takeaways for Phase 1 (November 10, 2025 – November 9, 2026):

  1. CMMC Status is a Condition of Award: For covered contracts, you must have a current CMMC status at the required level to be eligible for the award.
  2. Focus on Self-Assessments: The first phase primarily mandates CMMC Level 1 and Level 2 (Self-Assessment) for contractors.
  3. Submission is Mandatory: Compliance information—whether a self-assessment score or a certification status—must be recorded in the Supplier Performance Risk System (SPRS).

Understanding Your Required CMMC Level

Your organization’s required CMMC Level is determined by the type of government data you handle:

1. CMMC Level 1: Safeguarding FCI

  • Applies to: Organizations that only process, store, or transmit Federal Contract Information (FCI).
  • Requirements: You must comply with 15 cybersecurity controls based on FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
  • Assessment: Requires an annual self-assessment and submission of compliance affirmation to SPRS.
  • Note: Plans of Action and Milestones (POA&Ms) are not permitted for Level 1; you must be fully compliant.

2. CMMC Level 2: Protecting CUI

  • Applies to: Organizations that handle Controlled Unclassified Information (CUI).
  • Requirements: You must implement all 110 security requirements detailed in NIST SP 800-171.
  • Phase 1 Assessment:
    • Self-Assessment: This is permitted for CUI that is not deemed critical or high-risk by the DoD. Like Level 1, this must be submitted to SPRS and affirmed annually.
    • C3PAO Assessment: Crucially, the DoD retains the discretion to require a Certified Third-Party Assessor Organization (C3PAO) assessment for Level 2 in certain solicitations, even during Phase 1. Do not assume self-assessment is always an option.

The Compliance Imperative: Risk and Accountability

With the implementation of Phase 1, the stakes are higher than ever. CMMC is the DoD’s verification mechanism for existing cybersecurity rules. Inaccurate reporting or misrepresenting your security posture now carries significant legal risk under the False Claims Act (FCA).

The self-assessment aspect of Phase 1 is not a grace period; it places accountability directly on the contractor. A senior company official must sign an affirmation of compliance, legally attesting to the company’s cybersecurity status. Missteps here could lead to penalties, investigation, and loss of contract eligibility.

What to Do Right Now

To stay competitive and eligible for DoD awards, organizations in the DIB should take immediate action:

  1. Determine Your Required Level: Identify what data (FCI or CUI) you handle to pinpoint your CMMC Level target.
  2. Conduct a Gap Assessment: Complete a thorough self-assessment against the applicable CMMC controls (15 for Level 1, 110 for Level 2).
  3. Finalize Documentation: Ensure your System Security Plan (SSP) and any necessary POA&Ms (for Level 2, where permitted) are complete and accurate.
  4. Submit to SPRS: Record your compliance score and affirmation in the Supplier Performance Risk System to establish your official CMMC status.

Phase 1 marks the true beginning of verified cybersecurity in the defense supply chain. For contractors, preparation is no longer a best practice—it is the law.
