{"id":3959,"date":"2025-11-13T15:39:53","date_gmt":"2025-11-13T15:39:53","guid":{"rendered":"https:\/\/mspblueteam.com\/?p=3959"},"modified":"2025-11-13T15:39:53","modified_gmt":"2025-11-13T15:39:53","slug":"cmmc-phase-1-implementation-begins-november-10-2025","status":"publish","type":"post","link":"https:\/\/mspblueteam.com\/index.php\/2025\/11\/13\/cmmc-phase-1-implementation-begins-november-10-2025\/","title":{"rendered":"&#8211;CMMC Phase 1 Implementation Begins: November 10, 2025"},"content":{"rendered":"\n<p>New DoD solicitations\/contract awards can start requiring CMMC clauses. Self\u2011assessments (for Level\u202f1 and Level\u202f2) become required in applicable contracts; in some cases, Level\u202f2 third\u2011party assessments may be inserted at DoD\u2019s discretion.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>The long-awaited Cybersecurity Maturity Model Certification (CMMC) program has officially moved from policy to practice. As detailed in recent industry publications (such as the one beginning with the final DFARS rule&#8217;s effective date), <strong>November 10, 2025, marked the official launch of CMMC Phase 1<\/strong>.<\/p>\n\n\n\n<p>This date is not just a milestone; it is a critical shift in the contracting landscape. If your company operates within the Defense Industrial Base (DIB), the time to achieve compliance is no longer &#8220;soon&#8221;\u2014it is <strong>now<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Phase 1: The New Reality of DoD Contracting<\/h2>\n\n\n\n<p>The start of Phase 1 means that the Department of Defense (DoD) has begun incorporating the CMMC requirements (DFARS clause <strong>252.204-7025<\/strong>) into applicable new solicitations and contracts. This phased rollout is designed to slowly ramp up enforcement, focusing initially on self-assessment.<\/p>\n\n\n\n<p><strong>Key Takeaways for Phase 1 (November 10, 2025 \u2013 November 9, 2026):<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>CMMC Status is a Condition of Award:<\/strong> For covered contracts, you must have a current CMMC status at the required level to be eligible for the award.<\/li>\n\n\n\n<li><strong>Focus on Self-Assessments:<\/strong> The first phase primarily mandates CMMC <strong>Level 1<\/strong> and <strong>Level 2 (Self-Assessment)<\/strong> for contractors.<\/li>\n\n\n\n<li><strong>Submission is Mandatory:<\/strong> Compliance information\u2014whether a self-assessment score or a certification status\u2014must be recorded in the <strong>Supplier Performance Risk System (SPRS)<\/strong>.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding Your Required CMMC Level<\/h2>\n\n\n\n<p>Your organization&#8217;s required CMMC Level is determined by the type of government data you handle:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. CMMC Level 1: Safeguarding FCI<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Applies to:<\/strong> Organizations that only process, store, or transmit <strong>Federal Contract Information (FCI)<\/strong>.<\/li>\n\n\n\n<li><strong>Requirements:<\/strong> You must comply with <strong>15 cybersecurity controls<\/strong> based on FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).<\/li>\n\n\n\n<li><strong>Assessment:<\/strong> Requires an <strong>annual self-assessment<\/strong> and submission of compliance affirmation to SPRS.<\/li>\n\n\n\n<li><strong>Note:<\/strong> Plans of Action and Milestones (<strong>POA&amp;Ms<\/strong>) are <strong>not<\/strong> permitted for Level 1; you must be fully compliant.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. CMMC Level 2: Protecting CUI<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Applies to:<\/strong> Organizations that handle <strong>Controlled Unclassified Information (CUI)<\/strong>.<\/li>\n\n\n\n<li><strong>Requirements:<\/strong> You must implement all <strong>110 security requirements<\/strong> detailed in <strong>NIST SP 800-171<\/strong>.<\/li>\n\n\n\n<li><strong>Phase 1 Assessment:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Self-Assessment:<\/strong> This is permitted for CUI that is <strong>not<\/strong> deemed critical or high-risk by the DoD. Like Level 1, this must be submitted to SPRS and affirmed annually.<\/li>\n\n\n\n<li><strong>C3PAO Assessment:<\/strong> Crucially, the DoD retains the <strong>discretion<\/strong> to require a <strong>Certified Third-Party Assessor Organization (C3PAO)<\/strong> assessment for Level 2 in certain solicitations, even during Phase 1. Do not assume self-assessment is always an option.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">The Compliance Imperative: Risk and Accountability<\/h2>\n\n\n\n<p>With the implementation of Phase 1, the stakes are higher than ever. CMMC is the DoD\u2019s verification mechanism for existing cybersecurity rules. Inaccurate reporting or misrepresenting your security posture now carries significant legal risk under the <strong>False Claims Act (FCA)<\/strong>.<\/p>\n\n\n\n<p>The self-assessment aspect of Phase 1 is not a grace period; it is a direct grant of accountability. A senior company official must sign an affirmation of compliance, legally attesting to the company&#8217;s cybersecurity status. Missteps here could lead to penalties, investigation, and loss of contract eligibility.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What to Do Right Now<\/h3>\n\n\n\n<p>To stay competitive and eligible for DoD awards, organizations in the DIB should take immediate action:<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Determine Your Required Level:<\/strong> Identify what data (FCI or CUI) you handle to pinpoint your CMMC Level target.<\/li>\n\n\n\n<li><strong>Conduct a Gap Assessment:<\/strong> Complete a thorough self-assessment against the applicable CMMC controls (15 for Level 1, 110 for Level 2).<\/li>\n\n\n\n<li><strong>Finalize Documentation:<\/strong> Ensure your <strong>System Security Plan (SSP)<\/strong> and any necessary <strong>POA&amp;Ms<\/strong> (for Level 2, where permitted) are complete and accurate.<\/li>\n\n\n\n<li><strong>Submit to SPRS:<\/strong> Record your compliance score and affirmation in the Supplier Performance Risk System to establish your official CMMC status.<\/li>\n<\/ol>\n\n\n\n<p>Phase 1 marks the true beginning of verified cybersecurity in the defense supply chain. For contractors, preparation is no longer a best practice\u2014it is the law.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New DoD solicitations\/contract awards can start requiring CMMC clauses. Self\u2011assessments (for Level\u202f1 and Level\u202f2) become required in applicable contracts; in some cases, Level\u202f2 third\u2011party assessments may be inserted at DoD\u2019s discretion. The long-awaited Cybersecurity Maturity Model Certification (CMMC) program has officially moved from policy to practice. As detailed in recent industry publications (such as the &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/mspblueteam.com\/index.php\/2025\/11\/13\/cmmc-phase-1-implementation-begins-november-10-2025\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;&#8211;CMMC Phase 1 Implementation Begins: November 10, 2025&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[18,5,6,7,8],"class_list":["post-3959","post","type-post","status-publish","format-standard","hentry","category-security","tag-cmmc","tag-cybersecurity","tag-governance","tag-nist","tag-security"],"_links":{"self":[{"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/posts\/3959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/comments?post=3959"}],"version-history":[{"count":1,"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/posts\/3959\/revisions"}],"predecessor-version":[{"id":3960,"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/posts\/3959\/revisions\/3960"}],"wp:attachment":[{"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/media?parent=3959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/categories?post=3959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mspblueteam.com\/index.php\/wp-json\/wp\/v2\/tags?post=3959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}